“The sleight of hand discovered by Heffner involves establishing an attack site which runs malicious script that means a visitor’s own IP address is presented as one of the site’s alternative IP addresses, thereby granting a trusted status to a malign site. Modern browsers are designed to block earlier types of such attacks but not with this particular scenario, for reasons Heffner is due to explain at Black Hat.”

Present in a variety of router models by companies such as Linksys, Belkin and Dell, the flaw is a vulnerability to a classic hacking technique called DNS rebinding, in which hackers use malicious code to “trick” a device into controlling it. While Heffner’s discussion will hopefully include preventative measures for the manufacturers of these routers, there is currently a list of vulnerable kits and sensible workarounds to address this flaw at Notebooks.com.

Apple ranks first, ahead of runner-up Oracle, and Microsoft in the number of security bugs found in all their products in 1H 2010. During the first six months of 2010, Secunia logged 380 vulnerabilities within the top-50 most prevalent packages on typical end-user PCs, or 89 per cent of the figure for the entire year of 2009.

This is the first time since 2005 that Apple has topped the list of vendors in Secunia’s yearly security vulnerability report. According to Secunia, the rising number of total vulnerabilities can be partially attributed to the wide variety of mechanisms required to keep software updates current. Additionally, more risks were found in systems with a higher number of third-party applications installed.

Good Technology–whose solutions can be found in some of the most sensitive government and business settings–needed a portable, universal crypto solution and the proven expertise of a smart device security leader. They chose Mocana. NanoCrypto is Mocana’s super-fast, super-small, government-certified cryptographic engine, purpose-built for the entire ecosystem of smart devices, of which smartphones are just one category.

Click here to view the full press release.

“TubeSat is different because it lets and hobbyist engineers and astronomers build the satellite themselves. Each TubeSat kit includes the satellite’s structural components, a printed circuit board, Gerber files (essentially blueprints), electronic components, solar cells, batteries, transceiver, antennas, microcomputer and some programming tools.”

Once TubeSat has been assembled, it is returned to Interorbital and scheduled for flight into space, with the first launch currently scheduled for Winter 2010. It’s yet to be seen whether the do-it-yourself kits will hold up during the rigorous launch, but for their money customers are offered a second chance for free should the first attempt fail.

“It is envisioned that the SGIC portal will be the essential gateway that connects the smart grid community to the relevant sources of information that are currently scattered and distributed on the worldwide web. The portal will also direct its users to other pertinent sources or databases for additional data, case studies, etc. It will serve as a decision support tool for both state and federal regulators in their deliberations for rule-making and evaluating the impact of their investments in the smart grid technologies and software.”

This site will likely prove to be an invaluable reference library for those involved in any aspect of the smart grid, with information available on a wide variety of subjects all aimed at providing awareness and furthering the development of the smart grid community.

Earlier this week, Google unveiled new device management features for its Google Apps suite aimed at the enforced use of data encryption and password security. Implemented for a variety of platforms such as Windows Mobile, iPhone, and Nokia Series E, the Apps will now wipe passwords after a series of failed attempts, mandate new passwords periodically and automatically trash old passwords. These changes will also reach Google’s own Android platform later this year.

Similarly, Research In Motion introduced an upgrade for its BlackBerry smartphones that targets enterprise use. Included in its 7th release of BlackBerry Enterprise Server Version 5.0.2 is the new Individual-Liable Devices Policy, which enables segregation of corporate and personal BlackBerry use. The new revision also enables remote wiping of corporate data.

As reported by Venturebeat, the new Droid phone contains “eFuse” technology designed to render itself inoperable, should the smartphone be user-modified.

[eFuse] runs when the phone boots up, and it checks to make sure that the phone’s firmware, kernel information, and bootloader are legit before it actually lets you use the device….If the eFuse failes [sic] to verify this information then the eFuse receives a command to “blow the fuse” or “trip the fuse”. This results in the booting process becoming corrupted and resulting in a permanent bricking of the Phone. This FailSafe is activated anytime the bootloader is tampered with or any of the above three parts of the phone has been tampered with.

Motorola insists that eFuse is a customer-focused security measure that helps to protect user data.

At Intel, Dr. [Joshua] Smith, working with the researcher Alanson Sample of the University of Washington, created an electronic “harvester” of ambient radio waves. It collects enough energy from a TV station broadcasting about 2.5 miles from the lab to run a temperature and humidity sensor.

The device collects enough power to produce about 50 microwatts of DC power, Dr. Smith said. That is enough for many sensing and computing jobs…. The power consumption of a typical solar-powered calculator, for example, is only about 5 microwatts…and that of a typical digital thermometer with a liquid crystal display is one microwatt.

Dr. Smith and his colleagues have built a second device, powered by radio waves, that collects signals from an outdoor weather station and transmits them to an indoor display. The unit can accumulate enough energy to send an updated temperature every five seconds.

Thanks to the virtually endless supply of radio waves in the air, these technologies could soon create wireless devices that can run continuously on an endless power supply — battery-free.

Ericsson reports that mobile broadband subscriptions are also growing at a rapid pace, and are expected to reach over 3 billion by 2015, a massive increase from the 360 million subscriptions active in 2009. Experts now believe that soon 80% of all people connecting to the internet will doing so from a mobile device.

The FBI website describes the phony phone call scheme:

During these TDOS attacks, online trading and other money management accounts are being accessed by the perpetrators who are transferring funds out of those accounts. The perpetrators will obtain account information of their victims in some way and then contact the financial institutions to change their victims’ profile information such as email addresses, telephone numbers and bank account numbers. The purpose of the malicious phone calls is to occupy the victim phone numbers on record with the financial institutions managing the accounts so that when the institutions contact the victim to verify the changes and transactions, the institution is unable to reach the victim. Consequently, the victim has no idea what has really transpired until it’s too late.

The calls, typically made in such a volume as to overwhelm the targeted line, can be identified as dead air (silence on the other end), an ‘innocuous recorded message’, advertisement or even a phony telephone sex menu. The FBI recommends anyone who suspects they may be the target of such an attack should contact their telephone service provider in addition to alerting their financial institutions.

Mocana’s NanoSSH and NanoSSL are embedded in ClearCube’s Remote Management Module (RMM) in the chassis, centralized in a remote datacenter, to secure all communication between the RMM and ClearCube’s Sentral management software suite. Sentral and the RMM provide a wide range of management functions for virtual machines, centralized PC blades, servers, chassis, and more. Mocana’s technology will help organizations leverage the power and flexibility of ClearCube’s Centralized and Virtualized solutions while securing the management channels.

NanoSSL is Mocana’s SSL/TLS solution designed to speed product development while providing best-in-class device security in resource-constrained environments like the thin clients used by ClearCube. NanoSSL is open-standards-based, extensible, platform-agnostic and includes an optional government-certified FIPS 140-2 level-1- validated crypto core. NanoSSL includes a full-featured key generator and certificate management client, and supports government Suite B crypto algorithms and the new RFC standard for TLS 1.2.

NanoSSH is Mocana’s SSH client/server solution with support for X509.v3 certificate-based authentication and comes with RADIUS client, specifically designed to speed product development while providing best-in-class device security services for resource-constrained environments. NanoSSH provides a holistic approach for securing networked devices and services, and is ideally suited for resource-constrained devices as well as high-traffic enterprise and federal environments where performance is critical. NanoSSH is open-standards-based, extensible, extremely small footprint, platform-agnostic and features an optional government-certified FIPS 140-2 level-1-validated crypto core.

Both NanoSSH and NanoSSL solutions are GPL-free, so developers can feel confident about the long-term integrity of their intellectual property. New developers can request a free trial of Mocana products at www.mocana.com. “ClearCube’s model is helping to lead the shift towards centralized and cloud computing, but with appropriate care taken for device security,” said Adrian Turner, CEO of Mocana. “The addition of heterogeneous client-side devices to this model adds another dimension to the security challenge. That’s why ClearCube is using Mocana, to make sure that today’s most flexible centralized computing architectures are safe for mission-critical users, like those in government. ”

“One of the key value propositions of our centralized and virtualized solutions is our ability to keep the management of the different components in the system simple and secure”, said Raj Mellacheruvu, Director of Engineering at ClearCube Technology. “With Mocana’s technology we are able to securely communicate with our remote management modules over the network.”

About Mocana

Mocana secures the “Internet of Things” – the 20 billion datacom, smartgrid, federal, consumer, industrial and medical devices that connect across every sector of our economy. These devices already outnumber PC’s on the Internet by five to one, representing a $900 billion market that’s growing twice as fast as the PC market. Every day, millions of people use products sold by over 100 companies that leverage Mocana’s Device Integrity software, including Dell, Cisco, Honeywell, General Electric, General Dynamics, Avaya, Harris and Radvision, among others. Mocana won Frost & Sullivan’s Technology Innovation of the Year award for 2008 for Device Security, and was named to the Red Herring Global 100 as one of the “top 100 privately-held technology companies in the world” in January 2009.

A new report from VisionMobile aims to demystify the current mobile development landscape, with a comprehensive study based on research conducted with over 400 developers for various platforms such as iPhone, Symbian, Android and Windows Mobile. According to the report,

Android stands out as the platform most popular among mobile developers. Survey results suggest nearly 60 percent of all mobile developers recently developed on Android, assuming an equal number of respondents with experience across each of eight major platforms. Second in terms of developer mindshare is iOS (iPhone), outranking Symbian and Java ME, which were in pole position in 2008.

In addition, the research document contains data regarding:

• the number of apps available for various platforms and in various markets
• the differences in the learning curves that developers face for different platforms
• the effect of app stores and advertising on sales and revenue

With this in mind, Datakey Electronics produces an anti-counterfeit memory token system that is not only rugged, but can survive repeated sessions of high temperature sterilization without failure, while retaining data. And according to Datakey,

[Using] removable memory for product authentication/anti-counterfeit…opens up a host of other capabilities, including: tracking (and limiting) the number of times an attachment has been used, automatically identifying the model of the attachment and uploading any model-specific parameters, uploading any calibration information that is unique/specific to that particular attachment, and recording settings and other usage data to ensure the device was used properly according to the manufacturer’s instructions.

In addition, the Receptacle on the base controller can be used for secondary uses, including: in-field firmware updates, medical personnel access control, rights management, and more!

But how to prepare for a war waged in the digital realm? And what are the stakes? As more and more of the world’s infrastructures are given access points on the web, the possibility of collateral damage inflicted by electronic attacks becomes increasingly real. Of particular concern is the security of the smart grid systems that will one day encompass our electrical networks. Opinions vary on the vulnerability of SCADA systems (networks that regulate industrial systems like power plants), however the consensus is that serious risks are present.

The future of cyber-warfare is uncertain, yet it will undoubtedly present myriad new challenges for peacekeepers such as NATO and governments themselves.

Perfect Citizen will use sensor-based surveillance tools to monitor computer networks, both private sector and government-operated, that connect the nation’s critical infrastructure systems–including the power grid, nuclear plants, air traffic control and others–in an effort to detect and prevent serious cyber attacks.

According to The Wall Street Journal,

Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind. Many of those systems—which run everything from subway systems to air-traffic control networks—have since been linked to the Internet, making them more efficient but also exposing them to cyber attack.

The goal is to close the “big, glaring holes” in the U.S.’s understanding of the nature of the cyber threat against its infrastructure, said one industry specialist familiar with the program….

The information gathered by Perfect Citizen could also have applications beyond the critical infrastructure sector…serving as a data bank that would also help companies and agencies who call upon NSA for help with investigations of cyber attacks, as Google did when it sustained a major attack late last year.

We recently posted about the 60 MINUTES investigation into critical infrastructure security that not only declared the U.S. unprepared for cyber attacks on the infrastructure, but described how it was already being hacked.

Among the suspects apprehended are several government officials, reportedly including a police officer, judge and a former member of Parliament. Other suspects include businessmen, doctors and engineers who used the spying software for a variety of purposes including the real-time monitoring of phone calls, retrieval of SMS text logs and even transforming the affected phone into a remote bugging device. While the FlexiSPY software suite was still being offered online as of this writing, it is unclear whether other countries will pursue measures against sellers of this questionable application.

A new report provides a concise explanation of how this security protocol functions. Download the full PDF here.

As we recently posted, smart grid security is becoming a booming industry unto itself, with billions of dollars to be spent in the coming years.

But even more concerning, Engadget reports that–while still unconfirmed–these rogue book apps were catapulted up the sales chart by fraudulent charges to unknowing iTunes customers for downloading the books — purchases these customers never authorized.

Since the initial report, Apple has confirmed the situation and has responded by removing the developer in question, and all of his apps, from the iTunes store. Apple has not commented, however, on any fraudulent credit card charges reportedly linked to this scenario.

The full PDF is available here.

Originating in the days of simplistic cell phones, these threats have evolved along with the devices themselves, and an independent security researcher recently traced their development in a post on the meedabyte blog.

In the article, security expert Cristofaro Mune cites online app stores–carrying thousands of smartphone applications from thousands of third-party developers–and the high-speed data capabilities of today’s 3G and Wi-Fi devices as two of the recent advancements that make today’s mobile phones increasingly vulnerable to viruses and malware.

It is estimated that 15 percent of total investments in the grid will be for cybersecurity, as governments develop security protocols to ward off the possibilities of sabotage. We’ve previously posted about the existing vulnerabilities in the millions of smart meters already in use across the United States and the concern among experts that, in a rush to take advantage of federal stimulus money, the 60 million smart meters being deployed in the U.S. this year alone could be critically under-secured.

The report also identifies five major areas in which smart grid security issues may arise: “transmission upgrades, substation automation, distribution automation, electric vehicle management systems, and advanced metering infrastructure.”

CNET News also reports:

…[S]ome of the apps were found to have the ability to do things like make calls and send text messages without requiring interaction from the mobile user. For instance, 5 percent of the apps can place calls to any number and 2 percent can allow an app to send unknown SMS messages to premium numbers that incur expensive charges, security firm SMobile Systems concluded in its Android market threat report. [...]

The report found that dozens of apps have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone call information, and device location….

But CNET notes that these apps aren’t necessarily malicious or suspect. Additionally, Google has responded that Android users are specifically advised what access permissions they are granting an app when they install it, giving the user control over the visibility of their data. However, users are still being advised to be aware of the potential vulnerability of their personal data when installing any kind of app.

They are part of a new wave of smart implantable devices that is transforming the care of people with heart disease…. The hope is that the devices, now being tested in clinical trials, will save lives, reduce medical expenses and nudge heart patients toward managing their symptoms…. Patients, who often are frail or live far from their doctors, can be spared frequent office visits. Doctors can learn immediately if devices are malfunctioning or if patients’ hearts are starting to fail. [...]

The big leap forward came a few years ago when device companies figured out how to make transmitters that send data over a broader range, 20 or 30 feet. That meant that…[a patient] did not have to wait till her doctor could put a receiver directly on her chest. Instead, she simply went near a small box, which is attached to a phone jack near her bed. Once a week…that information is automatically transmitted to her doctor. If there are problems, the machine alerts her doctor.

According to one manufacturer’s study, heart patients with a heart device that transmitted information to their doctor spent less time admitted to the hospital than did those with traditional, non-communicating devices. And the hospital costs were also significantly less per admission for those patients with smart defibrillators.

We’ve previously posted a number of articles on medical device technology and the security concerns that come along with them.

While the proposed hardware and software regulations would be specific to home computers, the internet-connected mobile device market is increasingly threatened by the very same kinds of malware and crime that have plagued PCs for years. Similar requirements for devices could plausibly follow close behind.

Using Android software tools, Raytheon engineers built a basic application for military personnel that combines maps with a buddy list. Raytheon calls the entire framework the Raytheon Android Tactical System, or RATS for short. [...]

Every part of RATS is tailored for use on a battlefield. A soldier could make an unmanned plane a “buddy,” for instance, and track its progress on a map using his phone. He could then access streaming video from the plane, giving him a bird’s eye view of the area. Soldiers could also use the buddy list to trace the locations of other members of their squad.

According to an executive at Raytheon, the US Department of Defense, the Department of Homeland Security as well as law enforcement agencies could possibly adopt this technology as well.

We announced earlier this month that Mocana has earned the government’s first FIPS 140-2 level one validation for Android crypto software with NSA Suite B cryptography.

4G makes the situation more accelerated…. And what will really accelerate the growth of mobile malware and spyware will be the volume of traffic that people will be able to use. Data usage will increase and there are going to be more places that will get infected.

This is expected to become a serious concern for enterprise IT, as more executives use smartphones — and the various apps downloaded to these phones — to access corporate data in and out of the workplace. The Network World article describes a number of tactics integral to protecting enterprise security in the presence of mobile devices, including:

• remote wipe functionality on all mobile devices, (in the event that a device is lost or stolen)
• native application control capabilities allowing IT to specify which apps are and aren’t permitted on a company network-connected device

Network World also notes that anti-malware technology specifically designed for these high-powered mobile devices is still in its infancy.

CNET News

According to the CNET report, the vulnerabilities in today’s smart meters could allow for a number of malicious attacks, including the theft of private consumer data, the disruption of power to specific buildings, and even the targeted outage of entire utility grids. Many experts quoted in the article believe that US smart meter manufacturers and utility companies are treating security as an afterthought in order to quickly take advantage of Federal stimulus money.

There are about 250 active smart-metering projects worldwide, with about 49 million meters already installed and 800 million planned for installation…. Projects in the U.S. are being accelerated because of the $3.4 billion in stimulus funds set aside for smart-grid technologies. About 60 million smart meters will be deployed in the U.S. this year, covering about half of households…. Security appears to be a casualty of this haste….

“Since there is no federal mandate as to how much security to have in the meters, there aren’t the right motivation factors for security to be a major factor…It’s an afterthought.”

According to one expert, “Prominently missing are signed and encrypted firmware, secure (smart card) chips for key storage, unique cryptographic keys, and physical tamper protection.”

We’ve previously discussed the growing concern surrounding the security weaknesses in today’s smart grid technology. In addition, we recently reported on the 60 Minutes investigation into the malicious hacks that have already hit the nation’s critical infrastructures.

According to PC Authority:

The dashboard pulls in a wealth of information from both inside the house and externally. [...]

Key to this is ZigBee…[the] low-power wireless technology designed for home appliances. For our demo this took the form of a dummy dryer that reported its energy use back to the dashboard. This not only showed just how much of the monthly power bill was down to the dryer, but it also gave the option of running the dryer during off-peak energy periods. There was even a screen designed to help users upgrade to a more energy efficient model, pulling in product data with energy star ratings from other manufacturers.

PC Authority notes that the prototype will not likely enter production for the mass market but exists to demonstrate the coming possibilities in the area of energy management.

A recent article on The Register reports that a downloadable game for the Windows Mobile platform — 3D Anti-Terrorist Action — has been discovered to contain a Trojan that could potentially cost its victims a considerable amount of money. The infected version of the game, available from a number of Windows Mobile download sites, contains the “Terdial-A” Windows-CE Trojan, which makes expensive, international calls with the user’s phone. Victims are typically unaware of the malware until they receive the shocking mobile phone bill.

Internet security firm Sophos believes the infected game is the work of a Russian-speaking hacker who is likely attempting to access some of the money from the pricey calls.

A recent article on The Register describes the malware — pre-installed on the camera’s internal memory card — as an auto-run code intended to contaminate Windows PCs connected to the camera via USB.

It is estimated that approximately 1,700 of the cameras shipped with the virus which, as The Register notes, could have originated from an infected PC at the manufacturing or testing facility.

Although investigations are still ongoing, the ambulance manufacturer believes that it was an error in the embedded software that controls the built-in oxygen system that ultimately caused the unexpected failure. Pending further investigation, the fire department has placed portable oxygen systems in all the ambulances.

60 Minutes correspondent Steve Kroft spoke with retired Admiral Mike McConnell who, as former chief of national intelligence,  oversaw the National Security Agency, the Defense Intelligence Agency, and the Central Intelligence Agency.

“If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Cost, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker,” McConnell explained.

“Do you believe our adversaries have the capability of bringing down a power grid?” Kroft asked.

“I do,” McConnell replied.

Asked if the U.S. is prepared for such an attack, McConnell told Kroft, “No. The United States is not prepared for such an attack.”

In addition to the potential for an attack on the utilities infrastructure, the report also discusses in-depth the current vulnerabilities of the banking and financial system, as well as military and defense computer networks, all of which are reported to be unprepared for or under-secured against the threats of hackers and international cyber attacks.

With this increasing use of wireless and CPU-controlled technology in cars, The Sydney Morning Herald recently published a comprehensive look at growing concern that today’s–and tomorrow’s–automobiles are becoming increasingly vulnerable to hackers.

The big problem for car makers…will be those who open up their vehicles to add-on software applications, or “apps”….

In much the same way as we add software to a mobile phone today, some car makers envisage a future where owners can add functionality to their car via an internet connection. [...]

Ford has recently asked its US customers to nominate applications they would like to see in the connected car of the future, a move that suggests makers are getting serious about rolling them into vehicles.

Ford is developing apps for products such as the iPhone, so the car’s infotainment system can, say, recognise when a friend posts a comment on Twitter and then read you what was posted….

However, download from the wrong, untrustworthy source and – just like a computer – you could get more than you’ve bargained for.

The article also describes a number of new network-connected features in automobiles from Audi, Mercedes-Benz, Volvo and Toyota.

The breach was discovered by security research group Goatse Security, who successfully captured approximately 114,000 iPad owner email addresses and their corresponding ICC-IDs.

According to Gawker,

Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.

To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.

The group wrote a PHP script to automate the harvesting of data.

Even more shocking is the list of compromised iPad owners. Gawker reports that among the victims of the breach are:

• multiple devices registered to DARPA (US Dept. of Defense)
• House of Representatives, US Senate, Dept. of Homeland Security, FCC and NASA staff members
• a US Air Force Commander
• Diane Sawyer of ABC News
• New York City Mayor Michael Bloomberg
• New York Times CEO Janet Robinson
• high-level executives at Dow Jones, HBO, Viacom, and Time Warner
• White House Chief of Staff Rahm Emanuel

The security researchers who discovered the breach notified AT&T (who has since publicly confirmed the vulnerability) and the issue has been corrected.

“Mobile phones are a huge source of vulnerability,” said Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division. “We are definitely seeing an increase in criminal activity.”

The FBI’s Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores, Mr. Snow said. The cases involve apps designed to compromise banking on cellphones, as well as mobile “malware” used for espionage by foreign nations, said a person familiar with the matter. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.

The article points out that while some believe Google’s Android Market to be less secure than other mobile app stores, (due to its apparently less strenuous vetting process for new apps), even apps from Apple’s iPhone App Store could pose potentially harmful security threats to users.

The Register has posted a portion of IBM’s apology note, which was sent to participants of the conference.

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

Recipients of the malware-infected USB drives were asked to refrain from using them and to return them via mail to IBM for disposal.

According to a press release from The University of Bristol,

Our scheme allows for computations to be performed on encrypted data, so it may eventually allow for the creation of systems in which you can store data remotely in a secure manner and still be able to access it.

Professor Smart’s milestone development could prove practical for a number of applications such as maintaining the data in encrypted medical records, electronic auctions and voting systems.

We’ve entered this really problematic situation where we have insecure infrastructure everywhere, communications being broadcast in the air around us, and anyone with a bit of radio equipment can reach out and intercept communications…. Individuals need to start taking steps to protect their privacy and the confidence of their communications.

According to the article, the number of wiretaps made legally has “exploded” since the passage of the Communications Assistance for Law Enforcement act of 1994, which required developers to include backdoors for law enforcement in their products.

Marlinspike plans to submit his apps to Apple for use on the tightly-controlled iPhone as well, though the company’s strict review process may present a challenge.

As reported on The New York Times,

The new tablets will offer a bevy of high-tech parts, including a full high-definition video encoder and 3-D graphics chip, which will enable them to interact with software like Adobe Flash. In addition, the tablet will have a built-in video and still camera, a multitouch display and a soft keyboard similar to that of the Apple iPad. [Project founder Nicholas Negroponte] said the new keyboard would also have haptic feedback so users will feel the keys vibrate on the screen as they type.

The new model tablets will emphasize open source technology, while they could ship initially with Android, Windows Mobile or Ubuntu operating systems. One of Marvell’s founders, Weili Dai, has stated her company’s intent to show the first version of the tablet at January’s Consumer Electronics show in Las Vegas.

As recently reported in InformationWeek, protecting medical devices from cyber threats has become one of the department’s “critical challenges,” according to assistant secretary for information and technology Robert Baker.

The major challenge with securing medical devices is that, because their operation must be certified, the application of operating system patches and malware protection updates is tightly restricted…. This inherent vulnerability can increase the potential for cyber attacks on the VA trusted network by creating risk to patient safety.

The VA states that not only do these security compromises have the potential to diminish the quality of patient care, but that the process of cleansing malware-infected devices has proven extremely costly. Over 122 VA medical devices have been infected with malware during the last 14 months and these attacks have occurred despite extensive preventative measures implemented last year. The department of Veteran Affairs is currently working to ensure that their more than 50,000 medical devices are equipped with isolation architecture by the end of 2010.

Official FIPS 140-2 Validation for Mocana NanoCrypto Android Should Make it Easier for Military, Government and Contractors to Specify Android Devices

San Francisco, CA (PRWEB) June 2, 2010 — Mocana Corporation, a company that focuses on securing non-PC connected devices, today announced that it has earned the government’s first FIPS 140-2 level one validation for a binary cryptographic module with Suite B cryptography running on the Android™ platform.

Mocana was in the news last week after receiving a significant strategic investment from Symantec. The resulting technology partnership will help Symantec expand its offerings from the PC into the faster-growing “smart device” market.

The 140-2 FIPS (Federal Information Processing Standards) are used to accredit the cryptographic “engines” that drive secure software or hardware implementations, and most federal agencies and contractors working on sensitive government projects are prohibited from buying products containing security software that is not officially FIPS-validated. Up until now, FIPS-validated security hasn’t been commercially available for Android devices. Today’s announcement clears an important obstacle to the more widespread use of these devices in the federal government.

NIST, the National Institute of Standards and Technology, wrote the FIPS 140 Publication Series to standardize federal cryptography requirements. Most federal agencies and departments require that any computer security implementations contain only FIPS-certified cryptographic modules. The FIPS 140-2 program tests security software and hardware approved for government “sensitive, but un-classified” information. The application and testing process is rigorous and non-trivial, but for companies selling security products to the federal government, their contractors or allies overseas, formal FIPS validations are a prerequisite to eligibility for government contracts.

Mocana applied for and received FIPS 140-2 Level 1 validation for its NanoCrypto Android product compiled for Linux on ARM-based CPUs; the FIPS-validated NanoCrypto binary will run on all current Android phones and devices. NanoCrypto is a sophisticated cryptographic engine designed for device developers. It’s purpose-built for non-PC devices and resource-constrained embedded systems. It is one of the smallest, fastest and most comprehensive cryptographic cores on the market, in addition to being one of the most popular: the cryptographic engine that drives NanoCrypto is already installed on millions of devices from hundreds of device OEMs worldwide, on everything from networked medical devices to unmanned military drones (“UAVs”). With built-in support for over 30 operating systems, NanoCrypto enables device OEMs and ISVs to add sophisticated cryptographic security features to almost any type of device or application.

“This makes it easier for developers to start building cost-effective, security-oriented commercial Android apps for use in federal and military settings,” said Adrian Turner, CEO of Mocana. “Many government buyers couldn’t purchase Android phones ‘off the shelf’, because FIPS 140-2 validated solutions weren’t available. Now this incredibly popular platform is a more viable, cost-effective option for sensitive federal and military applications that need strong cryptography.”

FIPS certification should make it easier for Android to penetrate the medical market, too – another device ecosystem where security is key. Specifying FIPS 140-2 validated encryption software in purchasing contracts is an easy, “best practices” way for hospitals and health networks to take a high assurance approach to data confidentiality and integrity protection, especially as it relates to the security and privacy of patient records. Mocana’s CEO, Adrian Turner, was interviewed recently by Maria Bartiromo on CNBC regarding the state of medical device security, and interested parties can view that video at http://www.mocana.com/video-cnbc-040110.html.

NanoCrypto, like every Mocana product, is available as a FIPS-validated binary for specific platforms or as platform-independent ANSI C source code. Designed exclusively for developers; NanoCrypto is not a “finished app” or utility for end-users. Developers can request a free trial of the NanoCrypto product at http://mocana.com/nanocrypto.html

About Mocana
Mocana secures the “Internet of Things” – the 20 billion datacom, smartgrid, federal, consumer, industrial and medical devices that connect across every sector of our economy. These devices already outnumber PC’s on the Internet by five to one, representing a $900 billion market that’s growing twice as fast as the PC market. Every day, millions of people use products sold by over 100 companies that leverage Mocana’s Device Integrity software, including Dell, Cisco, Honeywell, General Electric, General Dynamics, Avaya, Nortel Networks, Harris and Radvision, among others. Mocana won Frost & Sullivan’s Technology Innovation of the Year award for 2008 for Device Security, and was named to the Red Herring Global 100 as one of the “top 100 privately-held technology companies in the world” in January 2009.

A new report from technology research firm ABI Research estimates that in 2013 nearly half (46%) of flat panel TVs will be sold with built-in internet capability, and the report anticipates the unique challenges and opportunities created by this development. For example, due to the tight relationship between hardware and software in TVs, applications will have to be developed uniquely for each manufacturer.

However, despite the hurdles in programming, the analysts at ABI expect the growing popularity of internet-connected TVs to create a new array of opportunities for advertising and cross marketing in addition to new roles for manufacturers.

Fastcompany reports that Ford has followed the unveiling of Sync with a contest for University of Michigan engineering students to show what cloud-based computing can do for cars. The first prize was claimed by Caravan Track, whose designers intended to create a social networking app for communication between multiple vehicles on a road trip.

Most of the entries displayed a similar tendency toward social networking and GPS, such as The GreenRide Challenge, which helps users to organize carpools and accrue points for a future reward system. The winning app was displayed at this year’s Bay Area Maker’s Faire.

According to HP CEO Mark Hurd, “We expect to leverage WebOS into a variety of form factors, including slate computers and web-connected printers.”

As recently reported at InformationWeek, industry analysts–expecting HP to use WebOS primarily within the mobile device market–were not expecting printers to become the next device category for WebOS development.

Over the next year and a half, Porras and a crack team of top-level analysts from across the industry dubbed themselves the “Conficker Cabal”, and have relentlessly pursued the containment of the “Conficker” worm virus as well as its dubious origins. As of now, these cyber-sleuths have been engaged in a high tech game of chess with the worm’s creators and remain baffled as to its source, or even its intended purpose. What they do know is that an estimated 6.5 million infected PCs lie in wait to the worm’s command, their owners none the wiser.

The thrilling saga of the Conficker Worm is detailed at length in a new article in The Atlantic, and is astounding not only because it borders on espionage, but also because the virus’ mystery remains unsolved.

More on today’s announcement:

• The Wall Street Journal
• Mocana press release
• VentureBeat

As reported on The Register,

The networking giant on Wednesday urged users of the Cisco Network Building Mediator products to patch the vulnerabilities, which among other things allow adversaries to obtain administrative passwords. No authentication is required to read the system configuration files, making it possible for outsiders to take control of a building’s most critical control systems.

“Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device,” a Cisco advisory stated.

A recent article on Embedded.com addresses the technical requirements for optimal antenna performance in medical device design through four parameters: Gain Ratio, Return Loss, Efficiency and Operating Bandwidth. Because implanted transmission occurs in an environment of skin, fat, blood, muscle and bone, the potential for data loss and detuning is higher than in radiation from open air sources.

Through specialized geometry and material selection, there can be seen a great difference in antenna efficiency. As an example, the implantable patch antenna is shown to achieve optimization of geometric design, superior in transmission to a loop antenna design wherein most of the radiated power becomes dissipated within the body. Through successful antenna design, the practical power of implantable devices is increased as greater communication power is realized.

“What we have learned from decades of rapid development of information technology is that the key is relentless focus on ‘better, faster, cheaper’ — in everything,” Mr. Grove said in a statement. “The best results are achieved through the cooperative efforts of different disciplines, all aimed at the same objective.”

As reported by The New York Times, this type of interdisciplinary approach to the growing field of “translational medicine” is gaining steam, viewed by many as yielding greater results than traditional research and development within big pharmaceutical companies.

“The adoption of the iPhone and other mobile devices in the healthcare industry is just the latest example of how technology is creating greater transparency and an improved experience for consumers when dealing with service providers of all kinds. As a result, we see this as a natural use of ENOVIA V6’s data management and federation capabilities,” says Michel Tellier, CEO, ENOVIA, Dassault Systèmes.

As reported at Product Design & Development, the convenience of secure medical record access on mobile devices like the iPhone will ensure a more consistent patient experience with multiple providers, as well as freeing up 30-50 percent of doctor’s time spent entering patient data.

Check out this footage from the 5th annual Hexagon Robotic Dance Championship!

However, as an article in eWEEK Europe reports, HP may be shipping to meet that demand at the expense of security. At the company’s Executive Energy Conference in Dubai, HP’s utilities industry director Ian Mitton admitted that security has been an afterthought in smart grid and metering projects, with an emphasis being placed on early deployment to meet stimulus demand and experiment with the new technology. As we’ve previously discussed, security experts have been concerned about under-secured smart grid technology being rushed to market for some time.

Called the “Cyberspace Badge”, this medal of honor will be worn exclusively by officers who’ve proven their digital grit by completing the “X-Course”, also known as the Distance Learning Cyberspace Operations Transition Course. Its institution reflects the updated role of the Air Force mission – “to fly, fight and win in air, space and cyberspace”.

The new wings symbolize “the projection of cyber power world-wide” and will be worn by members of the 24th Air Force, the USAF’s network security organization. While this branch of the armed forces is still being built, it is expected to be on the front line of defense in cyberspace.

With formerly analog, “offline” industrial and utility systems becoming increasingly networked — such as the “Smart Grid” — IT solutions are often being applied for security. And, according to Weiss, this is part of the problem.

As reported on CNET,

The IT community views control systems as just another computer. A control system is two pieces–the human machine interface, the screens people see in the control room, which are now moving toward Windows, Unix and Linux. These systems also use TCP/IP. So people look at this and say “Aha! That’s IT. I know this.” What they don’t see are all of the devices in the field that sense, measure, control,and monitor physical processes. These devices don’t look like a computer and don’t use Windows. They use either proprietary real-time operating systems systems or fully embedded systems. There is no security at this level even though this where you go “boom in the night.” What IT sees is the engineer sitting in front of a Windows workstation and they say “I know that.”

He also warns that the existing vulnerabilities within the utility and industrial control infrastructures are already being exploited:

There are people who are starting to believe control system cyber is real, but it is still a small fraction. All I have are facts and physics. I’ve got an incident database with over 170 control system cyber incidents worldwide. Unfortunately, most incidents are not public. CERT (Computer Emergency Response Teams) and other IT security monitoring organizations are not designed to collect information for control systems. There is an unfortunate tendency to simply want to declare victory. The Department of Energy and the Department of Homeland Security both have work ongoing in this field. But neither has connected the dots on incidents that have actually happened to identify relevant R&D.

According to Businessweek, Jack’s rootkit is a first because in the past, thieves were only able to hit ATMs by installing skimmers and cameras to steal card numbers. Instead of using the machine as a point of access to user accounts, the hacker’s new method goes after the ATM itself, exploiting software vulnerabilities to get at what’s inside.

In addition to demonstrating these vulnerabilities, Jack will discuss ways that the ATM industry can protect itself from attack methods such as his own. The presentation will occur at the Black Hat Las Vegas conference, held July 28 and 29.

Official text from the application, featured at AppleInsider, describes a series of intervals within a single heartbeat that can be used as biometric data. This data can be used not only to identify the distinct pattern of the phone’s owner, but also as a way to judge the user’s heart rate and mood, which can then potentially be implemented within fitness and entertainment applications.

As reported on AppleInsider,

…[T]he electronic device can identify media having beats per minute or other characteristics that are associated with or related to a user’s cardiac signal or heart rate, and play back the identified media…. As another example, the media provided can have beats per minute faster or slower than the user’s current heart rate to direct the user to work harder (e.g., during a workout) or to cool or calm the user down (e.g., at the end of a workout).

As reported in the New York Times,

“We demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on,” [researchers] wrote in the report….

The research teams also claim that they were able to access a vehicle, remotely insert malicious code, and then completely remove any evidence of their intervention.

With the increasing popularity of wireless, internet-connected technologies in cars–such as “OnStar,” and other similar navigation and communications systems–more and more automobiles are becoming accessible through external networks. And as this technology proliferates, securing cars against hackers and viruses will become increasingly critical for driver safety.

As reported in the New York Times, current FDA policy requires manufacturers of life-sustaining devices to conduct clinical trials of new designs, however the agency is known to clear them for sale without testing based on their similarity to existing products. While infusion pumps are the immediate focus of these new guidelines, it is expected that other products will also be subject to more rigorous testing, and that this higher level of scrutiny will slow down the approval of new devices. The FDA has also supplied its own open-source testing software to manufacturers, in an effort to help them determine the effectiveness of their products.

But the problems plaguing the infusion pump market are creating more serious consequences for device manufacturers than just the delaying of new devices. As reported on Medical Device Network, the FDA has ordered Baxter Healthcare–a leading infusion pump manufacturer–to recall and destroy all of their “Colleague” model pumps due to the company’s failure to remedy a number of longstanding technical defects.

Remarkably, the prosthetic can be controlled in a fairly natural manner, allowing Claudia to perform simple tasks much in the same way she would with a real arm. It’s one of the first cases of nerve-rerouting surgery to enable control of a prosthetic via electrodes, whereas prosthetics in the past were controlled by muscle movement in the neighboring limbs.

One plan for UAVs is to achieve a 1:1 soldier-drone ratio, effectively arming each troop with his own airborne recon robot. And through the use of nanotechnology, these devices could become small and powerful enough to function as personal, guided ammunitions–enabling soldiers to fire accurately from behind cover.

Another plan is to convert existing Army vehicles into optionally piloted craft, allowing any vessel to operate autonomously in a drone mode, or switch back to a traditionally-piloted function.

But with military technology, device security is absolutely critical. As we reported last year, U.S. surveillance drones were easily hacked by insurgents who were able to intercept video feeds, allowing dodge U.S. operations and monitor surveillance routines.

A crucial shortcoming of RFID technology is the chip’s inability to determine the distance to a device attempting to gain access. By manipulating this weakness, hackers can easily intercept communications between chips and readers, giving themselves an “in” for future attacks on whatever systems they control. In order to enable an RFID to determine the location of an access point, a power source would be necessary, which is counterintuitive to their passive design concept.

Eslam Gamal Ahmed, a researcher at Cairo’s Ain Shams University, and his colleagues have devised a new security protocol for implementation between the tags and their readers. Whereas other approaches required an exchange of random numbers between a powered RFID and its reader, Eslam’s new protocol generates strings at the source and stores them on the passive chip, minimizing the potential for unauthorized access. While this breakthrough technique has yet to prove itself in real-world application, it could be the key to securing the increasingly valuable assets protected by RFID technology.

Watch CBS News Videos Online

The device is called “Didget,” and it’s a blood glucose meter that connects to the Nintendo DS — the popular internet-connected portable gaming system. When connected to a DS, the Didget transmits information about how regularly its owner has performed a blood sugar test, and DS games with Didget compatibility reward the player with special unlocks and online leaderboard points.

While it remains to be seen how the glucose meter will ensure the security of potentially sensitive patient health data when connected to a WiFi network device such as the DS, Bayer hopes its new gadget will provide incentive to kids living with diabetes. As reported in the New York Times, Dr. Phyllis Speiser of Cohen Children’s Medical Center of New York agrees that “any device, any technology that will encourage children to do what they need to do is a good development.”

For those willing to accept the risks, the process can be completed relatively quickly and easily. As reported on ReadWriteWeb, the jailbreak is completed using a freeware tool called “Spirit,” which loads the iPad with modified firmware and a program called “Cydia”, which enables access to a bevy of downloadable tweaks and programs. Once the jailbreak is performed, the device can be restored to factory settings via iTunes, effectively removing any trace of the process.

However, while a jailbroken device offers a wider range of customization and access to previously unusable applications, there are serious security concerns when running this kind of system modification. As we have previously reported, jailbroken iPhones have been targeted by malicious hackers and viruses that put private user data–banking passwords, SMS messages–at risk.

“An embedded device that meets the requirements of the ISASecure EDSA specification earns the ISA Secure EDSA certification; a trademarked designation that provides instant recognition of product security characteristics and capabilities, and provides an independent industry stamp of approval similar to a ‘Safety Integrity Level’ Certification (ISO/IEC 61508).”

The ISA Security Compliance Institute, founded in 2007, is composed of leaders from major organizations in the industrial automation and control community for the purpose of providing the highest level of assurance possible for industrial automated systems. Having donated the ISASecure specifications to the ISA99 Standards Committee for consideration in their standards development process, the institute also welcomes public comment from individuals and organizations through its web site.

One such innovation is multi-core computing, which fits multiple processing units in one chip to save on energy and speed operations. However, applications must be specially programmed to take full advantage, as is the case with Intel’s Core 2 Duo. Another approach is to design processor cores in a system-specific manner, like Apple’s A4, specifically built for the iPad device.

Other manufacturers are exploring three-dimensional architectures for new processors, employing a multi-layered design to shorten the distance between cores and reduce energy consumption. As chips get smarter, faster and smaller simultaneously, they become more versatile and require less energy to run and this creates new opportunities in device design.

The new Bluetooth could pop up anywhere because if its low power usage. For example, a standard-sized wristwatch could alert its wearer to incoming calls and text messages, whereas previous Bluetooth watches have been cumbersome in size and required a frequent charge. Small medical devices such as glucose monitors could also incorporate the standard, making them cheaper and easier to integrate than with existing proprietary options.

Executive Michael Foley anticipates that the interface will open up connectivity for a wide variety of items that were previously too small for wireless connection. “It’s going to enable an entirely new market for Bluetooth and allow it to be used in a category of products that Bluetooth just couldn’t be used in before.”

Representative Ed Markey (D-Mass.), the bill’s co-sponsor, emphasized the vulnerability of the electrical grid as a major threat to our most essential infrastructures. “Every one of our nation’s critical systems – water, healthcare, telecommunications, transportation, law enforcement, financial services – depends on the grid.”

Users savvy enough to attempt this feat can do so with the help of OpenBTS systems, who created the project as a means to provide cellphone service in areas without the proper infrastructure. So far it has been implemented on the South Pacific island of Niue and at the Burning Man Festival in Black Rock Desert, Nevada.

The system can operate with the aid of a basic PC setup running an open-source software called Asterisk, can be powered by batteries normally used in boating and requires a simple universal software radio peripheral for connection. And by recreating the technology used in the global GSM network, OpenBTS is compatible with most consumer handsets. However, how this kind of “DIY” network solution affects the security of the data being transmitted remains to be seen.

As one researcher described it:

If I want to find Brad Pitt, I find his number using the caller ID database, use Home Location Register access to figure out what provider he has. T-Mobile is vulnerable to voice mail spoofing so I get into his voice mail and listen to his messages…. But I can also have the system tell me the numbers of the callers and I can take those numbers and look them up in the caller ID database and use the Home Location Register system to find their providers and break into their voice mail, and so on.

Hoewver, as described in yesterday’s New York Times, a federal judge has rejected the plea arrangement.

According to The Times,

Donovan W. Frank of United States District Court said the provisions of the agreement were “not in the best interest of justice and do not serve the public’s interest because they do not adequately address Guidant’s history and the criminal conduct at issue.” [...]

Judge Frank said that prosecutors should have sought probation for Guidant and its parent, Boston Scientific. Probation would have required the companies to take certain steps, like helping to rebuild public confidence in the safety of heart devices, in addition to paying a fine.

The judge also outlined other provisions that might be suitable in a new plea deal, including charitable activities by Guidant to improve heart device safety and improve medical care among minority patients.

According to Bank Info Security,

In March, the national fabric store chain [Hancock Fabrics] publicly confirmed the breach…sending an open letter to its customers, revealing: “PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units. This may have allowed criminals to capture – or “skim” — payment card data during transactions.”

Hancock didn’t reveal the locations or number of stores where point of sale scanners were compromised — nor the number of customers who had their card data taken — but at least 140 reports from customers in California, Wisconsin and Missouri show the pervasive nature of the fraud.

One option is password protection, yet obvious questions arise. Where would these passwords be stored? Could they be easily compromised? And of course, if a patient were unconscious and in need of emergency treatment, they would be unable to provide this information. That is, unless the password were tattooed somewhere on the patient’s body.

This unconventional solution has been proposed by a Microsoft researcher as a way to guarantee access to implantable devices in case of emergency. Using invisible ink that could be exposed under ultra-violet light, the tattooed passwords would be nearly undetectable under normal conditions. According to the researcher’s proposal, patients would have the option of “user-chosen” phrases, random character strings or hieroglyphic-like designs for their permanent identifiers. Whether many of those wearing implanted devices would actually be willing to get tattooed remains to be seen.

In an official blog post, an employee in Verizon’s Risk Intelligence unit has taken aim at researchers who disclose security flaws, calling them “Narcissistic vulnerability pimps” and comparing them to criminals.

“Have you ever heard of a terrorist referred to as a ‘demolition engineer?’…How about a thief as a ‘locksmith?’ No? Well, that’s because most fields don’t share the InfoSec industry’s ridiculous yet long-standing inability to distinguish the good guys from the bad guys.”

The post goes on to propose that a person who discloses security flaws henceforth be labeled a “narcissistic vulnerability pimp,” which the writer defines as “One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

The full blog post can be read here.

According to the NIST,

The second draft of the document contains the updated overall security strategy for the Smart Grid and updated logical interface diagrams, privacy, bottom-up analysis, and vulnerability class analysis sections. In addition, new chapters on research and development themes and standards assessment have been included. Finally, an overall functional logical Smart Grid architecture is included.

The full second draft is available here.

With continuing advancements allowing for increasingly smaller-footprint, lower-power wireless sensors, large scale collections of these autonomous, connected, smart sensors offer solutions for a wide range of applications.

But many questions remain for this emerging technology. Conference topics will range from power consumption and performance to system architecture and protocols–and of course the security and integrity implications posed by a vast number of sensors that may, or may not, have built-in security features.

Nearly half of those surveyed claim to have an internet-connected gaming console at work, and 8 in 10 held no record of who was using them. The competitive online play, messaging systems and fully functional browsers within these consoles could potentially be used for denial of service attacks, data leaks, and more.

According to Sunbelt, the best way for companies to provide entertainment consoles, while minimizing the risk of a security breach, is by limiting them to offline use only.

With presentations from medical technology industry leaders and experts, including representatives from the FDA, this year’s conference will address a range of topics aimed at regulatory compliance and design quality, including best practices to:

- Manage compliance with the amended Medical Device Directive

- Organize your structure and process to address new regulatory requirements

- Achieving shorter development cycles without sacrificing compliance and quality

- Plan a process where SQA works closely with stakeholders in the early stages of project development

- Integrate human factors engineering into medical devices to make them safe, effective and efficient to use

But a recent New York Times blog post reports that Google has announced its plan for printing to–and from–the cloud. Anticipating a new generation of cloud-aware printers, and making use of currently networked ones, Google Cloud Print will aim to allow printing from any device to any printer in the world. In Chrome, a device will send print instructions to the could where they will be delivered to a cloud-aware printer, or delivered back to the device and translated into print commands understood by today’s non-cloud-based printers.

Naturally there are concerns over data security and privacy with this scenario, which would require all documents be sent through the cloud for printing whether it be from smartphones, netbooks or PCs.

As reported on DarkReading, over the past five years,

Cybersecurity incidents in…water and wastewater [control systems] have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

Nearly half of all security incidents were due to malware infections — viruses, worms, and Trojans…. With only a fraction of control systems connected to the Internet, these infections are occurring in other ways: “A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It’s several layers removed, but once there’s a virus [on the business network], it finds its way into the control systems”…. “And you see USB keys bringing in malware”…or via an employee’s infected laptop….

In addition, with some of these control systems running on Windows-based platforms, the lack of internet connection means operating system security patches are rarely applied, leaving the entire system vulnerable to attack once a rogue worm or trojan horse finds its way onto the network.

According to the RISI report, direct and intentional attacks accounted for 25 percent of these security incidents. The other 75 percent consisted of malware-based breaches and equipment failures, in roughly equal measure.

In an interview with NPR, Anderson reveals the dangerous potential in this possible harvesting of stolen identities. He refers to the 2008 attack on the Royal Bank of Scotland, when hackers simultaneously drained bank accounts using stolen identity information, netting over $9 million. Anderson suggests that a similar attack by hackers and/or terrorists on the U.S. economy — on a much larger scale — could have crippling effects, warning that our entire financial system could be “brought down.”

“A different government from ours could use these [stolen identities] to attack our system on a Monday morning at 9am, extracting funds from many millions of stolen identities simultaneously and bring down our economy.” And according to FBI Director Rob Mueller, a hack attack could be “as damaging as a well-placed bomb.”

According to Mark Anderson, he wants “to encourage those who haven’t prepared yet to get prepared. You have to be in the game. You can’t ignore it. And that’s all one can do.”

But, as recently reported on Australia’s IT News, the iPhone could soon be enterprise-ready, thanks to the coming iPhone OS 4.0 update from Apple.

A prominent feature of the new OS is a “Mobile Device Management Service” which allows IT managers to remotely configure and monitor a corporate fleet of iPhones — similar to what many enterprise networks already use for Blackberry and Windows Mobile smartphones. This would also allow for the remote locking or wiping of iPhones in the event of loss, theft, or security breach. The update also offers more advanced data encryption and password management features, as well as enterprise-wide app distribution.

Additionally, the new iPhone OS will have support for SSL VPN applications, as well as Microsoft Exchange Server 2010 — important features if the iPhone is to become widely accepted for enterprise email use.