
Showing posts with label MGT300-INTERNATIONAL ICT. Show all posts

Thursday, 29 December 2011

Biometrics for secure mobile connections



Though security applications that verify a person's identity based on their physical attributes, such as fingerprint readers or iris scanners, have been in use for some time, biometric security has only recently started to appear in mobile phones, PDAs and notebook computers where the need for miniaturisation represents a technological challenge. 

So far biometric data has been used to tie the device to a person to prevent it from being used illegitimately if lost or stolen. But the IST project SecurePhone is taking a new approach, employing physical attributes to enable the user to digitally sign audio, text or image files, providing proof of their origin and authenticity.

"As far as we know there is no other biometrically-enabled digital signature application available for mobile devices that can guarantee security by storing and processing all sensitive information on the device's SIM card," explains SecurePhone technical coordinator Roberto Ricci at Informa in Italy. "Because biometric data never leaves the device's SIM card and cannot be accessed, except by the verification module which also runs on the SIM card, the user's biometric profile is completely safe. This is important to meet the highest privacy requirements."

Although existing communications infrastructure based on the GSM, GPRS and UMTS mobile systems provides a secure means of communication, it lacks any robust method of user identification. Text, audio and image files can be sent by anyone to anyone with no authentication and there are no guarantees the person you are talking to in a phone conversation, if you've never met them before, is really who they claim to be.

The upshot is that data exchanged over mobile devices is of limited use for legally binding transactions even though mobile devices, given their ubiquity, would be a prime candidate for carrying out e-commerce (or m-commerce), managing business processes such as signing contracts or even in securing the exchange of data in e-healthcare and e-government systems. A digitally signed and authenticated voice recording during a telephone conversation would, for example, give the speaker's words legal value.

"The aim is to enable users to exchange information that can't be disputed afterward. That could be a voice recording that is authenticated to eliminate any doubt about who the speaker is, what they actually said and prove that it has not been manipulated," Ricci explains. "To achieve that it is necessary to digitally sign the data and to ensure that only the legitimate user can perform the signing."


The system developed by the SecurePhone project partners consists of two main elements. The first, an authentication module, uses biometric security applications to verify the user's identity. That in turn gives them access to the second module which digitally signs the data using a Public Key Infrastructure (PKI). 

"Rather than relying on something you possess – you can forget a PIN code or write it down and lose it – biometric security relies on what you are," Ricci notes.

The system, which is designed primarily for PDA-phones but could also be used in new generation smart phones and WiFi-enabled PDAs, offers three methods of biometric identification. One employs the digital cameras that have become commonplace in mobile devices along with a face recognition application to identify the user based on their facial features. Another uses voice recognition software – also detecting any asynchrony between speech and lip movements - and the third verifies the handwritten signature of the user on the device's touch screen. The three methods are used in combination to enhance the overall levels of security and reliability, and most importantly they require no hardware additions to mobile devices.

"The SecurePhone platform is entirely software based. This is important if it is to be adopted by device manufacturers as it keeps costs down and makes implementing it much easier. There is no need to add fingerprint or iris scanners. Instead, the system uses elements that already exist in the device and which serve alternative purposes as well, while the type of verification carried out is non-intrusive for the user," Ricci says.

The project partners are currently working on the final integration of the system ahead of trials of a finished prototype that are expected to begin in August. Ricci notes that so far the different elements of the application have performed well during laboratory testing.

Despite SecurePhone's focus on research, Ricci notes that the resulting application is commercially appealing and that the project partners are planning a further project with the aim of bringing the technology to market.

"We would probably aim at the niche markets at first, such as busy executives, e-government or e-healthcare, and then expand from there," he says.



Sources : 21 Century

Wi-Fi 'protected set-up' not so protected after all


On Tuesday, the organization, known as US-CERT, cited findings from security researcher Stefan Viehbock, who uncovered the security hole in the so-called Wi-Fi Protected Set-up, or WPS, protocol, which is often bundled into Wi-Fi routers. The WPS protocol is designed to allow unskilled home users to set up secure networks using WPA encryption without much hassle. Users are then able to type in a shortened PIN instead of a long pass-phrase when adding a new device to the secure network.
That method, however, also makes it much easier for hackers to break into a secure Wi-Fi network, US-CERT says. The security threat could affect millions of consumers, since the WPS protocol is enabled on most Wi-Fi routers sold today.
"A few weeks ago I decided to take a look at the Wi-Fi Protected Setup (WPS) technology," Viehbock said in a blog post. "I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide."
The basic problem is that the security of the 8-digit PIN falls dramatically with more attempts to key in the password. When an attempt fails, the hacker can figure out if the first four digits of the code are correct. From there it can then narrow down the possibilities on the remaining digits until the code is cracked. Viehbock said a hacker can get into a secure Wi-Fi hotspot in about two hours using this method to exploit a vulnerability.
Here's how US-CERT describes the flaw:
When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.
US-CERT said in its warning that there is no known fix to the security problem. Instead, the group recommends that users disable the WPS function on their routers. The warning lists several wireless router vendors as selling devices that are affected by the security hole: Buffalo, D-Link, Cisco Linksys, Netgear, Technicolor, TP-Link, and ZyXEL.
US-CERT indicated in its warning that it notified router vendors that are affected by the security issue in early December, but so far the vendors have not offered a response nor have any of them issued statements.
CNET also contacted the vendors listed by US-CERT, but has not yet received a response from any of them.

By Marguerite Reardon
Sources : CNET News
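
The arithmetic in the US-CERT description above, worked through as an added example (not part of the CNET article or the advisory). It assumes the checksum routine commonly used for WPS PINs, a constructed 0.65 s per attempt chosen to match the article's "about two hours", and a hypothetical lockout of 60 s after every 3 failures.

```python
# Added illustration: WPS PIN structure and why the split-half response matters.
# Timing and lockout figures are constructed assumptions, not measurements.

def wps_checksum(first7: str) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,... from the right)."""
    accum = sum(int(ch) * (3 if i % 2 == 0 else 1)
                for i, ch in enumerate(reversed(first7)))
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the checksum of the first 7."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])

def second_half_candidates(first_half: str) -> list[str]:
    """Second halves consistent with a known first half: 3 free digits + checksum."""
    out = []
    for n in range(1000):
        free = f"{n:03d}"
        out.append(free + str(wps_checksum(first_half + free)))
    return out

def worst_case_attempts() -> int:
    """10^4 tries to confirm the first half, then one per remaining candidate."""
    return 10**4 + len(second_half_candidates("0000"))

def worst_case_hours(attempts, secs_per_attempt, lock_after=None, lock_secs=0):
    """Time to exhaust the space, optionally pausing lock_secs every lock_after failures."""
    lockouts = (attempts - 1) // lock_after if lock_after else 0
    return (attempts * secs_per_attempt + lockouts * lock_secs) / 3600

if __name__ == "__main__":
    n = worst_case_attempts()
    print("worst-case attempts:", n)
    print("no lockout      : %.1f h" % worst_case_hours(n, 0.65))
    print("3 tries / 60 s  : %.1f h" % worst_case_hours(n, 0.65, 3, 60))
```

Under these assumed figures the lockout stretches the worst case from hours to days but does not remove it, which is consistent with US-CERT recommending that WPS be disabled.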

Windows 8: The InfoWorld Deep Dive report

It's not the Windows you know and love. Microsoft has revealed a "reimagined" Windows -- code-named Windows 8 -- that boasts a very different, tile-centric user interface called Metro taken from Windows Phone that is touch-savvy, runs on ARM processors as well as Intel x86 chips, takes fewer system resources so it can run on a wider variety of hardware platforms, and works on both tablets and traditional keyboard-and-mouse PCs. It's not mobile versus desktop, it's mobile and desktop together.
The new Windows -- available now in a pre-beta developers version and expected to be formally released in late 2012 -- reflects a changing world, says Microsoft's Windows chief Steven Sinofsky. "Things are a whole lot different now than three years ago. ... Touch is a whole new dimension. Mobility is a whole new dimension. ... We want Windows to respond to that."
InfoWorld's analysis of Windows 8, based on hands-on use of the developer version, is that it is a game-changer for users -- and will be a major shift for users and IT alike in terms of capability, usage, management, and overall technology strategy. And it will introduce huge changes to how developers conceive and deliver their applications.

By InfoWorld Staff
Sources : InfoWorld

New York Times mistakenly e-mails millions about subscriptions

The New York Times is now saying that a believed-to-be bogus e-mail that told millions of subscribers that their subscriptions had been canceled actually did come from the newspaper company. But the e-mail, which was meant for only 300 recipients, was instead sent to more than 8 million subscribers, a tweet from Amy Chozick, a media reporter for the Times states.
This morning millions of New York Times subscribers received an e-mail informing them that their subscription had been canceled and then went on to offer a 50 percent discount if they renewed their subscription and used a special code. When CNET tried calling the number listed, there was nothing but a busy signal.
After a flurry of tweets about the e-mail showed up on the social-networking site Twitter, the newspaper responded, stating that the e-mail was a fake.
Some people speculated that the e-mail header had been spoofed to make it look like the message had come from the Times, since the same e-mail address had been used to send legitimate correspondence. It turns out the e-mails were legit.
The New York Times reporter covering this story is promising a follow-up to offer details on how this mistake happened.
Here is the text from the original e-mail:
Dear Home Delivery Subscriber,
Our records indicate that you recently requested to cancel your home delivery subscription. Please keep in mind when your delivery service ends, you will no longer have unlimited access to NYTimes.com and our NYTimes apps.
We do hope you'll reconsider.
As a valued Times reader we invite you to continue your current subscription at an exclusive rate of 50% off for 16 weeks. This is a limited-time offer and will no longer be valid once your current subscription ends.*
Continue your subscription and you'll keep your free, unlimited digital access, a benefit available only for our home delivery subscribers. You'll receive unlimited access to NYTimes.com on any device, full access to our smartphone and iPad apps, plus you can now share your unlimited access with a family member.
To continue your subscription call 1-877-698-0025 and mention code 38H9H (Monday-Friday, 8:30 a.m. to 8:30 p.m.; Saturday, 9 a.m. to 3 p.m. E.D.T.).
By Marguerite Reardon
Sources : CNET News

Looking Forward to 2012: Apple TV, iPhone 5 and Goodnight PCs

Apple

Onward, tablets, smartphones and post-PC (yet still just as much “personal computing”) devices — call them whatever you like, 2012 will see a glut of me-too mobiles designed to untether us from stodgy office desktops and augment our everyday, ordinary activities by slipping into our everyday, ordinary surroundings. With that in mind, here’s my list of up-and-coming 2012 tech picks:
Apple TV, the Next Generation
The trouble my 37-inch, four-year-old LG 1080p LCD TV has squeezing inside my mammoth mission-style entertainment center aside, I’ve been eyeballing a new TV all year. I already have an Apple TV, but we’re talking the tiny black box, not a full-blown TV set. So when I say I’m eyeballing an Apple TV, let there be no confusion — I’m speaking of the rumored 32- and 37-inch Apple television sets due sometime this summer, not the device I only use to stream my music library to the living room.
Apple’s challenge, assuming these things are real, is twofold: Leapfrogging the current black box Apple TV’s features, and pricing its televisions competitively (assuming it wants to sell these things mainstream, anyway). Feature-wise, Apple needs to do more than offer access to a few third-party services and stream iTunes media from an Apple computer (it needs to be more than just an Apple TV inside an Apple-branded television, in other words) so here’s my wish list: An Apple TV that could sync wirelessly with iOS devices, allowing video, photos and even apps or games to appear (magically!) on the TV without cables, and a Siri-like voice command feature, making an appearance alongside a motion-control interface similar to (but ideally miles better than) Microsoft’s Kinect. Bring it on, Apple!
iPhone 5 or Android Whatever
The iPhone 4 I picked up last February — my first iPhone, if it matters — has been a mostly up experience. It’s quick, dependable, swarming with apps that cover all my bases and not a total disaster when texting so long as I use just one finger (in lieu of two thumbs). My only complaints: The screen is too small, the phone’s too breakable (all glass, front and back) and I’m still not sold on finger-gaming, especially first-person stuff where I’m fighting just to see around my thumbs (would someone please release a thumbstick snap-around like the 3DS’s add-on already?). I have mixed feelings about most Android phones, but after playing with a friend’s Galaxy Nexus, I’ve sort of done a one-eighty: Unless the iPhone 5 is thinner and has an edge-to-edge 4.65-inch or larger display, I may just pick up a Galaxy Nexus to go hand-in-glove with a new Windows-based, gaming-angled ultrabook.
Goodbye forever, desktop PCs — hello ultrabooks and tablets!
I ditched my tricked-out Windows desktop PC a few weeks ago — good night, good luck (and, with all due respect, good riddance). I barely touched the thing in 2011, and I’ve jettisoned any nostalgic sentiments I once had for screwing around with soldering circuits or tweaking liquid cooling kits. My work machine’s now an 11-inch MacBook Air, though it might as well be a Windows-based ultrabook. I love OS X, but I’m almost as fond of Windows 7, and since I’ve kept my personal and work data agnostic, organized and easy to migrate, I’ll be happy to switch if the right hardware comes along (hello Razer Blade!). The desktop PC is a dinosaur, and Moore’s Law ceased to matter years ago (just because computing power doubles in a given period doesn’t mean app requirements or consumer needs do), so bring on the souped-up ultraportables and 2012’s enhanced tablets (be they Android or iOS based), and may the space beneath (or beside) our desks, chairs and tables remain case- and cable-free forever.
By Matt Peckham
Sources : Time