by Robert Westervelt
Google’s NFC payment service will be thoroughly vetted for vulnerabilities that could give cybercriminals access to card data. Cloning may be possible.
The Google Wallet service, announced this week, uses the PayPass contactless credit and debit system from Mastercard. For now the new payment system works only with Google’s Nexus S smartphone, but Google reportedly will sell kits so other Android devices can support the technology. For it to work, merchants must accept Mastercard PayPass, a service that has gained acceptance under the Payment Card Industry Data Security Standard (PCI DSS). Supported devices must also run Google’s payment app to complete transactions.
Google has set up a FAQ on Google Wallet security and privacy for merchants considering supporting the service. Google said it has designed “multiple elements” at the hardware level into its service to help prevent snooping or tampering.
According to Google, credit card credentials are stored using hardware-based encryption, and the app itself is sandboxed. Sandboxing isolates the app from other processes, making it harder for cybercriminals to leverage device or application vulnerabilities to reach the sensitive data. Sandboxing is a process-level boundary, though; on its own it does not protect data on a device an attacker has already rooted.
Jimmy Shah, a mobile security researcher at McAfee, wrote that until now researchers have focused on “ghost and leech attacks” as a threat to NFC technology. In such a relay attack, one device (the leech) reads the victim’s card at close range while a second device (the ghost) presents that data to a payment terminal elsewhere.
“You’re more likely to be hit by a crook brushing by you with an RFID reader to steal or transmit your credentials to a fake RFID card,” Shah wrote.
The good news is that Google has introduced a third layer of protection: a PIN to initiate a tap-and-pay transaction. Google Wallet data is not transmitted unless the user enters the PIN. Shah said the step prevents anyone from stealing usable NFC data via a reader.
Researchers will have to wait for Google Wallet to reach consumers before it can be fully vetted, he said. No doubt, Google has put it through various tests to ensure device configuration errors and other issues don’t expose it to attacks.
The Google Wallet app has not yet been widely released, so it’s difficult to properly identify possible weaknesses. Once it’s available on more phones, we’re bound to see more research from both the criminal element and legitimate security researchers.
Reverse engineering, cloning may be possible
The Google Wallet app will likely be reverse engineered by cybercriminals, Shah said; it is a feat that is not too difficult today with the free tools available on the Internet. A possible hole, according to Shah, is its secure chip, which uses asymmetric encryption to authenticate access to the data. “This implies that an attacker has a good chance of extracting the authentication key from the Google Wallet app,” he said.
The next step would be to create a malicious application that emulates the official Wallet app to fool the “secure element” chip into giving up the user’s credentials. From there, the attacker can collect account information for sale or for attempts at cloning the data onto new NFC cards.
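The concern Shah raises (an authentication key that lives in the app binary), and the PIN gate described earlier, can be shown with a toy model. The code below is an added illustration, not Google Wallet’s actual protocol or any Google code: the secure element, the HMAC challenge-response, the card record, the embedded key, the device salt and the retry limit are all constructed assumptions. It shows that once the static key is lifted from the app, an imposter app unlocks the chip exactly as the official one does, and then a variant in which the key is derived from the user’s PIN at transaction time, with a failure counter so the PIN cannot be guessed online.

```python
import hashlib
import hmac
import secrets

# Constructed sample card record; not a real card number.
CARD_DATA = b"PAN=4111111111111111;EXP=12/14"

# Constructed "app-embedded" key: the static secret a reverse engineer
# would lift from the app package. Assumption for this model only.
APP_EMBEDDED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed per-device salt used by the PIN-derived variant.
DEVICE_SALT = bytes.fromhex("a1b2c3d4e5f60718")


def _respond(key: bytes, nonce: bytes) -> bytes:
    """Answer a challenge: HMAC-SHA256 of the nonce under the auth key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class SecureElement:
    """Model secure element: releases CARD_DATA to a caller that answers an
    HMAC challenge. max_failures bounds online guessing; 0 disables the
    counter (the weak model)."""

    def __init__(self, auth_key: bytes, max_failures: int = 0):
        self._key = auth_key
        self._max_failures = max_failures
        self._failures = 0
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes):
        if self._max_failures and self._failures >= self._max_failures:
            return None  # locked: too many wrong answers
        if self._nonce is None:
            return None  # no outstanding challenge
        expected = _respond(self._key, self._nonce)
        self._nonce = None  # each nonce is single-use
        if hmac.compare_digest(expected, response):
            self._failures = 0
            return CARD_DATA
        self._failures += 1
        return None


def weak_se() -> SecureElement:
    """SE whose auth key is the same static key baked into the app."""
    return SecureElement(APP_EMBEDDED_KEY)


def app_read(se: SecureElement, key: bytes):
    """Any app holding `key`, official or imposter, reads the card the same way."""
    return se.unlock(_respond(key, se.challenge()))


def pin_key(pin: str) -> bytes:
    """Derive the auth key from the user's PIN and device salt at transaction
    time, so nothing in the app binary is sufficient on its own."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), DEVICE_SALT, 100_000)


def pin_gated_se(pin: str) -> SecureElement:
    """SE provisioned with the PIN-derived key and a three-strike lockout."""
    return SecureElement(pin_key(pin), max_failures=3)


def pin_gated_read(se: SecureElement, pin: str):
    return app_read(se, pin_key(pin))


if __name__ == "__main__":
    se = weak_se()
    print("official app:", app_read(se, APP_EMBEDDED_KEY))
    print("imposter with extracted key:", app_read(se, APP_EMBEDDED_KEY))
    se2 = pin_gated_se("1234")
    print("extracted key vs PIN-gated SE:", app_read(se2, APP_EMBEDDED_KEY))
    print("user enters PIN:", pin_gated_read(se2, "1234"))
```

The weak model reproduces the hole: the imposter is indistinguishable from the official app because the only credential is one both possess. In the PIN-gated model the extracted key is useless, and the counter matters because a four-digit PIN space is small enough to enumerate if the chip answered an unlimited number of attempts.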
It’s a safe bet that the PCI Council (and Mastercard) will be watching developments closely. The council said earlier this year that its new mobile payment task force would review NFC payment systems and other mobile payment technologies.
“We’re trying to dissect the mobile area now because there are just so many unknowns out there and so many different devices that don’t have any security we can see,” said the Council’s General Manager Bob Russo in an interview with SearchSecurity.com back in March.
SmartCard Alliance on NFC payment systems
The SmartCard Alliance, a non-profit organization backed by a number of technology companies pushing mobile payment systems, issued a video last month addressing NFC payment systems. The Alliance is supporting “chipless PIN.” (Chipless is seen as cheaper, though the rest of the world is moving toward chip and PIN.) The video is an interview with payment systems consultant Steve Mott. He said everyone has a stake in providing services and technology to the “mobile ecosystem.” New NFC infrastructure could ultimately do away with the old mag-stripe, physical-card payment system.
“It’s clearly outlived its usefulness,” Mott said of current credit card payment systems in the interview.
“It’s too costly, it’s too fraud prone, it creates ungodly expenses like PCI compliance. We’ve spent enough in the United States on PCI compliance since 2004 to implement EMV chipless PIN three times over.”
by Robert Westervelt
Acquisition of Clearwell Systems Inc. bolsters Symantec’s eDiscovery capabilities in a crowded market for software that helps contain civil litigation costs.
Symantec Corp. has agreed to acquire privately held data archiving and backup vendor Clearwell Systems, Inc., in a $390 million deal that launches the security vendor into the eDiscovery market.
The agreement is subject to customary closing conditions, including regulatory approval, and is expected to close in September.
The market for electronic discovery software has been booming as businesses are required to tap into archived emails and other documents during the discovery process in civil litigation cases. Specialized software helps reduce the costs and risks associated with legal discovery.
Storage and database vendors have tapped into the market, including EMC Corp., which acquired Kazeon Systems Inc. in 2009 for $75 million and also sells RSA’s Archer platform for eDiscovery and compliance management. Gartner Inc. calculates the annual growth rate for eDiscovery at 14% and estimates that the market will reach $1.7 billion by 2014.
Brian W. Hill, an analyst with Forrester Research Inc. said Clearwell and Symantec have had a longstanding partnership across their archiving and eDiscovery offerings. Clearwell has been focused on processing, search and review to support eDiscovery, he wrote in the Forrester Research blog.
Clearwell offerings have some overlap so I anticipate a period of assessment and rationalization. The two vendors, however, have joint partners and some existing product integration and Symantec certainly recognizes the importance of the intersection of archiving and eDiscovery.
Symantec, which acquired Veritas in 2004, will add the eDiscovery capabilities as an offering for its customers. The company said it would integrate Clearwell’s capabilities into its Enterprise Vault archiving product.
“As information continues to grow at unprecedented rates, the biggest challenge for customers is to protect, manage and backup this information as well as have the ability to categorize and discover it efficiently,” said Deepak Mohan, senior vice president, Information Management Group, Symantec in a statement.
Symantec said the Clearwell platform can also be integrated and cross-sold along with its NetBackup, Data Loss Prevention and Data Insight software.
Some experts say the market is still immature and includes a myriad of small vendors. Forrester’s Hill said enterprises have had difficulties with the complexity of using different eDiscovery providers with different applications. Clearwell competed against Autonomy Corp., Recommind Inc. and ZyLAB North America LLC. In addition, Informatica, Oracle and SAP offer their own branded eDiscovery software suites.
According to Hill:
Given how long litigation and investigations often take, buyers want to make sure that their provider will be there when it counts. With about 200 employees, Clearwell is bigger than many of its counterparts, but Symantec will clearly be around for the long haul.
Posted by InfoSec News on May 27: http://www.care2.com/causes/womens-rights/blog/manal-al-sharif-imprisoned-for-10-more-days-for-driving-in-saudi-arabia/
Posted by InfoSec News on May 27: http://www.csoonline.com/article/682990/experts-pressure-scada-developers-on-security-as-you-would-software-vendors
Posted by InfoSec News on May 27: http://www.wired.com/threatlevel/2011/05/defense-department-stuxnet/
Posted by InfoSec News on May 27: http://english.peopledaily.com.cn/90001/90776/90786/7392068.html
Posted by InfoSec News on May 27: http://mashable.com/2011/05/26/sony-playstation-network-170m/
Posted by InfoSec News on May 27: http://www.cringely.com/2011/05/insecureid-no-more-secrets/