Multiplexed Transport Layer Security

In information technology, the Transport Layer Security (TLS) protocol provides connection security with mutual authentication, data confidentiality and integrity, key generation and distribution, and security parameters negotiation. However, missing from the protocol is a way to multiplex application data over a single TLS session.

Multiplexed Transport Layer Security (MTLS) protocol is a new TLS sub-protocol running over TLS or DTLS. The MTLS design provides application multiplexing over a single TLS (or DTLS) session. Therefore, instead of associating a TLS connection with each application, MTLS allows several applications to protect their exchanges over a single TLS session.
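As an added illustration (not code from the Wikipedia article or the MTLS draft), the Python sketch below shows the multiplexing idea described above: each application's data is tagged with an application identifier before it is handed to a single TLS session, and the receiving side reassembles frames from the plaintext byte stream and routes them to the right application. The 2-byte id / 2-byte length header is an assumed layout for demonstration, not the draft's wire format.

```python
import struct
from collections import defaultdict

# Constructed frame layout (assumption, NOT the draft's wire format):
# 2-byte application id | 2-byte payload length | payload
HEADER = struct.Struct("!HH")
MAX_PAYLOAD = 16384  # keep a frame within one TLS record (2^14 bytes)

def encode_frame(app_id: int, payload: bytes) -> bytes:
    """Tag one application's data with its id before passing it to TLS."""
    if not 0 <= app_id <= 0xFFFF:
        raise ValueError("application id out of range")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds maximum frame size")
    return HEADER.pack(app_id, len(payload)) + payload

class Demultiplexer:
    """Reassembles frames from the plaintext stream TLS delivers and routes
    each payload to a registered application; unknown ids are dropped."""
    def __init__(self, registered_apps):
        self.registered = set(registered_apps)
        self.buffer = b""
        self.delivered = defaultdict(list)
        self.rejected = 0

    def feed(self, chunk: bytes) -> None:
        """Accept bytes as TLS read() returns them (arbitrary boundaries)."""
        self.buffer += chunk
        while len(self.buffer) >= HEADER.size:
            app_id, length = HEADER.unpack_from(self.buffer)
            if length > MAX_PAYLOAD:
                raise ValueError("oversized frame; tear down the session")
            if len(self.buffer) < HEADER.size + length:
                return  # wait for the rest of this frame
            payload = self.buffer[HEADER.size:HEADER.size + length]
            self.buffer = self.buffer[HEADER.size + length:]
            if app_id in self.registered:
                self.delivered[app_id].append(payload)
            else:
                self.rejected += 1  # never deliver data to an unregistered app

def demo() -> Demultiplexer:
    # Constructed sample: two applications (ids 1 and 2) share one session;
    # id 9 is not registered and must be rejected by the receiver.
    stream = (encode_frame(1, b"GET / HTTP/1.1")
              + encode_frame(2, b"chat: hello")
              + encode_frame(9, b"x"))
    demux = Demultiplexer(registered_apps={1, 2})
    for i in range(0, len(stream), 7):  # odd chunk size simulates TLS reads
        demux.feed(stream[i:i + 7])
    return demux
```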

MTLS is specified only in an Internet-Draft, http://tools.ietf.org/html/draft-badra-hajjeh-mtls-05, which expired in October 2009.

Reference : http://en.wikipedia.org/wiki/Multiplexed_Transport_Layer_Security


Near field communication

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi. Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa. The standards include ISO/IEC 18092 and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance.

Uses

N-Mark Logo for certified devices

NFC builds upon radio-frequency identification (RFID) systems by allowing two-way communication between endpoints, where earlier systems such as contactless smart cards were one-way only. Since unpowered NFC “tags” can also be read by NFC devices, it is also capable of replacing earlier one-way applications.

Commerce

NFC devices can be used in contactless payment systems, similar to those currently used in credit cards and electronic ticket smartcards, and allow mobile payment to replace or supplement these systems. For example, Google Wallet allows consumers to store credit card and store loyalty card information in a virtual wallet and then use an NFC-enabled device at terminals that also accept MasterCard PayPass transactions. Germany, Austria, Latvia and Italy have trialled NFC ticketing systems for public transport. China is using it all over the country in public bus transport, and India is implementing NFC-based transactions in box offices for ticketing purposes.

Uses of NFC include:

  • Matching an encrypted security code and transporting an access key;
  • Because of the short transmission range, NFC-based transactions are potentially more secure;
  • Instant payments and coupon delivery using a handset, as is done today with a credit or debit card;
  • Marketing and exchange of information such as schedules, maps, business cards and coupons using NFC marketing tags;
  • Paying for items by waving a phone over NFC-capable devices;
  • Transferring images and posters for display and printing;
  • Social media actions, e.g. Like on Facebook or Follow on Twitter, via NFC smart stickers in retail stores.

Bluetooth and WiFi connections

NFC offers a low-speed connection with extremely simple setup, and could be used to bootstrap more capable wireless connections. It could, for example, replace the pairing step of establishing Bluetooth connections or the configuration of Wi-Fi networks.

Social networking

NFC can be used in social networking situations, such as sharing contacts, photos, videos or files, and entering multiplayer mobile games.

Identity documents

The NFC Forum promotes the potential for NFC-enabled devices to act as electronic identity documents and keycards. As NFC has a short range and supports encryption, it may be more suitable than earlier, less private RFID systems.

Reference : http://en.wikipedia.org/wiki/Near_field_communication

Mobile and Web security will be major topics at Black Hat

Security researchers are expected to disclose new vulnerabilities in near field communication (NFC), mobile baseband firmware, HTML5 and Web application firewalls next week at the Black Hat USA 2012 security conference.

Now in its 15th year, the annual Las Vegas conference draws thousands of security enthusiasts and IT professionals who come to watch some of the industry’s top researchers present their latest findings.

With the rise of smartphones during the last few years, mobile technologies have become a major focus of security research — and for good reason. Many of today’s mobile phones are actually mini computers that store a wealth of sensitive data and this makes them attractive targets for attackers.

Some smartphone vendors have implemented NFC technology to enable contactless mobile payments. Users only have to wave their phones over NFC-capable devices to complete a transaction.

Renowned Apple hacker Charlie Miller, who works as a principal research consultant at security consulting firm Accuvant, has investigated the security of current NFC implementations and found ways in which the technology could be abused to force some mobile phones to parse files and open Web pages without user approval.

In some cases, attackers can take complete control of the phone through NFC, enabling them to steal photos and contacts, send text messages and make calls. Miller will present his findings in what is probably one of the most anticipated talks at this year’s U.S. edition of the conference.

In another mobile security presentation, University of Luxembourg researcher Ralf-Philipp Weinmann will discuss attacks against baseband processors — the phone microprocessors responsible for communicating with cellular networks.

Last year, Weinmann demonstrated how vulnerabilities in the firmware of baseband processors can be exploited to turn mobile phones into remote spying devices after tricking them into communicating with a rogue GSM base station — a scaled-down version of a cell phone tower. The base station had been set up using off-the-shelf hardware and open source software.

This year, Weinmann plans to show that rogue base stations are not even necessary to pull off such attacks, because some baseband vulnerabilities can be exploited over IP-based (Internet Protocol) connections.

If some components of the carrier network are configured in a certain way, a large number of smartphones can be attacked simultaneously, Weinmann said in the description of his presentation.

Mobile malware is viewed as a growing threat, particularly on the Android platform. To protect Android users and prevent malicious applications from being uploaded to Google Play, Google created an automated malware scanning service called Bouncer.

At Black Hat, Nicholas Percoco and Sean Schulte, security researchers from Trustwave, will reveal a technique that allowed them to evade Bouncer’s detection and keep a malicious app on Google Play for several weeks.

The initial app uploaded to Google Play was benign, but subsequent updates added malicious functionality to it, Percoco said. The end result was an app capable of stealing photos and contacts, forcing phones to visit websites and even launch denial-of-service attacks.

Percoco would not discuss the technique in detail ahead of the Black Hat presentation, but noted that it doesn’t require any user interaction. The malicious app is no longer available for download on Google Play and no users were affected during the tests, Percoco said.

Web attacks and vulnerabilities in new Web technologies will also be the subject of several Black Hat presentations this year.

Cybercriminals are increasingly relying on so-called drive-by download attacks to infect computers with malware by exploiting known vulnerabilities in widespread browser plug-ins like Java, Flash Player or Adobe Reader.

Jason Jones, a security researcher with HP DVLabs, Hewlett-Packard’s vulnerability research arm, is scheduled to present an analysis of some of the most commonly used Web exploit toolkits, like Blackhole or Phoenix.

Some of the trends observed by Jones in Web exploit toolkit development this year include an increased reliance on Java exploits and faster integration of exploits for new vulnerabilities.

In the past, Web exploit toolkits targeted vulnerabilities for which patches had been available for over six months or even a year. However, their creators are now integrating exploits for vulnerabilities that are a couple of months old or even unpatched by vendors, Jones said.

Reference : http://www.itworld.com/security/286827/mobile-and-web-security-will-be-major-topics-black-hat