While the Instagram API uses both non-secure HTTP and secure HTTPs connections, the weird thing is that it uses the non-secure path for your account’s authentication. All it does is store a standard cookie on your device, sent without encryption. What this means is that if you’re using an unsecure connection, like public Wi-Fi at Starbucks, someone could potentially intercept that cookie and use it to authenticate themselves into your account.

The hacker can then utilize a variety of API calls to do all sorts of nasty things with your Instagram account, deleting your #foodporn pics with ease. The sad thing is that the person who discovered this security hole contacted Instagram about it, but hasn’t heard anything back. The solution is actually pretty simple on Instagram’s part: start using secure, encrypted cookies instead.

In the meantime, the actual threat level is pretty low, since it’s unlikely the guy at Starbucks is going to try and hack into your Instagram account, but you should be aware that the threat is there.

[Source]

The post Security Threat: Unencrypted Cookies in Instagram iOS App appeared first on Mobile Magazine.

“Decryption is not possible without having access to the actual device because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during typical physical acquisition.”

Those backups you create everytime you “sync” your iOS device, those are the ones that can be cracked, but crackers will also need the physical iPhone or iPad itself to obtain any relevant data. Sure, it sounds like a long shot, first your desktop is stolen, then your iPhone too, basically with that much of your digital assets missing its no surprise you’re data isn’t going to be safe. Apple was smart by not storing the encryption keys from the device on the backup location, this makes it much more difficult and why the hardware is also needed; assuming you have access to the computing power necessary to crack the 256-bit AES. The only real threat we see, if you can even call it a threat, is the authorities. They’re the ones running AMD’s STREAM or nVidia CUDA to get at you and seize your hardware and software simultaneously.

The post iOS4 Cracked, Russian ElcomSoft Breaks the Backup Encryption appeared first on Mobile Magazine.

Apparently, Android 3.0 will bring the ability to encrypt all the data on the tablet, protecting it with a secure password. This will certainly help get Android tablets in the hands of enterprise users, who may have otherwise been waiting around for the PlayBook later this year.

The image here, which comes by way of Engadget, shows the encryption option page on a Motorola XOOM. When asked, Google says that this feature is not exclusive to Moto and that it will “encrypt your accounts, settings, downloaded applications and their data, media, and other files.”

We don’t know what kind of encryption it’s going to use, but we’re told the process takes about an hour and the only way to decrypt the data is to do a factory reset… which basically erases everything. So yeah, don’t forget your password.

[Mashable]

The post Android 3.0 Honeycomb is safer with data encryption appeared first on Mobile Magazine.

Securing data is important, particularly in a corporate environment where business communications can be critically confidential. Combustion is never an environmentally sound solution for handling confidential materials. Making this a bit more green, and simpler, is the new Wipe technology announced by Toshiba today. It works in tandem with the company’s Self-Encrypting Drive (SED) models.

In short, the technology allows for private data to be fundamentally erased from the hard drives when a system is turned off, or when the SED hard drive is removed from the system. This secure erasure is crucial for when machines are returned, serviced, disposed, re-purposed, or otherwise taken away.

The idea started with notebook computers and all the data that their hard drives could contain coming from data sensitive environments, but it also extends into the realm of copiers, printers, and other similar machines which store images and private data. Many of these systems contain hard drives and, well, you don’t want to keep an image of that confidential social security number, or other valuable document available to peering eyes.

By using Wipe Technology, the data is automatically “invalidated” by the hard drive itself, which is faster than over-write data erasure or physical destruction methods. Not a bad idea from Toshiba.

[Toshiba]

The post Toshiba Self-Encrypting hard drives “invalidate data” with automatic Wipe technology appeared first on Mobile Magazine.

A Russian spy Photo: Newscom/file

Despite just announcing a new phone, it seems that Research in Motion is going into a world of hurt. The United Arab Emirates (UAE) and Saudi Arabia have already said that the BlackBerry service represents a security risk, and now Lebanon, India and Indonesia are joining in on the anti-Berry party.

They’re saying that BlackBerry can be a risk because of its potential use for militant forces, terrorists, and other similar persons bent on our destruction. Because the government has no way of monitoring these services, due to RIM’s high level of security, BlackBerry services are almost a safe haven for criminals.

Lebanon hasn’t formally banned BlackBerry just yet, but they are “studying the issue from all sides” and they’re “discussing this with the concerned administrations and ministries.” Shutting down the enterprise level security in these countries isn’t really an option for RIM, since the corporations that work there rely on its reliability and security.

The United Arab Emirates asserts that with the encryption, the BlackBerry violates the telecommunications regulations of the United Arab Emirates and will block key BB services starting October 11th.

Saudia Arabia plans to turn off the BlackBerry juice as of today. Lebanon announced yesterday that the BB system will have to be assessed in the name of national security.

This is a bit ridiculous, having a company chastised because of their system being too secure.  If its insecure everyone complains about its vulnerabilities, now if its too secure the governments complain because they cannot spy or “monitor terrorists”.  I’m afraid I have to side with RIM on this one.  Will this still allow government employees of said countries to use the security benefits of the BlackBerry, just not its citizens?

India would like a communications center setup for BlackBerry network monitoring or interception of messages.  We will have to see how this all pans out, but there are a lot of upset countries out there, and even a bigger upset company.  “If they can’t deal with the Internet, they should shut it off.”  RIM’s co-CEO Michael Lazaridis told The Wall Street Journal.

“This is about the Internet,” Lazaridis told the Journal. “Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can’t deal with the Internet, they should shut it off.”

And after all this, the U.S. and Canadian governments are stepping in.

“There are issues attached to freedom of information, the flow of information, the use of technology. We are in touch with these governments,” P J Crowley, the U.S. State Department spokesman told reporters at a daily news briefing this morning.

After the Indian government asked RIM to allow them to monitor the Blackberry services, Crowley responded.  “We’re going to try to understand what their concerns are, the nature of the ongoing negotiations that they have with this particular company. And then you’ve touched on that there are number of countries that are in the midst of these negotiations and we’ll see what the implications are.”

“So it is not about any one device. It’s not about any one network. We’re trying to see how we can make these technologies more broadly available and they can be utilized in a variety of different ways to help build institutions, accountability, and other trends in key countries,” Crowley added.

“Canada has been working closely with the officials at Research In Motion as well as with governments on the ground to assist them in dealing with these challenges,” Trade Minister Peter Van Loan told reporters in Ottawa this morning.

RIM’s BlackBerry messenger is the only smartphone messaging system whose traffic is soley managed by the company.

With RIM’s Lazaridis denying any third party access to monitor communications running through BlackBerry enterprise servers, it’s going to be interesting to see how it all pans out.

Update: The Saudi Arabian government has turned off the BlackBerry data services for 700,000 Saudi’s. This shutdown occurred at 4AM EST today. RIM housing a data center in Saudi Arabia would allow the service to be activated, right now all data is routed to the Canadian data center. [Bangkok Post]

Additional reporting by Fabrizio Pilato

The WSJ, Yahoo

The post RIM will not succomb to third party monitoring: BlackBerry ban possible in 5 countries appeared first on Mobile Magazine.

Elecom Biometric Flash Drive

Security. The guy in the red shirt who always beams down with the Enterprise landing party, but never beams up again.

And seriously, who cares?

Ever since Captain Kirk whipped it out and flipped it on, in every episode of the same original 60s Star Trek series, the mobile phone has been a symbol of freedom.

No programs, no IT department, just free love forever… And no security! There was no need for it, no data on a phone, no passwords, no access to the corporate network. In those bygone days, not fussing with security may have been the best part of having a mobile phone.

Has anyone ever found security attractive? It doesn’t make the developer rich or famous. It doesn’t make the user more elegant and beautiful (I’m looking at you, cow-eyed Apple consumer, you know that free love is still blind), or more productive (if you’re not fortunate enough to buy a smart phone to just accessorize).  If Ensign Ricky is not coming back with the landing party, well — who cares! We all lived innocent in a Garden where love was free and forever, where every feeling and opportunity could be shared instantly, gratified as soon as our bodies caught up to our signals, sending each other photos and sexts, not even aware of our nakedness. There was only one restriction. Thou Shalt Not Eat of the Tree in the Center of the Garden, the Tree of Intelligence.  Every garden has a serpent, and when that shiny Apple was held up for the first time, who among us stood up and said “Guys wait! What about security?”

Now your innocence is jail broke, your phone is a little computer… as complex, vulnerable, and leveraged into every part of your life as your Old World desktop — in many ways more so! And it’s getting worse with every generation. These are early days of course; no one knows the full extent of the problem, but one thing is abundantly clear already: innocence and freedom are the price of Intelligence.

A large part of security’s unapproachable aura is the economic dynamic that is inverse (some would say, perverse) to the way we normally think of profit in a market economy. Whereas most of us try to buy and sell a feature that is going to make us glad, security’s dubious temptations promise to make us sad. Most party people don’t get that and don’t want to think about it much, but it’s actually painless.

1. You have something others want.
2. Someone steals it from you.
3. You are sad, and want to be compensated.
4. You pay the insurance company a stiff premium to compensate the rest of your stuff, but
5. Nothing else gets stolen, you just continue to pay a lot and get nothing for it, so you’re sad again, what up yo!

Security comes in here, because your insurance company will drastically reduce your premiums if you invest in an accredited security program. That’s how everyone gets paid for something nobody wants.   The take home is that, if you don’t know how the security works, you are increasing your risk from both ends: you may not have either your insurance right, or your (data) stuff safe.    Having fun so far? Don’t worry, it gets much more depressing. For example, did you think that leaving it to the experts is safe? Not if those “experts” are the big organizations that inspire a false sense of safety for most ordinary users. One of the biggest known losses of data from the last decade could be the UK government’s mishandling of 25 million nationals’ bank account information, national insurance numbers, birth dates, and anything else a criminal would need to steal someone’s identity. It resulted in the resignation of the department head of the agency that lost the data — that’s your consolation if you lost your identity, all your life savings, etc. — and to this day nobody knows where the data ended up.

If the PC industry is any indication of what is coming to the smart phone market, government agencies, fortune 500 corporations, and local banks offer no refuge for the very substance of your modern existence, your personal data. Despite all the hi-tech differentiators that define your modern, smartphone-bearing life, you are no less alone and unprotected in a predatory wilderness than your paleo ancestors; your digital identity is still just many financial calories to any tech-savvy carnivore who happens to see it exposed.

Scared? Good. There is no more explicit example of burying your head in the sand, nor potentially tragic, than ignoring mobile security. Over time, you will be carrying more and more of your life in your phone holster, and more and more people will be after it. Your only defense is your knowledge.   So where do you begin? We decided to speak with Jacob Greenblatt, Chief Strategist at Discretix. From a background of delivering general security solutions from mobile phones to portable storage devices, the Discretix mobile security product suite is currently protecting millions of handsets, flash memory cards, drives, and smartphones around the world.

Discretix Cryptocell security platform

The Discretix suite is broad, attacking the potentially vast mobile security challenge from multiple fronts. Embedded engines perform heavy lifting, time-tested encryption and key-exchange protocols. Newer approaches concentrate fire on some of the more ephemeral features and opportunities specific to mobile: software images and versioning, booting protocols, disk integrity, and ensuring that flash memory devices for both storage and user authentication are safe from hackers and thieves.

Smartphones from the iPhone and Android families deploy the application via the CPU, as well as USB, flash or USB drives, sandisk, se, Motorola… Discretix provides the security infrastructure, encryption engine, real core security competencies required to encrypt a disk, wipe the data, or reset a device.

According to the company, any smartphone’s potential downfall is it’s chief strength: the ability to download what you want, when you want it, and have it run on your phone. Everyone knows that’s how the bad guys get in to get your stuff.   But other dangers are not as immediately obvious. If that phone is, for example, a Blackberry packing a full list of customers’ email addresses and private information, and it is simply misplaced, then it requires a security solution that will wipe the device remotely, kill the device, or retrieve it.   A remote wipe has a number of different mechanisms. The basic idea is very simple, the phone would receive a certain repeated message continuously. If that message was not received for a defined period, the phone is required to execute a protocol. So I report my phone lost, for example, immediately the repeating message stops, and the phone responds by wiping its disk and shutting down. In the case of an unconnected device like a flashcard, as soon as that device connects to any phone, the protocol should wipe the device immediately.

But here a subtlety lurks, someone could cloak the message to wipe out someone else’s device; the mechanism embedded in the chipsets would need to be able to differentiate faultlessly between a self-device that is operational, and a foreign device that should not be connecting to this phone, not unlike a mammalian immune system.   Further dimensions open when you provide a security infrastructure that offers the software vendor hooks to take advantage of your offerings, thereby providing a more robust performance, and a more uniform standard.

Discretix multi-scheme content protection

According to Discretix, the target is not only moving, but the problem is getting bigger at least as fast as the mobile market itself. Smart phones are by no means satisfied with mere phone status, or even settling for just being smart. At the recent MWC, Discretix saw chipsets that were able to run HD movies on a large screen from a mobile phone, new form factors like book readers and numerous iPad-like species of tablet computers. The handsets are also becoming more actively involved in delivering content projection.

“Traditionally content has been concentrated on large devices like televisions and movie theatres. That content is migrated in a mobile form, in different formats and combinations; as that content migrates to the mobile device, the mobile security solutions required to protect that content are likely to increase. We expect the mobile security market (MSM) to display continued fast growth, what was a desktop device last year is now a mobile connected device today, like netbooks, tablets, ebook readers, are more connected devices. Are all running open oses; many allow you to download apps and are used for delivering some type of content to the end user and such requires more solutions.” Jacob Greenblatt told Mobile in a telephone interview.

Mobile Security industry is about to go through a major overhaul.

“According to our initial estimates we see the MSM at a 100-150 million global today, we expect the market to more than quadruple and approach 800 million by 2013. Internal company forecasts are seeing an increased number of mobile content subscribers. Approximately 500-600 million subscribers will be accessing mobile content via the internet by 2013.

Companies like ours have watched the market develop and we’ve seen an uncharacteristically large increase in content to mobile devices. I’m not talking about games, Tetris or things like that, 40% of subs by 2013 will be using a smartphone in one form or another.” added Greenblatt.

Discretix expects mobile business security to be catalyzed by a few high profile incidents that will escalate and catapult industry awareness and priority. The immediate response will include mandatory encryption, and other security standards subject to regulatory compliance.  A mobile phone/internet device can increase enterprise productivity, but the downside and risk must be taken into consideration. In dollar figures, RIM’s recent acquisition of Certicom weighed in at $100 million, so this downside is not trivial.

The current iPhone 4G (generation 4) is displaying the industry’s classic “borrow from the future” approach to security, rushing the most desirable features out to market first, and leaving security woefully inadequate for the current release. Discretix views the current state as sufficient for what the iPhone is currently used for, but nevertheless a soft target until Apple invests the needed resources to tighten up to enterprise standards.

Who is making the most secure smartphones today?

Discretix seems most impressed with a few offerings like the NSA-grade made by General Dynamics. Nokia has always traditionally invested heavily in security, probably the vendor that’s invested the most is RIM. They’ve always had encryption since day one, their solutions are behind a firewall, there enterprise is great. They are able to target that NSA market as well since their Certicom acquisition.

Special feature by Lance Hanlen with contributions by Fabrizio Pilato

The post Mobile Security – The Gathering Storm appeared first on Mobile Magazine.

Targeting government and enterprise customers, and approved by the U.S. government, Kingston’s state-of-the-art data protection solution is really just plug and play. They are using SPYRUS technology for the XTS-AES and ECC. This is in line with acceptable policies for data sharing of both classified and unclassified documents within the U.S. government and DoD.

Cipher mode for encryption is XTS-AES, much stronger than CBC, ECB and other modes. With FIPS 140-2 standard, the DataTraveler 5000 is tamper-evident and will notify users if their drive has been tampered with. The power-on self test feature also verifies encryption is running properly each time the drive is connected to a USB port.

Shipping in 2, 4, 8 and 16GB sizes, they will sell for $111, $185, $231 and $400 respectively.
Windows 7, Vista and XP only supported, sorry no Macs just yet.

The post Kingston DataTraveler 5000 secure flash USB memory drive features 256-bit AES hardware-based encryption appeared first on Mobile Magazine.