“You tune to the right frequency,” says Kocher, who described the hacking procedure as involving use of a radio device much like a common AM radio that will be set up [...]]]>

At next month’s RSA Conference, researchers will demonstrate how the simple use of radio waves can be used to steal encryption keys.

“You tune to the right frequency,” says Kocher, who described the hacking procedure as involving use of a radio device much like a common AM radio that will be set up within about 10 feet from the smartphone. The radio-based device will pick up electromagnetic waves occurring when the crypto libraries inside the smartphone are used, and computations can reveal the private key. “We’re stealing the key as it’s being used,” he says, adding, “It’s independent of key length.”

Kocher says the goal of the hacking demo, which Cryptography Research will demonstrate throughout the RSA Conference at its booth, is not to disparage any particular smartphone manufacturer but to point out that the way crypto is used on devices can be improved.

“This is a problem that can be fixed,” he says, noting Cryptography Research is working with at least one of the major smartphone makers, which he declined to name, on the issues around these types of radio-based attacks.

via Stealing smartphone crypto keys using plain old radio

If you’ve even begun the journey into mobile device forensics, you’ve already likely encountered the dreaded “lock [...]]]>

The upcoming issue of Digital Forensics Magazine will focus on mobile device digital forensics, including a feature article “Circumventing & Cracking the Android 3Ps – Patterns, PINs and Passwords” written by viaForensics’ Andrew Hoog and Thomas Cannon.

If you’ve even begun the journey into mobile device forensics, you’ve already likely encountered the dreaded “lock screen” on a device secured by a pattern, PIN or password. This article provides background on how Android implements the lock screens and techniques for circumventing and cracking them. Like many forensic techniques, this information could be used for nefarious purposes; however, our intentions are to empower practitioners who use forensics for legal purposes.

Subscribe online and watch for the full issue of Digital Forensics Magazine to hit soon.

Courses come with our virtual machine build containing useful forensic utilities, as [...]]]>

Join us for our May mobile forensic training in Chicago IL May 21-25! We are offering our full five day series containing the following courses:

• Introduction to Linux in Forensics
• iPhone Forensics
• Android Forensics
• Advanced Mobile Forensics
• Advanced File Carving & Analysis

Courses come with our virtual machine build containing useful forensic utilities, as well as the tools needed for Android physical recovery.  At the end of these five days investigators will be intimately familiar with the Linux environment and the data carving process through physical and logical recovery on iPhone and Android devices.  Investigators will also learn how to bypass the pattern code on certain devices.  Follow the link on the course name above to learn more about each course.

The training is open to both law enforcement and non-law enforcement!  The exact venue for this event is TBD.  If your agency is in the Chicago area and would be interested in hosting this event you would qualify for a hosting agency discount.  Contact us for more information!

Law Enforcement $4295 and non-LE is $6295 for the entire series . Individual course pricing is available – please contact us for details.

For banking and financial organizations, Jan. 1 looms large as deadline day for a new set of regulations under the supplements added to the Financial Institutions Examination Council FFIEC “Authentication in an Internet [...]]]>

The updated FFEIC supplement has been a topic of significant discussion for financial institutions and the deadline is fast approaching:

For banking and financial organizations, Jan. 1 looms large as deadline day for a new set of regulations under the supplements added to the Financial Institutions Examination Council FFIEC “Authentication in an Internet Banking Environment” guidance. First developed in 2005 to require multifactor authentication, the new guidance released this past June added stronger requirements for increased layers of security to combat the increased threats of fraud that are assaulting institutions by the hour.

via Financial Institutions Shoring Up Compliance Plans For FFIEC Deadline – Dark Reading.

The new supplements were developed to deal with the increasing threats in the environment, according to FFIEC’s Division of Risk Management senior policy analyst, Jeff Kopchik. ”In the intervening five years since the guidance first came out, the threat environment in terms of fraudsters and cybercriminals simply kept getting worse and worse, to the point where they were defeating multifactor authentication. It was appropriate for us to put out a supplement.”

These regulations do much to encourage security in online banking including fraud protection, emphasizing layered security, ongoing risk assessments and the differences in risks for consumer vs. business banking. While the focus for many FIs has been on multifactor authentication, the supplement really provides great advice from a broader perspective. Layered security, and in particular systems on the backend which can spot potential fraud issues, are a key approach to securing the Internet Banking environment.

viaForensics recently spoke at an FDIC conference about mobile banking and how this quickly evolving area requires focused attention from FIs. While traditional check fraud far exceeds fraud in mobile banking, the potential for a serious breach is ever present. Luckily, there are steps which can be taken to secure mobile banking and mobile apps and I would expect to see recommendations on this topic over time. And, of course, viaForensics provides a numbers of resources that FIs can leverage today including:

• appSecure
• Mobile Security Risk Report
• Mobile Security Audits

“Many people were upset at the revelation, reported here in May, that the Honeycomb version of Android would not be open sourced. But Google promised that the next version, Ice Cream Sandwich, would have full source available. Now that ICS [...]]]>

Is Android source code gone for good? A poster on Slashdot offers this observation:

“Many people were upset at the revelation, reported here in May, that the Honeycomb version of Android would not be open sourced. But Google promised that the next version, Ice Cream Sandwich, would have full source available. Now that ICS is out, though, the source is nowhere in sight. In the thread, Android’s Jean-Baptiste Queru offers the following, as to the question of whether source will ever be made available: ‘At the moment I don’t have anything to say on that subject.’”

via Android Source Code Gone For Good?

Update: Google states that it will open source its Android 4.0 Ice Cream Sandwich operating system:

Google’s recent release of Android 4.0 Ice Cream Sandwich left some wondering if the company would continue to release the source code for the popular operating system. Google engineer Dan Morrill wrote in a Google Groups post, “We plan to release the source for the recently-announced Ice Cream Sandwich soon, once it’s available on devices.”

via Google commits to open source Android 4 and calendar API

With this mobile focus [...]]]>

Apple’s Enterprise Innovation Summit traditionally provides a forum for European C-level executives and industry thought leaders to discuss business challenges of digital media with peers in an interactive environment. The 2011 summit will focus specifically on the impact that mobile devices are having on the business world and the challenges presented by this.

With this mobile focus in mind, viaForensics has been invited to speak on mobile security. Andrew Hoog, CIO of viaForensics, will present a session on mobile security issues and what strategies organizations should be implementing to ensure adequate protection. viaForensics has emerged as a leader in the mobile security arena with the launch of its appWatchdog service and its expertise in applying the power of forensic methods proactively to improve digital security.

The Enterprise Innovation Summit 2011 is scheduled for Nov 16-17, 2011, in Lucerne, Switzerland. Around 50 executives from top European enterprise organizations with an IT orientation will be in attendance. Attendance is by invitation only.

Tuesday, October 4, 2011 2:00 – 4:00 PM

Presentations by: Sprint ”Consumerization of IT – Driving a collaborative approach to Managed Security” & Andrew Hoog, CIO, viaForensics ” Mobile Security – Strategies for deploying secure mobile apps and devices”

Register here.

VMware already offers the View desktop virtualization client for Android and the iPad (but not the iPhone), allowing remote access to a Windows desktop from a mobile [...]]]>

VMware’s mission to bring virtualization to the mobile market gained a major supporter last week when Samsung pledged to use VMware software to build business-friendly smartphones and tablets.

VMware already offers the View desktop virtualization client for Android and the iPad (but not the iPhone), allowing remote access to a Windows desktop from a mobile device.

But a more ambitious project known as Horizon Mobile will let Android phones use virtual machine technology to run a second instance of Android, in much the same way virtualization works on servers and desktops. The user essentially has two completely separate phones running on one device, and can switch from the personal one to the corporate one by clicking a “work phone” icon. VMware believes this will appeal to IT departments by isolating an employee’s work environment from his or her personal environment, while giving IT a Web-based management console to control what the employee may do on the work portion of the phone.

via Two phones, one device: Samsung to support VMware’s Android virtualization push