Cyber tension follows hacker attack on Israeli credit card users
http://latimesblogs.latimes.com/world_now/2012/01/so-called-saudi-hack-attack-on-israel-turns-cyber-brawl.html
REPORTING FROM JERUSALEM -- Last week, a hacker published credit card information belonging to about 20,000 Israelis on the Internet, along with the personal details of hundreds of thousands more.
Israeli credit card companies swiftly canceled the cards and pledged to reimburse customers for damages caused by fraudulent use.
The suspected hacker, identifying himself as OxOmar, claimed he was a Saudi teenager, based in Riyadh. But Israeli hackers embarked on a search for the credit card culprit and within hours announced he was actually based in Mexico, where he had moved from the United Arab Emirates.
The hacker's identity and location remain unclear. In subsequent messages, he said Israelis got the wrong guy.
Over the weekend, Deputy Foreign Minister Danny Ayalon talked tough on the issue, declaring cyber-attacks to be terrorism and saying that Israel would "retaliate forcefully." Then early Monday, Ayalon, a cyber-savvy politician and prolific user of social media platforms including Facebook and Twitter, found his website had been attacked and defiant comments left behind.
"We don't fear your empty words ... we are ready to be struck by your missiles and die a martyr's death for God," read one message written in Arabic.
Ayalon, for his part, said he would not back down to anyone, including those with computer skills.
"Cyberspace appears to be the new battlefield, and our opponents will not be able to defeat us on this plane either," he said.
Also Monday, a group of Israeli hackers said they got their hands on 1,000 credit cards used on Saudi shopping sites. The hackers threatened to "cause severe damage to the privacy of Saudi citizens" if attacks on Israel continued.
Some Arab media reports said Saudi banks were stepping up security after perceived Israeli threats. In other reports, banking officials dismissed concerns and said Saudi banks already spent a fortune on security and there was no need for extra measures.
Hebrew media reported that Israeli banking officials met with Homeland Defense Minister Matan Vilnai a few weeks ago and told him Israel's banking system, as well as other critical infrastructure like the electric company, trains and ports, were unprepared for cyber-terrorism. Israeli awareness is high but the bureaucracy is sluggish. However, the incident may expedite implementation of security measures.
Wavedreamer, re: "We know how important those Gov't agencies are in the future use of TPM's."
The following is from a blog by Angela Carducci, the marketing manager for XenClient, referring to last week's Citrix Synergy in Barcelona.
It shows that the government (more than just the Air Force Research Labs?) has a HAP-like program based on XenClient XT that is generating interest from areas outside of the government.
---------------------------------
XenClient is HIGHLY SECURE
XenClient XT is an edition of XenClient specifically designed for enabling multi-level, secure local virtual desktops. It was built to meet the most extreme isolation, security, and performance requirements for local virtual desktops in public sector customer environments. With XenClient 2.1, all of these great benefits are now extended to laptops and we are starting to see tremendous interest from other highly regulated industries in this solution. What’s the draw? Extreme security! That’s what interested Dr. Ryan Durante from Air Force Research Labs in this technology. During his session at Citrix Synergy Barcelona, he stated the following.
“SecureView, the name of the government program that uses XenClient XT as the basis for a multi-level workstation achieved the highest level of approvals from the NIST 800-53 Security Controls Catalogue available today. Those approvals are: Confidentiality: High, Integrity: High, Availability: Medium”
http://blogs.citrix.com/2011/10/27/xenclient-2-1-%E2%80%93-what-does-it-mean-for-your-business/
Halloween effect? XenClient XT stirring after five months of no discernible pulse. Spooooky!
--------------
Citrix XenClient – What’s Happening at Citrix Summit and Citrix Synergy Barcelona?
Your compañeros on the Citrix XenClient team are excited to showcase XenClient and XenClient XT at the Citrix Partner Summit on October 24th – 25th and at Citrix Synergy from Oct. 26th to October 28th in Barcelona, Spain. We have demos, breakout sessions and even a special guest speaker!
Guest Speaker
We are pleased to have Dr. Ryan Durante, Chief of the Cross Domain Solutions and Innovation Section, Air Force Research Lab, AFRL/RIEB at the Citrix Partner Summit and at Citrix Synergy. Dr. Durante will co-present during two of our breakout sessions so we hope you will join us as he discusses his experience with XenClient XT.
------------
More on XenClient XT:
http://www.citrix.com/English/ps2/products/subfeature.asp?contentID=2315434
http://blogs.citrix.com/2011/10/20/citrix-xenclient-what%E2%80%99s-happening-at-citrix-summit-and-citrix-synergy-barcelona/
------------------
Dr. Durante spoke at the Citrix Synergy held last May when XenClient XT was first shown as well.
-------
SYN310: XenClient security: deep dive with Ian Pratt and behind the scenes with the Defense Intelligence Agency
Breakout
Description
This session will explore the unique security and data isolation capabilities of XenClient. Working in close partnership, technologists from the defense sector of the United States government and from Citrix developed key innovations for XenClient, the high-performance bare-metal hypervisor that runs directly on client device hardware, that helps the Defense Intelligence Agency (DIA) meet the most extreme security requirements. This session will go a few clicks down from the Thursday general session, exploring the unique security and data isolation capabilities in XenClient and how this helps the DIA meet its demanding computing needs.
Speaker(s)
Dr. Ryan Durante
Chief of the Cross Domain Solutions and Innovation Section
Air Force Research Laboratory
-------------------------------------------------------------------
Ian Pratt
VP Advanced Products
Citrix Systems, Inc
Ian Pratt is chairman of xen.org—the organization that leads the creation of the open source Xen Hypervisor, a founder of XenSource—acquired by Citrix in 2007, and vice president of Advanced Products in the Citrix Virtualization and Management Division. Mr. Pratt has consulted widely in the technology industry, and was a member of senior faculty at the University of Cambridge Computer Laboratory and a founder of Nemesys Research, which was acquired by FORE Systems.
http://eventkaddy.com/citrixsynergy/presentation.asp?presId=202
-----
More on XenClient XT:
http://www.citrix.com/English/ps2/products/subfeature.asp?contentID=2315434
There's nothing Wave specific in this article, but I liked the metaphor the writer used. When do we get to pop the bubbly?
"Like a restaurant that loses money on food and makes all the profit on wine and cocktails, service providers need to see security for what it is: as profitable as a liquor license."
-------------
Parting Thoughts: The world of security has turned on its head
Security: Risk and Reward By Andreas M. Antonopoulos, Network World
October 11, 2011 10:57 AM ET
For the past several years, I have had the honor of writing for Network World in "Risk and Reward." Unfortunately, that time has come to an end as I am leaving the world of independent analysts to pursue new adventures. In my last column, I'd like to explore some of my recurring themes and offer some predictions for the future.
The world of security has turned on its head. It was always a fast-moving space, but in the last three years it has become a roller coaster. Part of that is because of huge changes in IT itself. Part of it is because of the enormous importance of electronic communications in our lives today. Some of the trends will continue to make security challenging, yet also rewarding and fascinating at the same time.
Mobility: The whole paradigm of security was originally based on immovable systems in concentric perimeters. That model is well past broken, yet it persists throughout most environments. Have a look at how many security systems rely on IP addresses and you will see why mobility breaks everything. Things will get more and more exciting as IT, security and society as a whole come to grips with the idea of enormously powerful sensor and communications platforms, full of every personal detail and experience, permanently carried by almost every person.
Virtualization: I wrote the first article on virtualization security in April 2004 for Network World. At the time, I saw an enormous potential for virtualized security. I saw the possibility of joining endpoint security and network security into a new paradigm that had elements of both but was more powerful than either. Unfortunately, that space is still immature as companies have tried to patch together a strategy to secure virtual systems largely by VLAN segmentation and firewalls. This has ended up weakening security and hampering virtualization too. I fully expect that in the end we will get there. The most important question is not, "How do I secure virtual systems?" but, "How do I virtualize security systems?" Answer the second and the first becomes much easier.
Cloud computing: The cloud is about to achieve a small percentage of the level of hype surrounding it, but that still means a remarkable transformation of IT and IT operations. It also means a huge opportunity for security, as well as a huge problem with security. For providers, security is not the barrier to adoption -- it is the holy grail of profitability in the cloud. You can actually make money off security services, unlike the CPUs which are commoditized to unprofitability. Like a restaurant that loses money on food and makes all the profit on wine and cocktails, service providers need to see security for what it is: as profitable as a liquor license. Security as a service is still in its infancy but growing rapidly. Like virtualization, the question to ask is not, "How do I secure the cloud?" but, "How do I cloud-port my security?" Answering the second makes the first question a lot easier.
Those three themes have made up the bulk of my security writing for several years. It's not because they represent new security technologies or products or vendors. It's because they challenge the foundational models and notions of security that permeate most security implementations. They subvert our security by contradicting the most fundamental assumptions we make in security. In my native culture, there is a word to describe this: skiamorphe, which means a "shadow of the old form." It describes a tendency to incorporate the features of an obsolete technology in a new one when it first emerges. In security, we have not yet emerged from the shadows of a location-centric, perimeter-oriented and static model. Until we do, we will be wandering in the dark.
http://www.networkworld.com/columnists/2011/101111-andreas.html?page=1
SMART Modular Technologies Releases World's Fastest Multi-Level Cell and Highest-Capacity SAS SSD
SMART Modular Technologies today announced the Optimus solid-state drive (SSD) for enterprise storage applications. Featuring a native Serial Attached SCSI (SAS) 6Gb/s interface and up to 1.6TB usable capacity, Optimus is claimed to be the industry's highest capacity and fastest SAS multi-level cell (MLC) SSD.
Available in 200GB, 400GB, 800GB, and 1.6TB usable capacities, the new 2.5" SAS SSD features read/write speeds of 100K/50K random IOPS and 500/500 MB/s sustained transfer rates. It also includes support for wide-port SAS capability, providing up to 1GB/s sustained read performance in applications equipped to support this advanced feature.
The new Optimus SSD incorporates Guardian technology, a suite of innovative proprietary features comprised of FlashGuard, DataGuard, and EverGuard technologies. The FlashGuard technology delivers advanced flash management capabilities, ensuring that the Optimus SSD can be used in mainstream, enterprise storage workloads throughout its warranted 5-year period. Incorporating Aggregated Flash Management and Advanced Signal Processing technologies, FlashGuard extracts higher endurance characteristics out of MLC flash, allowing SMART to offer Optimus SSDs with a comprehensive 5-year warranty at usage rates up to 10 full device-writes per day. The DataGuard and EverGuard technologies ensure that data integrity and drive reliability are never compromised, satisfying the demanding requirements of Tier-1 enterprise storage applications. Additionally, Optimus features full T10 DIF support and TCG enterprise encryption.
The SMART Optimus SSD will begin sampling in September 2011.
http://ixbtlabs.com/news.html
MSi Releases Windows Tablet PC
http://www.tabletpcdevices.com/tag/windows-7/
• AMD Z-Series APU Processors
• Genuine Windows® 7 Home Premium
• 10" 1280x800 wide-view, multi-point touch screen with IPS
• Exclusive smart racker for smooth operation
• TPM embedded security chip and MSI's EasyFace biometric software to provide complete protection for peace of mind
• Exclusive Smart Media Link easily to connect with other devices for performing such actions as sharing information and transferring videos/documents.
• Exclusive O-Easy interface for easier management and use of frequently used functions and software.
• SRS TruMedia offers enhanced acoustic experience
Complete protection for peace of mind
1. TPM (Trusted Platform Module)
Files can be encrypted for twice the security. This means that you can require a password to open a file and then require that it can only be opened in coordination with the TPM chip. Even if a hacker obtains your file, therefore, they can’t actually get at the data without the TPM chip, effectively stopping data loss due to hackers and Trojan horses.
http://www.msi.com/product/nb/WindPad-110W.html
Android Trojan Points Out Mobile Security's Trust Problem
Malware that records your phone calls sounds bad, but there's a bigger problem.
By Laurianne McLaughlin InformationWeek
August 03, 2011 11:59 AM
http://www.informationweek.com/news/231300128
An Android Trojan that security researchers brought to light this week--a piece of malware with the potential to record your phone calls--made some waves on the creepiness scale, though it hasn't been spotted in the wild. This story brings up an unpleasant truth about today's mobile device security: It's sometimes still too hard for smartphone owners to know who to trust.
This Trojan would travel with an app from an untrustworthy source and ask for some unusually generous permissions from you. If you don't download the app and give the permissions, your phone does not get the malware. But how do you know whose apps to trust? Could you be fooled, as hackers get craftier? Apps marketplaces don't yet have foolproof controls to keep malware creators out. InformationWeek.com's Robert Strohmeyer has 5 good pieces of advice on how to fight mobile malware.
You might want to send this article to anyone in your family for whom you are the unofficial IT person. (You do realize you're on the hook for smartphone support now, right? It's enough to make you nostalgic for the days of "Is the printer unplugged by any chance?") Family members confused by security pop-up messages on PCs will be confused by smartphone app marketplaces with unsavory apps that look genuine. Mark my words.
So will some users of company-owned smartphones. It's no mistake that mobile security and mobile device management continue to dominate IT worries about the consumerization of IT. MobileIron today unveiled Connected Cloud, a new hosted version of their mobile device management tools for enterprises, as InformationWeek.com's Fritz Nelson reports. Tools like this give IT teams remote control power, access control and a unified view of company devices - not new concepts, of course, but could using a hosted version save you IT staff resources and/or money? Check out what Nelson has to say on one missing element in MobileIron's service.
Federal government agencies have just as urgent a need to secure mobile devices. NIST, the agency that creates standards for the federal government's use of technology, is now testing iPhones and iPads to identify the best ways to secure them for government workers and military personnel, reports InformationWeek.com's Liz Montalbano. Next time you want to put your enterprise mobile worries in perspective, consider this: The Defense Information Systems Agency (DISA) recently put out a request for information seeking advice on how to centrally manage up to 1 million devices, Montalbano reports.
Mobile device makers of several kinds would be wise to learn some security lessons from the Google Chromebook, especially related to hardening the operating system code, notes InformationWeek.com's Kurt Marko. Even if the gadget itself isn't a popular smash, it's worth studying for this reason, Marko says.
And on a related security note, stay tuned to InformationWeek.com and Dark Reading for more information on the "Shady Rat" attacks, a five-year cyber-espionage campaign that has hit national governments, global companies, nonprofits, and others, according to McAfee. We'll also keep you up to date on the most interesting news from BlackHat, as the security confab convenes Wednesday in Las Vegas.
Laurianne McLaughlin is editor-in-chief for InformationWeek.com. Follow her on Twitter at @lmclaughlin.
barge, I think there is a very good chance that we will be involved with Dell Divide, but probably not on this China release.
I say this because I suspect that Dell Divide is a rebranded version of the Citrix XenClient. XenClient 2 was announced to be ready for release in June, but there has been complete silence from the company since that time, so I have been awaiting an appearance from one of the OEMs. This could be it. But even so it is going to come in two versions; one utilizing the TPM (XenClient XT), and one without. We know that the Chinese won't allow standard TPMs into their country and are going to use their own version instead, and I haven't heard anything about Wave working with their version, so I don't see Wave in the picture at this time.
When the non-Chinese version of Dell Streak with Dell Divide is released I would expect to see Wave support incorporated, in so far as it is based on the XT version of XenClient.
All just IMHO.
wavedreamer, how about adding this to your list of TPM management/support opportunities?
• Support for user-controlled management of TPM identities.
--------------
http://www.docstoc.com/docs/57707019/User-controlled-Management-Of-TPM-Identities---Patent-7640593
This is a very interesting patent held by Nokia. It allows for delegating limited TPM functionality so the owner's management burden is lightened while simultaneously overall platform security is enhanced, IMO, by placing those responsibilities on entities designed for those tasks. It requires a TPM management program; we will have to wait to see who will provide it.
-------------------
This invention is in the field of security and trustworthy computing. The invention relates to a method for managing identities in a device comprising a trusted platform module. The invention also relates to a device, a system, a module, and a program product.
---------------
The TPM Owner is an entity with a single "super user" privilege to control TPM operation. Thus if any aspect of a TPM requires management, the TPM Owner must perform that task himself or reveal his privilege information to another entity. This other entity thereby obtains the privilege to operate all TPM controls, not just those intended by the Owner. Therefore the Owner often must have greater trust in the other entity than is strictly necessary to perform an arbitrary task.
This delegation model addresses this issue by allowing delegation of individual TPM Owner privileges (the right to use individual Owner authorized TPM commands) to individual entities, which may be trusted processes.
Consumer user does not need to enter or remember a TPM Owner password. This is an ease of use and security issue. Not remembering the password may lead to bad security practices, increased tech support calls and lost data.
Role based administration and separation of duty. It should be possible to delegate just enough Owner privileges to perform some administration task or carry out some duty, without delegating all Owner privileges.
TPM should support multiple trusted processes. When a platform has the ability to load and execute multiple trusted processes then the TPM should be able to participate in the protection of secrets and proper management of the processes and their secrets. In fact, the TPM most likely is the root of storage for these values. The TPM should enable the proper management, protection and distribution of values held for the various trusted processes that reside on the same platform.
Trusted processes may require restrictions. A fundamental security tenet is the principle of least privilege, that is, to limit process functionality to only the functions necessary to accomplish the task. This delegation model provides a building block that allows a system designer to create single purpose processes and then ensure that the process only has access to the functions that it requires to complete the task.
There is no desire to remove the current TPM Owner and the protocols that authorize and manage the TPM Owner. The capabilities are a delegation of TPM Owner responsibilities. The delegation allows the TPM Owner to delegate some or all of the actions that a TPM Owner can perform. The TPM Owner has complete control as to when and if the capability delegation is in use.
-------------------------
According to a fourth aspect of the present invention there is provided a system comprising an electronic device; a communication network; and a remote device; wherein the electronic device comprises a trusted platform module comprising a storage; a first component for using an identity related command for performing identity related action; a second component for creating a delegation agent; a third component for creating a storage key for secure storage; a fourth component for creating a delegation for the identity related command; a fifth component for sealing said delegation using the created storage key to a trustworthy system state; and a sixth component for delivering the sealed delegation to the delegation agent.
According to a fifth aspect of the present invention there is provided a computer program product carrying program code for managing identities in a device comprising a trusted platform module, the program code comprising instructions for using an identity related command for performing identity related action; creating a delegation agent; creating a storage key for secure storage; creating a delegation for the identity related command; sealing said delegation using the created storage key to a trustworthy system state; and delivering the sealed delegation to the delegation agent.
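The delegation model quoted above (one owner secret, per-command delegations, sealing to a trustworthy system state) is easier to reason about with a small working model. The following is an added example, not code from the patent, from Nokia, or from any TPM implementation: it models an owner who holds the single super-user secret, creates a delegation for exactly one owner-authorized command, and seals it to the current PCR values so that the delegation stops working if the delegation blob is altered, if it is used for a different command, or if the platform state changes. The command names TPM_MakeIdentity, TPM_ActivateIdentity and TPM_OwnerClear are from the TPM 1.2 command set; the class names, the HMAC-based sealing and the PCR digest scheme are this example's own simplifications.

```python
"""Toy model of TPM owner-privilege delegation sealed to platform state.

Added example for illustration only; not the patent's code and not a real TPM.
Sealing is modelled as an HMAC under a key that never leaves the 'chip',
bound to a digest of the selected PCR values (the 'trustworthy system state').
"""
import hashlib
import hmac
import secrets


def state_digest(pcrs):
    """Digest of a {pcr_index: value} selection, in index order (constructed scheme)."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(idx.to_bytes(4, "big"))
        h.update(pcrs[idx])
    return h.digest()


class ToyTPM:
    # Subset of owner-authorized commands (names from TPM 1.2; the set is illustrative).
    OWNER_COMMANDS = {"TPM_MakeIdentity", "TPM_ActivateIdentity", "TPM_OwnerClear"}

    def __init__(self, owner_secret, pcrs):
        self.owner_secret = owner_secret              # the single "super user" privilege
        self.storage_key = secrets.token_bytes(32)    # storage key: never leaves the device
        self.pcrs = dict(pcrs)
        self.log = []                                 # who used which delegated command

    def create_delegation(self, owner_auth, agent, command, pcrs_to_bind):
        """Owner creates a delegation for ONE command, sealed to the current PCR state."""
        if not hmac.compare_digest(owner_auth, self.owner_secret):
            raise PermissionError("owner authorization failed")
        if command not in self.OWNER_COMMANDS:
            raise ValueError(f"{command} is not an owner-authorized command")
        policy = state_digest({i: self.pcrs[i] for i in pcrs_to_bind})
        body = f"{agent}|{command}|".encode() + policy
        tag = hmac.new(self.storage_key, body, hashlib.sha256).digest()
        return {"agent": agent, "command": command,
                "bound_pcrs": tuple(pcrs_to_bind), "policy": policy, "tag": tag}

    def use_delegation(self, delegation, command):
        """Agent invokes a command with its sealed delegation; no owner secret needed."""
        body = f"{delegation['agent']}|{delegation['command']}|".encode() + delegation["policy"]
        expected = hmac.new(self.storage_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, delegation["tag"]):
            return "rejected: delegation tampered"
        current = state_digest({i: self.pcrs[i] for i in delegation["bound_pcrs"]})
        if current != delegation["policy"]:
            return "rejected: platform state changed (unseal failed)"
        if command != delegation["command"]:
            return f"rejected: delegation does not cover {command}"
        self.log.append((delegation["agent"], command))
        return "ok"

    def extend_pcr(self, idx, measurement):
        """PCR extend: new = H(old || measurement), as a TPM does on each boot stage."""
        self.pcrs[idx] = hashlib.sha256(self.pcrs[idx] + measurement).digest()


def demo():
    """Run the four scenarios and return their outcomes keyed by name."""
    owner_secret = secrets.token_bytes(32)
    good_state = {0: hashlib.sha256(b"constructed BIOS image").digest(), 7: bytes(32)}
    tpm = ToyTPM(owner_secret, good_state)
    # Owner delegates only TPM_MakeIdentity to an identity-management agent, bound to PCR 0.
    d = tpm.create_delegation(owner_secret, "identity-agent", "TPM_MakeIdentity", [0])
    results = {}
    results["make_identity"] = tpm.use_delegation(d, "TPM_MakeIdentity")   # least privilege honoured
    results["owner_clear"] = tpm.use_delegation(d, "TPM_OwnerClear")       # not delegated
    forged = dict(d, command="TPM_OwnerClear")                             # agent edits its blob
    results["tampered"] = tpm.use_delegation(forged, "TPM_OwnerClear")
    tpm.extend_pcr(0, b"modified BIOS")                                     # platform state changes
    results["after_change"] = tpm.use_delegation(d, "TPM_MakeIdentity")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

The point of the model is the last two checks: an agent that holds a delegation cannot widen it to other owner commands, and because the delegation is sealed to the measured state, a changed platform (a different PCR 0 after extend) silently invalidates it rather than leaving the privilege usable on an unknown configuration.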
Pentagon hit by huge cyber theft
Cyberspace designated as operational domain as US bolsters military computer security.
Last Modified: 15 Jul 2011 03:03
A top Pentagon official has admitted that a massive amount of data related to new defence technologies were stolen earlier this year.
"It was 24,000 files, which is a lot, but I don't think it's the largest we've seen," William Lynn, the US deputy defence secretary, said on Thursday.
Lynn revealed the theft as he unveiled a new Pentagon cybersecurity strategy that designates cyberspace as an "operational domain" like sea, air and land where US forces will practice, train and prepare to defend against attacks.
He said the theft occurred in March and targeted files at a defence contractor developing weapons systems and defence equipment.
However, he declined to specify the country behind the attack, what company was hit or what the files contained.
The hacking was a dramatic illustration of the rising difficulties the Pentagon faces in protecting military and defence-related networks critical to US security.
Critics say the new strategy doesn't have enough bite to counter those types of breaches, much less the ones that could potentially cripple a nation.
Defence department employees operate more than 15,000 computer networks and 7 million computers at hundreds of installations around the world. The department's networks are probed millions of times a day and penetrations have compromised huge amounts of data.
Lynn said a recent estimate pegged economic losses from theft of intellectual property and information from government and commercial computers at over $1tn.
With millions of hackers on the prowl each day to breach defence networks, it has to be seen whether Washington has the political will to take more aggressive measures to protect its most sensitive secrets.
http://english.aljazeera.net/news/americas/2011/07/201171523834586264.html
OT? Secure Display Server for Xen---NSA
-------------------------------------
Xen Summit 2011 Agenda and Speaker Lineup Announced
Annual North America Event to Feature Open Source Luminaries from Amazon, Bromium, Citrix, HP, Huawei, Intel, NSA, Oracle and Samsung
CAMBRIDGE, UK » 6/22/2011 » Xen.org, home of the open source Xen hypervisor, today announced that its annual Xen Summit North America conference will be held, August 2-3 in Santa Clara, California. This year’s event, which rotates between sponsoring companies, will be hosted by Citrix (NASDAQ: CTXS) at its Silicon Valley headquarters, and will be the first event held at the new state-of-the-art Citrix Conference Center. The annual Xen Summit attracts prominent Xen community members and thought leaders from around the world to hear updates on future plans, research and new developments for technologies based on the Xen Hypervisor, as well as discuss the current state of projects applying Xen technology to areas like cloud computing, mobility and security. A key platform for some of the world’s largest and most successful public clouds, the Xen hypervisor is the collective effort of a global development community representing more than 50 leading technology vendors, universities, and virtualization experts. This year’s agenda brings together some of the best minds in open source to discuss what’s in store for Xen and how it will continue to set the pace in cloud, mobility and virtualization infrastructure.
Agenda Highlights
Mark Templeton, president and CEO of Citrix, will kick off the event with a welcome message. Agenda highlights include some of the world’s leading experts in cloud computing, mobile devices, microprocessors, security, virtualization, deep systems software and open source:
Xen Summit 2011 Opening Keynote – Amazon Web Services
Xen.org Keynote – Ian Pratt, chairman of Xen.org and co-founder and SVP at Bromium
OpenStack and the Cloud – Ewan Mellor, Citrix
Xen on ARM – Sang-bum Suh, Samsung
Xen and Multi-core System Virtualization – Hui Lv, Intel
Xen in Linux 3 and beyond – Konrad Wilk, Oracle
Xen Memory Sharing – Jose Renato Santos, HP Labs
Sub-Millisecond Latency in Xen ARM – Chuck Yoo, Korea University
Xen Memory Sharing and Swapping – Xiaowei Yang, Huawei
Secure Display Server for Xen – Eamon Walsh, National Security Agency (NSA)
Xen Cloud Platform – Mike McClurg, Citrix
Disaggregated Xen – Patrick Colp, University of British Columbia
Improving Debugging support in Xen – Daniel Kiper, Google Summer of Code Student
In-VM Isolation – Boazeng Ding, Chinese Academy of Science
Xen RAS – Donald D Dugger, Intel
Xen in the Cloud – Marco Sinhoreli, Globo.com
Xen Storage Proxies – Caitlin Bestler, Nexenta
Linux as HVM Guest – Stefano Stabellini, Citrix
Xen Hypervisor – Keir Fraser, Xen.org
http://www.citrix.com/English/NE/news/news.asp?newsID=2313442
Inventor of SecurID token has new authentication system
Kenneth Weiss says technology designed for mobile phones, payments and the cloud
By Ellen Messmer, Network World
June 29, 2011 12:19 PM ET
http://www.networkworld.com/news/2011/062911-kenneth-weiss-securid.html
The inventor of the two-factor authentication SecurID token says the latest technology he's come up with is better because it can be used with a voiceprint biometric, plus it can be deployed for purposes of secure authentication in mobile phones, payments and cloud computing.
"This is much more appropriate for emerging cloud technology and financial payments," Kenneth Weiss, founder of Newton, Mass.-based Universal Secure Registry, says of his company's electronic wallet. The core technology hasn't been deployed in products or services yet, but Weiss says the various elements, which also entail a server component to authenticate the user's identity, are stronger than SecurID because it not only provides a one-time password but can verify identity based on the user's voice biometric for three-factor authentication.
"You enter a PIN and voice, and only then does the unique seed inside the phone produce a random number," says Weiss, who hopes to license the technology.
Part of the core technology in the Universal Secure Registry strong-authentication system relies on the SecurID token technology patents that are now in the public domain, Weiss says.
SecurID has been much in the news since RSA acknowledged earlier this year that it had suffered a stealthy attack into the RSA network in which the attacker managed to steal undisclosed sensitive information related to SecurID. That information was later used by the attackers to try and break into Lockheed Martin. Weiss says the sensitive information at stake is the seed values for the two-factor authentication system associated with SecurID customers.
"The seed is the logical equivalent to a combination to a vault," Weiss says. "Their secret seeds were compromised." Basing an attack on stealing this kind of information would not necessarily be easy because the determined attacker would be trying to emulate a SecurID token, and they'd have to steal a password as well, he said, but it could be done.
Weiss contends that his USR design is better because seed values can be updated at periodic intervals, and "it's a stronger algorithm" than the RSA SecurID, and the password-digit combination is 16 digits long rather than just eight. He believes that despite the infiltration into the RSA corporate network, SecurID remains fundamentally sound "but there are many things it cannot do."
Weiss adds he and RSA, now part of EMC, aren't on particularly congenial terms because of a dispute over certain business practices he objected to vehemently in the 1990s when he was founder of Security Dynamics, which acquired RSA Data Security. The security industry has gone through many permutations since then, and Weiss is out to prove his latest technology feat will outdo his first.
Hi wavedreamer. Watching 'Trusted Computing' transition from theory to reality makes watching the grass grow almost thrilling. Actually the metaphor that I hope is the best fit is that of plate tectonics; a little rumbling here and there, almost imperceptible movement being the norm, mostly long periods of no movement, on the surface anyway, maybe now and then a jolt that brings greater attention, but then one day the accumulated pressures become so great that a major rupture occurs and suddenly everyone is in awe of the power of the move and eagerly striving to find out what has happened, and how the landscape has changed.
Like you, I believe that the combination of isolation kernel, secure hypervisor, TPM, TXT, SED, and the vPro suite is a powerful mix. Signed OSes and applications that are released from their encrypted format on the SED only when an Authenticated Code Module, running in the TXT space, authorizes the release, and then only into a VM running on a vetted, secure hypervisor will be an earthquake-like shock to the PC world. Hopefully this will be at least a 9.0 on the Richter scale for my portfolio as well. ;))
http://www.intel.com/technology/advanced_comm/322287.pdf
24601, this patent verbiage indicates clearly that SKS was making the proper distinction when he differentiated between "machine" and "device"; "computing platform" standing in here for "machine".
-----------------------
Trusted computing platform using a trusted device assembly
United States Patent 6988250
In a computing platform, a trusted hardware device (24) is added to the motherboard (20). The trusted hardware device (24) is configured to acquire an integrity metric, for example a hash of the BIOS memory (29), of the computing platform. The trusted hardware device (24) is tamper-resistant, difficult to forge and inaccessible to other functions of the platform. The hash can be used to convince users that the operation of the platform (hardware or software) has not been subverted in some way, and is safe to interact with in local or remote applications.
In more detail, the main processing unit (21) of the computing platform is directed to address the trusted hardware device (24), in advance of the BIOS memory, after release from ‘reset’. The trusted hardware device (24) is configured to receive memory read signals from the main processing unit (21) and, in response, return instructions, in the native language of the main processing unit (21), that instruct the main processing unit to establish the hash and return the value to be stored by the trusted hardware device (24). Since the hash is calculated in advance of any other system operations, this is a relatively strong method of verifying the integrity of the system. Once the hash has been returned, the final instruction calls the BIOS program and the system boot procedure continues as normal.
Whenever a user wishes to interact with the computing platform, he first requests the integrity metric, which he compares with an authentic integrity metric that was measured by a trusted party. If the metrics are the same, the platform is verified and interactions can continue. Otherwise, interaction halts on the basis that the operation of the platform may have been subverted.
http://www.freepatentsonline.com/6988250.html
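The boot sequence the abstract describes (hash the BIOS before it executes, hand the value to the trusted device, then compare the reported metric with one a trusted party recorded from a known-good platform), modelled in Python as an added example that is not part of the patent or of the original post. It also folds later stages (MBR, hypervisor) into the same register, the transitive chain of trust discussed elsewhere in this thread; SHA-256 and the register-extend rule are assumptions, since the abstract fixes neither, and the boot images are constructed byte strings.

```python
"""Simulated measured boot: hash the BIOS before it executes, chain later
stages into the same register, then compare the metric with a reference.

Added example; the images below are constructed byte strings, not real
firmware, and SHA-256 is an assumption (the patent names no algorithm).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Stage = Tuple[str, bytes]  # (stage name, raw image bytes)
DIGEST_LEN = hashlib.sha256().digest_size


@dataclass
class TrustedDevice:
    """Tamper-resistant register: software can only extend it, never set it."""
    register: bytes = field(default_factory=lambda: b"\x00" * DIGEST_LEN)
    log: List[Tuple[str, str]] = field(default_factory=list)

    def measure(self, stage: str, image: bytes) -> bytes:
        """Hash one boot stage and chain it into the register (extend operation).

        register' = H(register || H(image)), so the final value depends on every
        stage and on the order in which they were measured; a later stage cannot
        undo or overwrite an earlier measurement.
        """
        digest = hashlib.sha256(image).digest()
        self.register = hashlib.sha256(self.register + digest).digest()
        self.log.append((stage, digest.hex()))
        return digest

    def quote(self) -> bytes:
        """The integrity metric handed to a local or remote verifier."""
        return self.register


def boot(stages: List[Stage]) -> TrustedDevice:
    """Emulate release from reset: the device measures the BIOS image first,
    before any other system operation, then each following stage in turn."""
    device = TrustedDevice()
    for name, image in stages:
        device.measure(name, image)
    return device


# Constructed images standing in for BIOS, master boot record and hypervisor.
KNOWN_GOOD: List[Stage] = [
    ("BIOS", b"BIOS build 1.0 -- constructed sample image"),
    ("MBR", b"MBR loader -- constructed sample image"),
    ("Hypervisor", b"hypervisor 1.0 -- constructed sample image"),
]


def reference_metric() -> bytes:
    """Metric a trusted party records once from a platform known to be good."""
    return boot(KNOWN_GOOD).quote()


def attest(stages: List[Stage], reference: Optional[bytes] = None) -> bool:
    """Verifier side: accept the platform only if its metric equals the reference.
    Constant-time comparison avoids leaking how many bytes matched."""
    if reference is None:
        reference = reference_metric()
    return hmac.compare_digest(boot(stages).quote(), reference)


def tampered_bios() -> List[Stage]:
    """Same platform, but one byte of the BIOS image has been altered."""
    name, image = KNOWN_GOOD[0]
    return [(name, image.replace(b"1.0", b"1.1"))] + KNOWN_GOOD[1:]


def reordered() -> List[Stage]:
    """Same images measured in a different order: the chain records sequence."""
    return [KNOWN_GOOD[1], KNOWN_GOOD[0], KNOWN_GOOD[2]]


def main() -> None:
    ref = reference_metric()
    print("reference metric:", ref.hex())
    for label, stages in (("known good", KNOWN_GOOD),
                          ("tampered BIOS", tampered_bios()),
                          ("reordered", reordered())):
        print(f"{label:14s} -> {'OK' if attest(stages, ref) else 'HALT'}")
    # The per-stage log lets a verifier see which stage changed, not just that one did.
    for stage, digest in boot(tampered_bios()).log:
        print(f"  measured {stage:10s} {digest[:16]}...")


if __name__ == "__main__":
    main()
```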
Only two days left in the month. Will Citrix ship XenClient XT on time, thus spurring the TPM management market, or will this be another delay? At $500 a pop you've gotta believe they want to get this out on time.
-------------------
Introducing XenClient XT
Extreme Desktop Isolation - XenClient XT augments the XenClient hypervisor with hardened components and a unique new network isolation architecture that allows users to run multiple securely isolated local virtual desktops in separate security domains and completely isolated networks, all on a single physical system.
Extreme Security - provides hardware-assisted security that leverages security capabilities in the Intel Core vPro platform. This includes a trusted boot capability powered by Intel Trusted Execution Technology (TXT) to ensure that XenClient XT is checked against a known good configuration on every boot, ensuring no unauthorized modifications to the system.
Extreme Performance - capable of running the most graphically and computationally demanding desktop environments without compromise, while ensuring advanced security, isolation and performance.
Multi-level Desktop Consolidation - allows customers to run a large number of securely isolated desktop computing environments on a single physical system, especially useful for public sector customers who need to work on multiple sensitive contracts and projects simultaneously with full network and desktop isolation.
This is a great example of why SEDs are better than software FDE. My apologies if previously posted.
-------------------------------
Lost NHS medical records: Laptops had unused encryption software
Ron Condon, UK Bureau Chief
16 Jun 2011
The loss of 20 unencrypted laptop computers at London Health Programmes, a medical research organisation based at the NHS North Central London health authority, could result in the biggest ever health care data breach suffered by the NHS.
According to a report in The Sun newspaper this week, the laptops went missing in May, and only three have been recovered. One missing machine, which was password-protected but not encrypted, contained details of 8.63 million people and the NHS medical records of 18 million hospital visits, operations and procedures. It has now been reported as stolen to the police.
Although patients’ names were not included, it is feared that individuals could be identified from their post codes, and other details, such as gender, age and ethnic origin.
The loss is just the latest in a long series of breaches suffered by the NHS over the last few years. Back in 2009, the Information Commissioner’s Office issued a public warning to the NHS to tighten up security, saying the number of breaches sustained by the NHS exceeded those in local and central government combined.
In the wake of the latest loss, the Department of Health issued a statement saying all NHS organisations should ensure laptops are encrypted.
So far, the ICO is watching developments, and issued the following statement: “Any allegation that sensitive personal information has been compromised is concerning and we will now make inquiries to establish the full facts of this alleged data breach."
Don Smith, European vice president of engineering and technology for Dell SecureWorks, said in a statement: “The news shows the importance of protecting data and applying basic data protection principles. Personal data is not an abstract commodity and the onus should be on organisations to create the proper culture, policies, processes and procedures for data handling and protection.”
Christian Toon, head of information risk for Iron Mountain, urged health authorities to improve their whole approach to managing both electronic and paper records. “All public authorities handle sensitive data and need to ensure that they have robust policies and processes in place for managing, storing and tracking information,” he said. “This is not just good practice. The public have a right to expect that information about them is protected.”
Perhaps the most concerning factor of the breach, however, is that the laptops could have been encrypted all along. David Tomlinson, managing director of Taunton-based Data Encryption Systems, said the NHS has a licence to run McAfee software on all its computers, including the SafeBoot disk encryption product.
"If someone wasn't encrypting their laptops, questions should be asked," he said, "because they've paid for [the encryption]."
http://searchsecurity.techtarget.co.uk/news/2240037024/Lost-NHS-medical-records-Laptops-had-unused-encryption-software
Interesting demonstration.
Intel Labs' Collaborative Efforts Speed Technological Breakthroughs, Shape Future of Computing
Posted by IntelPR on Jun 7, 2011 10:31:30 AM
...
A Glimpse into the Future of Technology, Today
Demonstrations at the Research at Intel event spanned such areas as visual computing, security and authentication to user experience and cloud computing, among others, and are the result of ongoing, collaborative efforts between Intel and its industry and academic partners. For example:
...
"Authentication of the Future" shows how identity theft can be avoided when using a trusted client with advanced authentication and user presence techniques by locally establishing your identity and confirming it with Web-based services, improving both the security and user experience.
http://newsroom.intel.com/community/intel_newsroom/blog/2011/06/07/intel-labs-collaborative-efforts-speed-technological-breakthroughs-shape-future-of-computing?cid=rss-258152-c1-267769
24601, yes. e./
Bromium "calculus of trust".
----------------------------
Xen virt-wizards jump ship from Citrix to start 'Bromium'
Agnostic hypervisors to finally deliver IT security?
By Timothy Prickett Morgan
Posted in Virtualization, 22nd June 2011 14:57 GMT
The co-founders of the open source Xen server hypervisor project at Cambridge University who commercialized it as XenSource and sold it for $500m to Citrix Systems in September 2007 have left Citrix to do their fourth startup, called Bromium.
The startup, which is still operating in stealth mode, announced its existence and the securing of $9.2m in Series A funding at the Structure 2011 conference in San Francisco on Wednesday. Andreessen Horowitz, Ignition Partners, and Lightspeed Venture Partners are all kicking in the dough.
Bromium is co-founded by Ian Pratt, who is chairman of the Xen.org hypervisor project and who just left his position as vice president of advanced products in the Virtualization and Management Division at Citrix. Pratt will be senior vice president in charge of products at Bromium, and is deferring to his two other co-founders to run the company and be the chief techie.
Simon Crosby, a colleague from Cambridge who was CTO at XenSource before it was acquired by Citrix and who was CTO of the Data Center and Cloud Division at Citrix, is co-founding Bromium with Pratt. So is Gaurav Banga, who is being tapped as president and CEO at Bromium and who was previously CTO and senior vice president of engineering at computer BIOS maker Phoenix Technologies.
Banga was responsible for the creation of the Unified Extensible Firmware Interface (UEFI) for modern system BIOSes, and also created the HyperSpace baby, "instant-on" Linux environment that Hewlett-Packard acquired from Phoenix in June 2010, and FailSafe, a system for tracking stolen computers that was sold to Absolute Software for $6.9m in April 2010.
Bromium is not revealing exactly what it is up to quite yet, but Pratt gave some hints to The Register, and as you might expect, it involves virtualization on PCs, servers, and other kinds of devices. But the focus for Bromium is not on virtualization – so don't expect an uber-hypervisor that spans all platforms or something like that – but on using virtualization as a means to better secure machines.
"The way that virtualization is being used today is in the management domain," Pratt explains to El Reg. "But it is our belief that you can do a lot more with it, and the big thing we are interested in is security. There are all sorts of malware out there and we are not doing a very good job of protecting against it.
"This is one of those problems I like because this is hard."
With the Bromium tools, which should be ready by the end of the year if all goes according to plan, Pratt says that the idea is to shift away from trusting data files and application files explicitly like antivirus and firewall tools do today for operating systems and virtual machines and to move toward a model where you assign different levels of trust to threads, applications, users, data, and other aspects of the system and then perform a "calculus of trust" as applications are running. This brings context to the security, so you can start thinking about who is doing what with what data to see if it is likely to be harmful or not, for instance. If that sounds a bit vague, Pratt's description was intentionally designed to obfuscate.
Whatever the Bromium software does, Pratt confirmed that a portion of it would run inside the hypervisor that is used to carve up and isolate OS images on PCs, servers, and soon smartphones and tablets; another piece of Bromium would run inside the OSes inside the virtual machines implemented by the hypervisor. The Bromium code is designed to be independent of operating system, hypervisor, and processor architecture, says Pratt, although he concedes that the hypervisors and operating systems that are open source will be the quickest and easiest to snap up the Bromium security.
"We're going to be hypervisor and operating system agnostic," he declares.
The Bromium board of directors includes Peter Levine, venture partner at Andreessen Horowitz, who was previously the CEO at XenSource and an executive vice president at file system maker Veritas before Symantec ate it a few years back.
Frank Artale, managing director at Ignition Ventures, is also on the board, as is George Kurtz, who is CTO at Intel's McAfee security software division. Bromium has hired a bunch of engineers from Microsoft, VMware, Oracle, McAfee, and Nvidia and is looking to hire to build out its software development labs in Cupertino, California and Cambridge, England. The company will be headquartered in Cupertino. ®
http://www.theregister.co.uk/2011/06/22/xen_founders_bromium_startup/
More on Bromium. Excerpt from 'Toward Trusted Infrastructure for the Cloud Era' By Simon Crosby · Published June 22, 2011
-------------------------------------------------
•Finally, I observed that the majority of attacks on enterprise infrastructure occur via compromised enterprise clients. I cited by way of example the recent RSA attack, and the first Chinese attack on Gmail. You can’t protect your cloud unless you protect your clients, so the same infrastructural requirements therefore apply to enterprise clients: TPM/TXT based attestation and continuous protection of the computing environment, encryption at rest for all data, and granular isolation of employees’ personal and corporate activities, such as afforded by XenClient, can help to reduce the attack surface.
Whether you cast these challenges into the context of the consumerization of IT, cloud computing, desktop virtualization, data loss prevention or a broader lack of security, the technological challenges remain the same. There is an urgent need to dramatically shift the odds in favor of the good guys, and I remain firmly of the view that virtualization can offer a new toolset that can help to deliver a more secure and trustworthy computing infrastructure. So much so, that with the goal of delivering trustworthy infrastructure for the cloud era, Ian Pratt and I have announced today that we are leaving Citrix to join Gaurav Banga (the creator of Phoenix Hyperspace) to co-found a new company, Bromium, Inc.
Bromium is not ready to disclose its technology or products. We are fusing deep virtualization and security systems DNA to build a powerful set of tools that can offer continuous endpoint protection. Bromium does not intend to compete with any virtual infrastructure or security vendor. There is much more to tell, but we have a lot of work to do first.
Bromium is proud to have as investors Andreessen Horowitz (board member: Peter Levine), Ignition Partners (board member: Frank Artale) and Lightspeed Venture Partners. We are also proud to welcome George Kurtz, Worldwide CTO and EVP at McAfee, as a board member. Ian and I will remain active in our stewardship, contribution to, and promotion of the key building blocks of open infrastructure: xen.org, OpenStack.org, OpenVSwitch.org, the Open Networking Foundation and other projects. Bromium will remain in stealth mode for some time, but we are actively recruiting gods and goddesses of deep systems software and security to join our teams in Cupertino, CA and Cambridge, UK.
http://blogs.citrix.com/2011/06/22/toward-trusted-infrastructure-for-the-cloud-era/
We should follow the development of this company, Bromium. IMO it will be another catalyst for TPM usage.
--------------------------
Virtualization Pioneers Crosby, Pratt Tackle Cloud Security
Simon Crosby and Ian Pratt resigned from Citrix to found Bromium, a startup that will attack the problem of guaranteeing the security of executing code to protect "the cloud in your pocket."
By Charles Babcock InformationWeek
June 22, 2011 06:13 PM
Simon Crosby, CTO of the data center and cloud division, and Ian Pratt, VP of advanced products, have resigned from Citrix Systems to found a security company, Bromium, that will seek to protect "the cloud in your pocket."
The proliferation of mobile end user devices will be the principal way that individuals do their computing in the future, thanks to their links to powerful servers on the Internet, said Crosby in a talk at the Structure 2011 show in San Francisco on Wednesday. He termed mobile smart devices "the cloud in your pocket."
At the same time the explosion of personal devices is leading to increasing strain on security measures. "The recent breaches at RSA and Gmail came in through the client (carried inside company walls by unsuspecting employees)," said Crosby after his talk. "No one broke in through the perimeter. It was someone bringing in an exploit in a Flash presentation (RSA) or a user with an unprotected browser. If you can't protect the client, you can't protect the cloud," Crosby said.
Bromium will draw on Pratt and Crosby's experience in building the Xen open source hypervisor and use the hypervisor as a control point for monitoring and maintaining secure application execution. Crosby was not prepared to divulge how the company plans to pull off the feat, but Pratt had been working closely with the U.S. Air Force and Defense Intelligence Agency to build more secure clients that could accompany U.S. forces as they undertake missions behind enemy lines.
Today's user desktops, whether on a laptop, tablet, or smartphone, are providing more and more avenues of access to the corporate network once they've been carried inside the employee's workplace and are behind the firewall. Crosby and Pratt propose to use new virtualization technology to address this issue.
"We have the technology that gives you an elegant and assured solution to that problem," said Crosby, sitting down for an interview during a break at the show.
"What you want is continuous, fine grained monitoring of executing code," Crosby said. Previous attempts to put firewalls on the hypervisor, which protect it from invasive code, and to check the validity of the application as it arrives and inspect it for malware, would have been inadequate to protect against the recent RSA and Gmail breaches, he said. They were launched by internal users who had malware planted on their machines that they inadvertently activated while at work.
Crosby said the Bromium form of security will work closely with Intel chip security features and be embedded in the BIOS of a PC or laptop device. Users will not need to know that it's there or that they are working in a virtual machine. Users of Citrix Systems client software need to decide what environment they wish to work in and toggle between virtual machines to go from personal use to a more secure workplace.
The security of the client is becoming a more pressing issue as workers carry more than one of them in and out of their workplaces, and mix personal online activities and workplace activities on the same devices.
Bromium is being co-founded by Crosby and Pratt with Gaurav Banga, a former CTO and VP of engineering at Phoenix Technologies. It has three employees as of Wednesday; it will have 11 by the end of the month, Crosby said. It will have offices in Cupertino, Calif., and Cambridge, U.K. Its first product will be delivered in about six months, Crosby said.
Pratt, as VP of advanced products, was working with the U.S. Air Force Research Lab to create a secure virtual client that can disappear from a mobile machine, leaving no trace of the data it was working with. Pratt spoke about the effort at the Citrix user group meeting, Synergy 2011, in San Francisco in May.
Pratt is the Cambridge University researcher who correctly emulated in software the Intel x86 instruction set and built the Xen hypervisor as a result. He was preceded in the feat, once thought impossible, by Wendell Rosenbloom, founder of VMware. When Citrix Systems sought to compete with VMware, it acquired XenSource, the company behind the Xen code.
http://www.informationweek.com/news/231000236
Hi wavedreamer, thanks for that find. It confirms my expectation re Hyper-V and upcoming Windows. We will have to wait and see, but I expect/hope to see support for the entire V-Pro suite of technologies, including TXT, although initially only in the high-end versions (Professional, Enterprise, Ultimate), of Windows 8.
Hi New Wave,
So the military wants FDE for their smartphones and the 'NSA wants bulletproof smartphone, tablet security', and they want to have them leverage the cloud.
I know that Citrix and VMWare have been developing virtualization for smartphones.
I think if one were to exchange 'PC' with 'smartphone' or 'tablet' that wavedreamer has laid out the basic scenario for all these devices going forward.
"Have the PC boot from a SED using the SED as the core root of trust and do a measured launch of the BIOS/Masterboot record/Hypervisor/What ever multiple OS's you want in the Virtual machines, all using a TPM in the transitive chain of trust. Plus you have kick ass data at rest encryption."
I wonder if Wave's Trusted Drive patent could be of some value here. The 90 days is almost up.
"In order to meet the encryption objective, DARPA said it is looking for industry and universities to submit a whitepaper with ideas/concepts that describe an innovative existing technology approach that can be deployed in less than 90 days."
--------------------
Military wants full disk encryption for iPhone, Android smartphones
DARPA seeking full disk encryption tech for Apple, Google smartphones
By Layer 8 on Tue, 04/12/11 - 12:21pm.
The US military wants to take no security chances with the smartphones it is deploying. That's why the engineers at the Defense Advanced Research Projects Agency (DARPA) today said they are "looking to discover new technologies and methods to support full disk and system encryption of the commercial mobile devices -- specifically Apple and Android platforms - to include a pre-boot environment to load the operating system."
More on security: 20 hot IT security issues
DARPA said the systems it deploys must use an Advanced Encryption Standard (AES)-256 bit encryption algorithm compliant with Federal Information Processing Standard (FIPS) 140-2, a government security standard. In order to meet the encryption objective, DARPA said it is looking for industry and universities to submit a whitepaper with ideas/concepts that describe an innovative existing technology approach that can be deployed in less than 90 days.
Securing smartphones has been an ongoing project for the military. In January the US Air Force said it was looking to decide whether or not to use commercial off-the-shelf (COTS) smart phones, such as Android-based devices or iPhones, and how it can securely process classified voice and data using them.
The Air Force has issued a request for information, not a formal contract solicitation as it is trying to come up with the best plan. Securing smartphones for military use is an absolute necessity if the devices are to find wide applications for field use. The Army has made smartphone development a priority as well.
The military is very interested in getting smartphones out in the field. Last year the Pentagon awarded $6.4 million to the Corporation for National Research Initiatives to build a smartphone app store.
In DARPA's words: "A military apps marketplace will be created to enable rapid innovation to meet user needs based on a direct collaboration between a vibrant and highly competitive development community and involved communities of end-users. The program will address all the challenges - technical, business, and operational - faced to make the new capabilities available for use in the field. The end objective is to transition the resulting systems to the end users in the Services, and to foster a new model for rapidly and effectively acquiring, introducing, maintaining, and enhancing software."
DARPA said the program will lean heavily on existing commercial handhelds for the initial development efforts. Initially, at least two distinct repositories are envisioned: one holding beta apps that are queued for initial app evaluations, and a separate repository holding apps that have been vetted, certified and approved for use.
http://www.networkworld.com/community/blog/military-wants-full-disk-encryption-iphone-an
NSA wants bulletproof smartphone, tablet security
NSA says commercial smartphones and tablets are OK but need to be based on agency's security design
By Ellen Messmer, Network World
June 20, 2011 11:59 AM ET
NATIONAL HARBOR, Md. -- The National Security Agency, America's high-tech spy agency which also plays a key role in approving hardware and software for use by the Department of Defense, wants to be able to outfit military personnel with commercial smartphones and tablets -- but based on a NSA security design.
The forces in the Department of Defense, including the U.S. Army and Air Force, today are piloting several different commercially available smartphones and tablets which the NSA is working to harden and secure, said Debora Plunkett, director of the NSA's information assurance directorate, speaking at the Gartner Security and Risk Management Summit 2011 here today. "It's not our intention to rely on any one platform," she said. The goal is to have perhaps four main devices, plus a couple of infrastructure support services, and let U.S. forces pick the one they like best, she said.
Finding a way to bring commercially available smartphones and tablets into the classified security environment is "our No. 1 challenge today," Plunkett said.
Right now, commercial smartphones and tablets are seen as carrying considerable risks from a national-security perspective, but the NSA is working to figure out how to add its own security to compensate for the risks.
"We are not saying there are no vulnerabilities in COTS [commercial off-the-shelf] products," Plunkett said. "The intention is to be able to layer the commercial products and alleviate and obviate the vulnerabilities."
For the NSA, it's all adding up to an evolving concept of "'good enough' security," Plunkett said, based on the idea that there are situations where information is highly "perishable" and retained only in minutes as compared with days or years, and that it's worthwhile taking the risk to use COTS products that themselves may be regarded as more perishable as well.
Certainly, though, for many of the more traditional NSA strategists who advocated the agency build network equipment and security products itself as was the practice in the past, "it's almost blasphemy," she added. Going to commercial products takes "a lot of control out of your hands."
NSA firmed up its mobility strategy last August, Plunkett said, and there are now several pilot tests in the armed forces of many of the leading smartphones and tablets. The goal is to find ones that can be approved, with specialized NSA security controls, for analysis and network use all around the world.
In its future secure mobile capability, now referred to as the "Mobile Virtual Network Operator," the NSA wants to be able to establish a way that sensitive content can be provided to the military and intelligence in a way that roughly emulates what Amazon does with Kindle, Plunkett said.
The NSA plans to have specific types of integrity checks, among other security measures, for authorized mobile users in the future. In addition, the fundamental idea of relying on the cloud for storage is part of the current strategy. "We use the cloud for storage," she said, with the idea that content is sparingly held on a device, so if it's lost, you simply "move on" to another device.
But the NSA still regards the current smartphone and tablet market as not terribly advanced in terms of security. Not surprisingly, the NSA is coming up with its own ways to manage applications and provision them securely.
The market reality is that smartphones and tablets are coming onto the market at a frenetic pace, much faster than the NSA typically takes to test and approve products, which used to be slightly more than a two-year cycle and has now been cut to a third of that for some types of security classifications, she said. So the NSA is struggling with the terrific pace of new entries of smartphones and tablets. (Also see: "NSA product accreditations lag behind IT security advances")
One risk is that many of the smartphones and tablets are from manufacturing sites in countries outside the U.S., and that is seen as raising risk due to interests from some countries to try to spy on or otherwise diminish national security of the U.S.
"Vulnerabilities could be in products unintentionally or intentionally," Plunkett said, alluding to the risk of supply-chain safety or lack of it. "It's a global economy, and we rely more on products and components that come from around the world."
http://www.networkworld.com/news/2011/062011-nsa-smartphone-security.html
I think the term 'chutzpah' fits here.
After claiming responsibility for the CIA website outage, LulzSec continued to taunt those it had wreaked havoc on with this tweet: "Lulz Security, where the entertainment is always at your expense, whether you realize it or not. Wrecking your infrastructures since 2011."
http://technolog.msnbc.msn.com/_news/2011/06/15/6868568-hacking-group-lulzsec-says-it-takes-out-cia-website
Sometime in the next three weeks, if Citrix and its partners stay on schedule, the very first COTS ultra-secure PCs utilizing Intel's TXT, VT-x and VT-d technologies, securing the XenClient XT hypervisor, will come to market. This of course is going to take some time to ramp, but it is a real game-changer and it will prove to be a meaningful new revenue stream for Wave. This is an enterprise offering and enterprises will manage their TPMs, which of course as we all know by now underpin TXT. Watch especially for new Dell machines with this package preinstalled, but they won't be the only vendor. Congratulations to Steven and the entire management team for positioning the company to profit from this exciting new paradigm shift in VDI.
-------------
http://webcache.googleusercontent.com/search?q=cache:4J3XTblUQhQJ:www.citrix.com/English/NE/news/news.asp%3FnewsID%3D2311981+xenclient+xt+citrix+partners&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com
-------------
XenClient XT is a flexible, secure and adaptable multi-level secure local virtual desktop solution. It provides security rooted deep in the hardware through integration with Intel® vPro™ technology. One of the features of Intel vPro is Intel® Trusted Execution Technology (Intel® TXT), which ensures that XenClient XT is checked against a known good configuration on every boot and unauthorized modifications have not been made to the system. Additionally, system secrets, like VPN security keys, are encrypted and safely stored within the trusted platform module. XenClient XT also utilizes Intel® Advanced Encryption Standard-New Instructions (Intel AES-NI), which speeds up data protection by accelerating encryption operations by as much as four times.
XenClient XT is customized for organizations demanding the highest levels of security like the public sector. As the public sector continues to strive for a cost-effective PC environment, federal agencies like the U.S. Defense Intelligence Agency are planning to deploy XenClient and Intel TXT on vPro. Since security is a top-of-mind issue, XenClient XT and Intel provide an intelligent desktop virtualization solution that utilizes the strength of hardware-based security.
http://webcache.googleusercontent.com/search?q=cache:0CIzKmFVUe0J:communities.intel.com/community/openportit/vproexpert/emergingcomputing/blog/2011/05/25/intel-powers-smart-security-on-xenclient-xt-xenclient-2+xenclientxt&cd=6&hl=en&ct=clnk&gl=us&source=www.google.com
U.S. Marines Say Yes Sir to Tablets
The military branch intends to buy more than 400,000 PCs and 15,000 tablet devices during the next five years.
By Elizabeth Montalbano InformationWeek
June 09, 2011 01:40 PM
The U.S. Marine Corps is preparing to spend $880 million on a major hardware buy for hundreds of thousands of PCs over the next five years, a planned purchase that also includes the acquisition of 15,000 tablet devices.
The military arm plans to buy more than 400,000 laptop and desktop computers from multiple vendors, mainly through indefinite delivery-indefinite quantity contracts with a one-year base and four one-year options, according to a request for proposal (RFP) posted on FedBizOpps.gov. The guaranteed minimum amount each firm awarded a contract will receive is $3,000, according to the RFP.
Specifically, the Marines aim to buy 131,965 general-purpose laptops and 141,838 general-purpose workstations, as well as 16,256 high-performance workstations. The RFP also allows for the purchase of 15,860 netbooks, 15,860 lightweight laptops, and other hardware, including thousands of servers.
The new hardware will provide "standardized computing equipment and worldwide integrated logistics support" for both the Marine Corps and the Department of Navy, according to the RFP. The military arm also is seeking lifecycle logistical support and specific cybersecurity and configuration requirements for the products.
Of the tablets the Marines seek to buy, 7,220 are commercial devices, while the other 7,880 are ruggedized tablets, which are typically more expensive because they are built to withstand harsh weather conditions and significant wear and tear.
The Marines seem to be embracing a trend in the federal government to explore the use of tablet devices and their effect on personnel productivity.
The military in particular seems keen to use mobile devices and tablets as part of their technology arsenal. The Army currently has several programs exploring the effect of giving soldiers--both in the battlefield and the classroom--a range of mobile and tablet devices on their performance.
http://www.informationweek.com/news/government/enterprise-architecture/230500149
The country's CEOs have apparently been concentrating so closely on their bottom lines and their compensation packages that they are just now developing an 'awareness' of security problems. I assume that if they were concentrating on their entire businesses they would have perceived the issue a tad bit earlier. Apparently no time for keeping up with the headlines for these hard-working execs.
Attacks Up, Security Budgets Down
No wonder our sales have been lackluster. Government is going to have to eventually force the issue IMO. The good news is that executives are 'gaining awareness' of security risks? They can't be serious!
Attacks Up, Security Budgets Down
Half of security professionals see their budgets getting squeezed, even as attack volume increases, according to reports from nCircle and McAfee.
By Mathew J. Schwartz InformationWeek
June 02, 2011 11:55 AM
http://www.informationweek.com/news/security/management/229900035
Information security budgets are continuing to be squeezed by the economic downturn, with half of businesses reporting that their security spending has decreased in the past year. In comparison, only 37% of security professionals reported similar budget decreases in 2010.
That finding comes from a new study released by vulnerability and IT compliance management vendor nCircle, and is based on a survey of more than 550 information security professionals it conducted in March.
Beyond security spending cuts, 18% of businesses, up from 12% in 2010, report that they've also cut IT compliance-related spending. But these budget decreases can cause problems. For starters, 30% of security professionals said that their companies aren't adequately enforcing security policies, and 44% don't think they're effectively measuring security risk or regulatory compliance effectiveness.
"On a positive note, this is the second consecutive year security teams believe executives are more aware of security risks," said Elizabeth Ireland, VP of marketing for nCircle, in a statement.
Unfortunately, the survey found, management awareness may come at the expense of a proactive information security profile. Indeed, security professionals' top job concern is "providing management reports on network security effectiveness and risk," followed by having meaningful metrics, enforcing security policy compliance, and maintaining a consistent approach. Reducing network and information security risk, meanwhile, ranked last on their list of priorities.
What are the top challenges facing security programs today? Security professionals listed their number-one concern as meeting security compliance requirements (for 26%), followed by cloud computing (16%), advanced persistent threats (16%), Web application vulnerabilities (14%), and smartphones (13%). Interestingly, compliance, cloud computing, and Web application vulnerability concerns decreased slightly from 2010. Meanwhile, worries grew over advanced persistent threats, VoIP vulnerabilities, and especially smartphone security.
Reflecting the challenge of securing enterprise IT systems today, 95% of respondents also expect the number of data breaches their company experiences to increase this year.
According to a new report from Intel-owned McAfee, security professionals' concerns are justified, as the volume of many types of attacks continues to increase. "Malware has just posted its busiest quarter in history. Fake anti-virus software seems to be on the rise again and password-stealing Trojans are demonstrating a consistent level of activity," according to the study, which reviewed the most malicious threats seen in the first three months of 2011.
"It's been a busy start to 2011 for cybercriminals," said Vincent Weafer, senior VP of McAfee Labs, in a statement. "We're seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact."
Thankfully, however, security professionals aren't having to deal with so much spam or malware. "Globally we have seen a significant reduction in spam as well as a corresponding shift in botnets due to the Rustock botnet's being taken mostly offline," according to the McAfee report. Indeed, spam volumes are now half what they were just one year ago. While spam still accounts for 1.5 trillion messages per day, it now only outnumbers legitimate email by a three-to-one ratio.
Hi wavedreamer. Gee, if I wasn't bothered by things that are fuzzy relating to virtualization I wouldn't be bothered by much at all ;)
As to your last post, all I can offer is that VDI is currently in the market sans TPM. Authentication to the server can be accomplished in any of the normal ways from user name/password to tokens and smartcards. Once a VPN session is established the VD session is delivered. No integrity checks of the client; code integrity would be maintained at the server. Obviously this could be greatly improved upon by utilizing a TPM to securely boot the client hypervisor and to generate the VPN session keys, IMO anyway.
I will look forward to seeing what V3 Security comes out with.
Hi alea. There are probably posters here that can give a better explanation, but I'll lay out how I understand it.
Virtualization comes in different varieties and can be used in different ways. The common denominator is that software running on a virtual machine isn't interacting directly with the hardware platform, but rather with virtualized hardware, i.e. other software. Where the environment supports more than one virtual machine there needs to be a VMM, a virtual machine monitor, AKA a hypervisor. It is the VMM's job, along with an incorporated separation kernel, to allocate the resources of the hardware to the needs of the virtual machines and keep the virtual machines sand-boxed. Hardware extensions like Intel's VT-d can fortify this by masking where data is being stored on the drive. Not all hardware can necessarily be virtualized without its firmware being reworked. Graphics cards are a case in point.
Virtual machines may run full operating systems like Windows or scaled-down OSs that are designed to support a single application, like an anti-virus program. Don't shed any tears for Microsoft because there are licensing requirements for each instantiation of Windows running. Fortunately they are working with Citrix. Some years back (2007) Redhat announced that they were going to develop a virtual appliance OS to run on vPro and utilize VT-d. It turned out that they were going to build it on Windows ME and Microsoft wouldn't give them a license to do it, and we never heard anything more about it. MS is actively managing the transition to the virtualized PC world IMO.
http://investorshub.advfn.com/boards/read_msg.aspx?message_id=29426442&txt2find=redhat|intel
Microsoft also has a server-level hypervisor called Hyper-V that is more than likely IMO to show up in the next version of Windows. One author says it's there now but not activated.
http://www.brianmadden.com/blogs/brianmadden/archive/2011/03/31/benny-tritsch-wonders-if-hyper-v-is-microsoft-s-bare-metal-client-hypervisor.aspx
Hypervisors have generally been referred to as either Type I, or a bare metal hypervisor, or Type II, which is contained within another OS. The real issue is at what privilege level the hypervisor is running on the CPU. A bare metal hypervisor runs at Ring 0 whereas a Type II is less privileged and runs at Ring 3. Now just as we are all coming to understand this, the industry is muddying the waters with KVM, a Linux hypervisor that is contained in another OS but is privileged to ring 0. (Sorry wavedreamer.)
http://code.ncultra.org/wp-content/uploads/2011/04/kvm-not-what-you-heard1.pdf
As far as the article goes, I have no doubt that the Seals had a HAP system, probably from GD. The new systems with XenClient XT will start showing up this month and I expect Dell to be first to announce an offering. Michael Dell was a keynote speaker at Citrix Synergy in 2010 and Dell recently announced a Virtual Desktop Solutions initiative.
Regarding identity/authentication, recall that TPMs are designed to have owners and users. In the case of the Seals, the government, at some level (Special Ops, Navy, DOD?) has ownership of those TPMs. The individual sailors were authorized users. All of the measures to take ownership, grant user privileges, and register as users can be done with Wave's ETS. This will be the same for XenClient XT systems that are owned by enterprises for employee use. It is not totally clear to me how this is going to work where employees are in BYOC environments. I guess that it could work in reverse where the employee is the owner and s/he grants user privileges to the employer. I don't think this will be an issue for a while because I expect the initial machines won't be sold to the consumer. It will be interesting to see what transpires with the Google Chrome systems. Will Google 'own' the TPMs? Apple 'owns' the TPMs but hasn't so far allowed the consumers to be users. In any event, owners cannot access users' secrets (keys), and vice versa.
Identity within a known relationship is of course different from creating and using trusted anonymous identities which will be necessary for the TPM technology to thrive in the consumer world, a la NSTIC.
wavedreamer, while I am excited to see the release of XenClient XT, that excitement is tempered by the fact that Citrix differentiated the product. In a vanilla XenClient the integrity of the hypervisor is apparently taken for granted; not what I was hoping to see. Whether the user would still feel the need for encryption for data at rest will depend on the user's individual situation. As I see it, in a pure VDI model there isn't any need for disk encryption because all data can be stored on the server. Using XenClient means that data needs to be stored locally until the next networked session with the server, so data is at risk if the system becomes compromised. If one cares enough about security to ensure the integrity of the hypervisor, i.e. XenClient XT, then it follows that FDE would be utilized as well, IMO. If that FDE is a SED, then in that case it seems natural that the owner would use the TPM in conjunction with it and go with a single management tool for both TPM and SED. So I agree with the way you see this working out.
"We've failed to innovate in the area of information security,"
Bull....!
-------------------------
US arms makers said to be bleeding secrets to cyber foes
Over 100 foreign intelligence groups have tried to break into US networks
By Jim Wolf
Reuters
WASHINGTON — Top Pentagon contractors have been bleeding secrets for years as a result of penetrations of their computer networks, current and former national security officials say.
The Defense Department, which runs its own worldwide eavesdropping, spying and code-cracking systems, says more than 100 foreign intelligence organizations have been trying to break into U.S. networks.
Some of the perpetrators "already have the capacity to disrupt" U.S. information infrastructure, Deputy Defense Secretary William Lynn, who is leading remedial efforts, wrote last fall in the journal Foreign Affairs.
Joel Brenner, the National Counterintelligence executive from 2006 to 2009, said most if not all of the big defense contractors' networks had been pierced.
"This has been happening since the late '90s," he told Reuters Tuesday. He identified the main threats as coming from Russia, China and Iran.
"They're after our weapons systems and R&D," or research and development, said Brenner, now with the law firm of Cooley LLP in Washington.
Lockheed Martin Corp, the Pentagon's No. 1 supplier by sales, said on Saturday that it had thwarted "a significant and tenacious" attack on its information systems network that it detected May 21. Ten days later, the company says it's still working to restore full employee access to the network while maintaining the highest level of security.
Lockheed, which is also the government's top information technology provider, said it had become "a frequent target of adversaries from around the world." A spokeswoman said it used the term "adversaries" only in a general sense.
Lockheed builds F-16, F-22 and F-35 fighter jets as well as the Aegis naval combat system, THAAD missile defense and other big-ticket weapons systems sold to U.S. allies. It has not disclosed which of its business units was targeted.
Cyber intruders were reported in 2009 to have broken into computers holding data on Lockheed's projected $380 billion-plus F-35 fighter program, the Pentagon's costliest arms purchase.
Other big Pentagon contractors include Boeing Co, Northrop Grumman Corp, General Dynamics Corp, BAE Systems Plc and Raytheon Co. Each of these declined to comment on whether it believed its networks had been penetrated.
James Miller, the principal deputy undersecretary of defense for policy, said last May that the United States was losing terabytes of data in cyber attacks, enough to fill "multiple Libraries of Congress." The world's largest library, its archive totaled about 235 terabytes of data as of April, the Library of Congress says on its web site.
"The scale of compromise, including the loss of sensitive and unclassified data, is staggering," Miller told a Washington forum.
U.S. Senator Sheldon Whitehouse, who led a Senate Intelligence Committee cyber task force last year, said in March that cybercrime has put the United States "on the losing end of what could be the largest illicit transfer of wealth in world history."
Retired Air Force General Michael Hayden, a former director of central intelligence and ex-head of the Pentagon's National Security Agency, said no network was safe if it had Internet access.
"You can isolate a network, a classified network," he told Reuters in an interview last year. "Maybe you can get a certain level of confidence that you are not penetrated. But if you are out there connected to the world wide web you are vulnerable all the time."
Anup Ghosh, a former senior scientist at the Pentagon's Defense Advanced Research Projects Agency, or DARPA, said there had been a string of intrusions into networks of U.S. defense contractors, security companies and U.S. government labs, including the U.S. Energy Department's Oak Ridge National Laboratory, since the start of this year.
The advantage is with the intruders, said Ghosh, who worked on securing military networks for DARPA from 2002 to 2006 and now heads Invincea, a software security company.
"We've failed to innovate in the area of information security," he said in an email Tuesday. "We're fighting today's battles with the equivalent of cold-war era defenses."
http://www.msnbc.msn.com/id/43230826
This is a must read article. It looks to me like Wave's Embassy got to ride along with Seal Team 6 when they nailed bin Laden. That alone makes me happy enough, but the likelihood of selling into the entire DOD is icing on the cake.
--------------------------------
Military Finds Security In Virtualized Desktops
The Defense Intelligence Agency and Air Force are working on a secure, mobile end user client, and they believe virtualization is the key to achieving it.
By Charles Babcock InformationWeek
May 31, 2011 06:52 PM
Like IT managers elsewhere, the U.S. Department of Defense would like to supply its forces with mobile computing, but doing so risks the possibility that data being carried on a device will fall into the wrong hands.
"The challenges we face are the same ones you face in the corporate world," says Michael Metrovich, senior technology officer for the Defense Intelligence Agency, although he was referring to risks over and above the possibility that a laptop will disappear at airport security. Nevertheless, if virtual desktops are the DOD's answer to end user computing security, IT managers should pay attention to how they do it.
Last week at Citrix Systems' annual user group meeting, Synergy, two different spokesmen involved in creating a secure mobile DOD client said a new form of virtual desktop was available and part of their approach to equipping their forces with more computing power. Indeed, they elevated the discussion of virtual desktops away from how can we engineer them for easier, less costly operations to how secure can we make the desktop and how far afield can we let it roam? It was explicit that not only was the virtual desktop locked down but that it could be readily adapted to run on different mobile devices.
As IT faces the overwhelming problem of supporting employees who have brought their preferred consumer device to work and plan to take it with them on their next business trip and European vacation, the DOD effort clearly offers some lessons learned about launching, managing and controlling virtual desktops.
More work has been accomplished on this front than I realized, until I heard Metrovich talk about his own desktop. Metrovich is responsible for secure communications between his agency and commanders of the war in Iraq, the war in Afghanistan, NATO headquarters in Europe, NATO operations in Libya--you get the idea. Because of that, he once had 16 physical PCs, each tied by its own cabling to the wiring closet with switches for secure networks, as his personal, composite desktop.
Today he has one physical machine and 16 virtual desktops, each tied by a virtual network through one cable to a switch in the wiring closet. The virtual desktops he needs have different characteristics and the networks he uses require different degrees of security, but that's not a problem because in both instances, the desktop and its network are running in their own virtual machines.
The transformation that's taken place on his desktop is now taking place throughout the agency as it implements end user virtualization using new security controls. So far 400 desktops have been virtualized. There's still a long way to go with his agency's 50,000 users in 200 countries, but Metrovich said Thursday at Synergy, "There have been no major security issues to report so far."
That reflects growing confidence to provide secure client hypervisor operation, even when the hypervisor may have entered enemy territory. Citrix Systems and other virtualization vendors are making use of new capabilities built into the latest generation of Intel vPro chips and motherboards that check the 70,000-line hypervisor as its components are assembled from the client's disk.
When the user calls for his hypervisor to be activated, a client using Intel's Trusted Execution Technology can measure the hypervisor components as they are booted and check those measurements against its knowledge of their exact specifications, which has been stored on the motherboard. If the hypervisor has been intruded upon, tampered with, or experienced some unanticipated update, the boot is interrupted and a fresh version downloaded from a trusted server.
"We believe XenClient has the potential to be very secure," Metrovich says. He's created his agency's virtualized desktops with XenClient XT, the lightweight hypervisor Citrix designed to run on client machines and announced May 25. VMware is a user of Intel's TXT self-checking capability as well with its ESXi hypervisor, the one that's built into and ships with servers that will serve as hosts for multiple virtual machines.
Metrovich says he recently had to supply a secure network to "a small community" that planned and executed the mission to invade Osama bin Laden's compound in Pakistan. Secrecy was an absolute priority and was maintained, he says.
In the past, U.S. agents or military teams could not take sophisticated computing devices across potentially hostile borders; "the threat of losing the device was too great." But he suggested that ample client computing power had accompanied the Navy SEALs' incursion into Pakistan in their pursuit of Osama bin Laden. "With virtual desktops, all the data remains on a central server, with a remote user able to access and work with it, regardless of where he might be," he says.
"The key is nothing permanently resides on the computing device," says Metrovich, which opens up new possibilities for missions behind enemy lines. U.S. intelligence agencies and the military are extremely interested in what missions secure virtual desktop might enable, he says.
A Model For DOD?
Granted, the virtual desktop distributes no data to the locale of the end user. In what other ways is the virtual desktop more secure today than it was before? A view into what's being done was offered by Ian Pratt and Air Force researcher Ryan Durante in a Synergy session May 26. Pratt is the Cambridge University professor who deciphered the x86 instruction set for the Xen open source hypervisor. He did so after Mendel Rosenblum had accomplished that feat in the U.S., so he sometimes gets less recognition than the founder of VMware, but I doubt if the small amount of time separating their respective efforts made the job any easier.
The Air Force is part of the DOD effort to come up with a secure desktop and Durante, chief of the cross-domain solutions and innovation section of the Air Force Research Laboratory, says it is seeking to virtualize its desktops in a manner similar to that of the Defense Intelligence Agency. Pratt has been the lead liaison with the Air Force Research Laboratory work in that effort and the pair hosted the session on XenClient security. If the Air Force's version of a virtualized end user desktop is convincingly secure, it will be used as a model for adoption throughout the Department of Defense, Durante says.
Pratt joined Citrix as VP of advanced products when it purchased XenSource, the company behind the Xen hypervisor. He's using, as might be expected, XenClient XT, the version also announced May 25 that makes use of Intel's trusted boot process for the hypervisor. If someone has modified the virtual machine, the Intel TXT checking will detect it and kill off the boot. The process makes it difficult for an intruder to get any spyware or system alterations planted on a virtual machine. It's available with motherboards built with Xeon 5600 chips.
XenClient is a Type 1 hypervisor that enforces strict isolation on each virtual machine, so different types of virtual machines may run on one client without risking exposure to each other. Likewise, different networks are each booted in their own VMs and run alongside each other without intruding on or compromising each other's traffic, even if one has a much lower security rating than the other, Pratt said in an interview at the end of the May 26 session.
If a virtual machine were in some way compromised on a user device, the fact that the network is in its own virtual machine prevents the malady from spreading to other VMs, Pratt says. Pratt also says XenClient relies on Pascal and other research languages more than the C family, often used in the world of PC exploits. "Another key technical barrier is the narrow interfaces between XenClient components," he says. A strictly defined interface between, say, the hypervisor and client network controller offers a smaller attack surface. The interface can also be inspected quickly for integrity.
Citrix is clearly using these security features as credentials for secure operations in the larger corporate market. It is expanding the usefulness of XenClient by giving it a companion piece of client software that adapts to different devices, allowing the same XenClient virtual machine to run on each. That added piece is Citrix Receiver.
Think of Citrix Receiver as the software that does for XenClient what the Java Virtual Machine did for Java. To meet Sun's boast of having a write once, run anywhere language, it needed to create a virtual machine environment that could be written for individual hardware devices. The JVM differed from machine to machine, but the Java compiled code could run in any JVM. Likewise, a version of Citrix Receiver can be created for different PCs, tablets, and smartphones but run the same virtualized desktop in each. So far, Receiver runs on 1,000 different PC models, 149 smartphones, 37 tablets, and 10 different thin clients. There's a Receiver for Apple iOS, Google Android, HP's webOS and Google ChromeOS. So far, the Apple iPad, HP TouchPad, Blackberry Playbook and Google Chromebook are covered, along with many laptops and PCs.
Many problems of end user virtualization remain to be worked out. But if virtual desktops provide secure computing for wide ranging Defense Intelligence Agency staffers, they may be the answer for highly mobile enterprise workers as well. Desktop virtualization in a new secure form is about to emerge, and it may help not only the DIA but those IT managers perpetually under siege as well.
Charles Babcock is an editor-at-large for InformationWeek.
http://www.informationweek.com/news/software/app_optimization/229700224
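The article above describes how Intel TXT measures the hypervisor's components as they boot and compares those measurements with a known-good configuration, halting the boot on a mismatch. The following Python simulation is an added example, not Citrix or Intel code; it models the TPM PCR extend rule (SHA-1 hash chaining, as in TPM 1.2) and a simplified launch policy, and all component names and contents are constructed for illustration.

```python
"""Simulation of a TXT-style measured launch: components are hashed in boot order
into a TPM PCR, and the result is compared with an enrolled known-good value.
Constructed example; the real TXT flow (SINIT ACM, launch control policy) is
more involved, but the extend-and-compare principle is the same.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Component = Tuple[str, bytes]          # (name, bytes as loaded from the client disk)
PCR_RESET = bytes(20)                  # TPM 1.2 PCRs are 20 zero bytes after reset


def measure(blob: bytes) -> bytes:
    """The 'measurement' of a component is simply a hash of its bytes."""
    return hashlib.sha1(blob).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: the register can only be hash-chained forward, never written.
    This is why a component loaded later cannot erase an earlier bad measurement."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_launch(components: List[Component]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Measure each component in boot order; return final PCR and an event log."""
    pcr = PCR_RESET
    event_log: List[Tuple[str, bytes]] = []
    for name, blob in components:
        m = measure(blob)
        pcr = pcr_extend(pcr, m)
        event_log.append((name, m))
    return pcr, event_log


def enroll(components: List[Component]) -> Dict[str, object]:
    """Record the known-good final PCR plus per-component measurements.
    In the article's terms this is the 'exact specification' stored on the platform."""
    pcr, log = measured_launch(components)
    return {"pcr": pcr, "log": log}


def verify_launch(components: List[Component], policy: Dict[str, object]) -> Tuple[bool, Optional[str]]:
    """Return (ok, first_offending_component). ok == False means halt the boot.
    The final PCR alone says pass/fail; the event log says which component differs."""
    pcr, log = measured_launch(components)
    if pcr == policy["pcr"]:
        return True, None
    golden: List[Tuple[str, bytes]] = policy["log"]  # type: ignore[assignment]
    for i, (name, m) in enumerate(log):
        if i >= len(golden):
            return False, name                       # extra component not in policy
        golden_name, golden_m = golden[i]
        if name != golden_name or m != golden_m:
            return False, name                       # modified, swapped or reordered
    return False, golden[len(log)][0]                # a required component is missing


# Constructed boot chain for a XenClient-XT-like platform (names are illustrative).
KNOWN_GOOD: List[Component] = [
    ("sinit_acm", b"constructed: Intel-signed authenticated code module"),
    ("tboot", b"constructed: TXT launcher"),
    ("xen_hypervisor", b"constructed: Xen hypervisor image"),
    ("dom0_kernel", b"constructed: control domain kernel"),
]
POLICY = enroll(KNOWN_GOOD)


def tampered_hypervisor() -> Tuple[bool, Optional[str]]:
    """A single byte appended to the hypervisor image changes its measurement."""
    comps = list(KNOWN_GOOD)
    comps[2] = ("xen_hypervisor", KNOWN_GOOD[2][1] + b"!")
    return verify_launch(comps, POLICY)


def extra_module() -> Tuple[bool, Optional[str]]:
    """An additional component loaded after the known-good chain is still caught."""
    return verify_launch(KNOWN_GOOD + [("unexpected_module", b"constructed: not in policy")], POLICY)


def reordered() -> Tuple[bool, Optional[str]]:
    """Same bytes in a different order give a different PCR: order is part of the chain."""
    comps = [KNOWN_GOOD[0], KNOWN_GOOD[2], KNOWN_GOOD[1], KNOWN_GOOD[3]]
    return verify_launch(comps, POLICY)


if __name__ == "__main__":
    print("clean boot       :", verify_launch(KNOWN_GOOD, POLICY))
    print("tampered image   :", tampered_hypervisor())
    print("extra module     :", extra_module())
    print("reordered chain  :", reordered())
    print("missing dom0     :", verify_launch(KNOWN_GOOD[:3], POLICY))
```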
A major milestone for Trusted Computing, and by extension Wave Systems, has been (finally) announced, but seems to have gone unnoticed. (My apologies if I am wrong about that.)
The first commercial release of a product that requires the TPM to be utilized will be released in June. (Only two years late!)
Pop the champagne wavedreamer!
Introducing XenClient XT
Drumroll please............. :))
------------------------------
Citrix Announces XenClient 2 and XenClient XT
XenClient 2 Supports 3x More Laptops, While New XenClient XT Delivers Advanced Isolation and Security for Extreme Use Cases
San Francisco » 5/25/2011 »
Today at Citrix Synergy™, where virtual computing takes center stage, Citrix Systems officially unveiled Citrix XenClient™ 2, the second generation of its innovative bare-metal client hypervisor developed in collaboration with Intel, which allows centrally managed virtual desktops to run directly on corporate laptops, even when they are disconnected from the network. The new version of XenClient, which is available today as a technology preview, adds extensive new ease-of-use and scalability features, and will be certified to run on an estimated 45 million PCs and laptops, more than three times that of previous versions. In addition to the new XenClient 2 announcement, Citrix also launched XenClient XT, a new standalone product that delivers advanced levels of security, isolation and performance for customers with the most extreme client computing requirements.
What’s New In XenClient 2
Expanded Hardware Compatibility – supports 3x as many laptops and PCs as previous versions, making it an ideal way to deliver virtual desktops “to go” on a broad selection of leading enterprise laptop brands and models. The new release also features support for the 2nd generation Intel® Core™ vPro™ platform, building on the existing support for Intel’s 2010 and 2009 enterprise platforms.
Expanded Graphics Support – expanded support for Intel® HD Graphics, available on 2nd Generation Intel® Core™ processors, and introduces support for discrete graphics architectures from AMD including the FirePro™ and Radeon™ series of GPUs.
Production-scale Synchronizer – helps customers deploy XenClient-enabled laptops across larger and more complex enterprise environments, while still managing all virtual desktops centrally, including full synchronization of user desktops, apps and data with the corporate datacenter.
Simplified User Experience – Combined with new enhancements to the Citrix Receiver software client, XenClient 2 users will enjoy a simpler, more responsive, more intuitive user experience.
Introducing XenClient XT
Extreme Desktop Isolation – XenClient XT augments the XenClient hypervisor with hardened components and a unique new network isolation architecture that allows users to run multiple securely isolated local virtual desktops in separate security domains and completely isolated networks, all on a single physical system.
Extreme Security – provides hardware-assisted security that leverages security capabilities in the Intel Core vPro platform. This includes a trusted boot capability powered by Intel Trusted Execution Technology (TXT) to ensure that XenClient XT is checked against a known good configuration on every boot, ensuring no unauthorized modifications to the system.
Extreme Performance – capable of running the most graphically and computationally demanding desktop environments without compromise, while ensuring advanced security, isolation and performance.
Multi-level Desktop Consolidation – allows customers to run a large number of securely isolated desktop computing environments on a single physical system, especially useful for public sector customers who need to work on multiple sensitive contracts and projects simultaneously with full network and desktop isolation.
Why It Matters
Desktop virtualization is being widely adopted by both enterprises and government agencies as a more secure way to deliver desktops, apps and data to their employees, while improving security and agility with centralized desktop management. Citrix XenClient plays an integral role in this transition by enabling virtual desktops “to go” for millions of mobile workers, while simultaneously enabling fully isolated environments for advanced multi-client and high-security client computing use cases.
Supporting Quotes
Gordon Payne, senior vice president and general manager, Desktop Division at Citrix
“Desktop virtualization is helping organizations of all kinds transform desktop computing into a secure, on-demand service. XenClient extends the benefits of virtualization from the data center to physical PCs. With XenClient 2, we’re adding new levels of scalability and support for millions more laptop and PC models. And, by extending the product family with XenClient XT, we are taking this industry-leading technology to new areas like high-security desktop computing in the public sector, helping these organizations manage the costs and ensure the security and isolation of their desktop environments.”
Rick Echevarria, vice president, Intel Architecture Group and general manager, Business Client Platform Division
“The Synergy release of the XenClient 2 tech preview and announcement of the new Citrix XenClient XT product further illustrate Intel’s strong collaboration with Citrix. We have worked together to enable and optimize the XenClient 2 tech preview for the 2nd Generation Intel® Core™ vPro™ processor family. Our collaboration has produced an intelligent approach to desktop virtualization that delivers uncompromised performance, security, and manageability to IT and a great user experience for workers. XenClient was built from the start to utilize the powerful capabilities of Intel vPro technology. XenClient XT now takes it a step further by incorporating the additional hardware security benefits of Intel’s Trusted Execution Technology (TXT) to provide a verified platform on every boot. These innovations enable solutions delivered by Intel and Citrix with vPro and XenClient and our ecosystem to set a new bar for desktop virtualization.”
Chris Wolf, research VP, Gartner
"The client hypervisor has been an integral part of Gartner's virtual desktop and application delivery reference architecture for multiple years. Many of our clients see the bare-metal client hypervisor as not only core to their mobile user support strategy, but also essential for the complex office worker who has normally required multiple physical workstations due to various security, privacy, and regulatory compliance considerations."
Supporting Partner Blogs
Intel: Intel Powers Smart Security on XenClient XT, XenClient 2
AMD: Graphics Virtualization Just Got Easier
HP: Reality Check: Server Insights
Lenovo: Lenovo Cloud and Virtualization Offerings on Display at Citrix Synergy
Availability
XenClient 2 tech preview, which includes both XenClient and the Synchronizer for XenClient, is available today for free download by any IT pro who wants to try the technology for up to 10 clients.
The new XenClient XT product will be available in June 2011.
Related Announcements
New Citrix XenDesktop release extends benefits of desktop virtualization to millions of laptop users
Citrix Accelerates Virtual Desktop Revolution with XenDesktop 5
http://www.citrix.com/English/NE/news/news.asp?newsID=2311981
Anti-FUD?
Intel's Purchase of McAfee Already Paying Dividends for Embedded Security
Posted by MarkScantlebury
on Apr 25, 2011
Nearly 10 months ago, Intel acquired computer security software company McAfee. For many, this delivered a strong message about Intel's commitment to helping protect computing and embedded devices of all kinds from the ever-increasing cyber threats around us. According to an August 2010 Intel press release:
"The acquisition reflects that security is now a fundamental component of online computing. Today’s security approach does not fully address the billions of new Internet-ready devices connecting, including mobile and wireless devices, TVs, cars, medical devices and ATM machines, as well as the accompanying surge in cyber threats. Providing protection to a diverse online world requires a fundamentally new approach involving software, hardware and services."
At the time of the purchase, McAfee was known for its software-related security solutions, including end-point and networking products and services focused on helping to ensure Internet-connected devices and networks are protected from malicious content, phony requests and unsecured transactions and communications. For the embedded market, McAfee introduced McAfee Embedded Security in 2009, a new spin on its former Solidcore product. McAfee Embedded Security is designed to enforce software change control policies and provide protection against existing and unknown zero-day and polymorphic threats such as worms, viruses, Trojans and buffer-overflow attacks. To do this, the product uses a mainframe technique known as whitelisting, which defines the actions allowed on a device. The product runs on a variety of Windows*, Linux*, and Solaris* platforms. Manufacturers announcing support of McAfee Embedded Security include NCR, NEC Infrontia, Sharp, Schweitzer Engineering Laboratories, Meridian, Clearwave, PFU and Sysmex.
The obvious question now for embedded developers is what else McAfee will add to Intel's full-on security push for the rapidly growing Embedded Internet. This is a terribly important question. For tens of thousands of reasons. The McAfee Threats Report: Fourth Quarter 2010 reports that the identification of new malware went from 16,000 per day in 2007 to 60,000 per day in 2010. And before you say that's just for personal computing devices and servers, consider this: today a person anywhere in the world can talk to an embedded device almost anywhere else. This creates opportunities for great services and experiences, but also exposes connected devices to malware from increasingly sophisticated adversaries. Consider Stuxnet, the worm that targeted embedded industrial controllers in an Iranian nuclear plant. I shudder to think of the damage malware attacks could inflict on embedded systems that control our food supply, transportation systems, healthcare delivery and electric power.
Thoughts like this lead me to be excited about a new partnership between McAfee and Wind River (a wholly owned subsidiary of Intel and an Associate member of the Intel® Embedded Alliance). The two companies are developing, marketing and supporting security solutions for non-PC devices. The first product of this partnership is the Common McAfee Agent (CMA) for Wind River Linux. CMA enables all devices to which it is connected to report into the McAfee ePolicy Orchestrator (ePO) console. This gives customers a complete picture from a single console of their security posture on all CMA-connected devices. This includes the usual servers, desktops, laptops, mobile devices, and databases, plus – and here's the important part for all of us in the embedded world – devices running Wind River Linux. This means devices such as printers, SCADA systems, medical devices, POS systems, and much more.
With the CMA, policies and tasks can be pushed onto embedded devices and data captured and reported back to the central console. Using the ePO and CMA framework will make new McAfee security products easier to deploy and manage as they're introduced. It's an important first step to providing complete security on embedded systems. As more and more embedded devices are added to the network, CMA and ePO will help security administrators know if the devices have the appropriate level of security and help them control different policies on those devices. Add Intel® Active Management Technology (Intel® AMT) and its out-of-band capabilities to the picture and administrators will be able to perform these actions even if a device is turned off or no longer functional.
This is just the start. McAfee and Wind River will continue to collaborate to offer purpose-built security and management solutions for the burgeoning embedded market. The two companies are already developing whitelisting for Wind River Linux to prevent unauthorized applications from running, as well as adding McAfee-provided network-access control functionality. Anti-malware will come later.
While the vast majority of known malware attacks are still oriented toward Windows-based operating systems, the hardening of an industrial operating system such as Wind River's will benefit infrastructure far less visible to the public. But no less important.
Have ideas for how to improve the security of embedded devices as billions more devices are connected to the Internet over the next five to 10 years? Let's hear them.
http://embedded.communities.intel.com/community/en/hottopics/blog/2011/04/25/intels-purchase-of-mcafee-already-paying-dividends-for-embedded-security
orda, don't be so down. Cybersecurity is going to be an ongoing endeavor and is still very much in its early stages. Trusted computing technologies are just a part of the answer, not the end-all, be-all of all things 'cybersecurity'. That's not to say that I don't expect the TPM to be a necessary component of future solutions; I do. What we want to see, IMO, is more companies producing more products that utilize TCG approaches.
Northrop Grumman is prominently mentioned in this story and as we know they are employing TC technology already. The story conveyed a positive message for me.
OT: Cybersecurity Valley
------------------
Cybersecurity Powerhouse in the Baltimore-Washington Corridor
A UMBC research park emerges as front line of defense in Cyberwars.
By Bruce Goldfarb | Email the author | April 17, 2011
http://severnapark.patch.com/articles/cybersecurity-powerhouse-in-the-baltimore-washington-corridor
In the last year, more than a dozen cybersecurity companies have moved into a research park near the University of Maryland Baltimore County (UMBC). Until now, they've been under the radar, so to speak.
Some call it a "Cyberhive"--a swarm of activity by a vast army of the country's most innovative thinkers in internet security. Their mission--to counter by mouse click the constant threats against the nation's digital networks.
It’s a corporate incubator where promising start-ups can mingle with large defense contractors such as Northrop Grumman and Science Applications International Corporation (SAIC) to develop emerging technologies for the newly formed U.S. Cyber Command down the street at the National Security Agency in Ft. Meade, MD.
“This region is becoming the center of cybersecurity,” says Armando Seay, senior executive vice president of Ross Technologies, which provides cybersecurity services for the Department of Defense and private-sector clients. In May, his company is moving its offices from Columbia, MD, into the UMBC park called bwtech.
“It’s like a beehive, a cyberhive, a hotbed of critical thinking and innovation,” Seay says. “There’s no reason why this campus won’t become Cybersecurity Valley.”
According to state representative Del. James Malone, 51 cybersecurity companies have recently relocated to Maryland, bringing about 5,000 jobs. This is on top of a net gain of up to 60,000 employees expected to move into the state in coming years from the Pentagon's base realignment and closure program.
“Our goal is to make Maryland the epicenter of cybersecurity in the country,” Maryland Governor Martin O’Malley told Arbutus Patch.
Vast portions of the country’s critical infrastructure rely on computerization, from banking and finance to power grids, phone systems, air traffic control and nuclear power plants. Computers run everything in daily life from elevators to supermarket checkouts and medical diagnostic machines, and personal information is maintained in electronic databases. Americans can’t effectively vote, shop, drive, pay tolls, communicate or access information without digital technology.
“Without us being aware of it, we as a society are becoming networked, from how we drive to how we use the phone to how we turn on the lights,” says Seay. “The technology that empowers our ability to have our daily lives is also subject to abuse. There are people around the world taking advantage of vulnerabilities and engaging in espionage and all sorts of things.”
Cyber threats are growing at an alarming rate, both in absolute numbers and also in terms of the information at stake.
A report released on April 5 by software security firm Symantec disclosed a massive volume of threats on the Internet, with 286 million new threats recorded in 2010–a 93 percent increase over the previous year. Mobile devices and social networks such as Facebook are areas of burgeoning cyber threats, according to the report.
“The nature of the threats has expanded from targeting individual bank accounts to targeting the information and physical infrastructure of nation states,” the Symantec report said.
In the wake of a serious breach of military network security, in June of 2009 Secretary of Defense Robert Gates approved a plan to consolidate the cybersecurity activities of the Army, Navy, Marines, Air Force and Coast Guard into the U.S. Cyber Command, located at Ft. Meade and led by Keith B. Alexander, chief of the NSA–the agency in charge of foreign communications, signals intelligence and code-cracking.
Just as the U.S. Strategic Command is responsible for the nuclear arsenal and defending against hostile incursions into the nation’s air space, the new U.S. Cyber Command protects against threats to the country’s virtual space.
The Cyber Command “is going to mean a tremendous number of jobs throughout the state,” says O’Malley. “This will do for information technology what the National Institutes of Health has done for medicine.”
Providing a space for collaboration and the percolation of cutting-edge ideas is vital to the health of the Cyberhive.
UMBC now offers a post-graduate certificate and a master’s degree in cybersecurity, which draws candidates from across the country.
“Cybersecurity is a growing area,” says bwtech Executive Director Ellen Hemmerly. “The demand for this kind of talent is strong and very competitive.”
Northrop Grumman and SAIC are “good examples of companies with a vested interest in ensuring that innovation comes out of our universities,” Hemmerly says. “Having cybersecurity companies located on campus presents a lot of opportunities for students.”
SAIC created a Cyber Innovation Center nearby in Columbia, MD, which it describes as an “agile collaboration space” for its far-flung technical people and outside vendors to fuse cybersecurity ideas, services and technology.
Last fall, Northrop Grumman created a “scholarship program” at UMBC for early-stage companies with promising cybersecurity ideas. Northrop is looking for high-potential technology to develop and commercialize, and through the scholarship program offers small companies around the country a spot in UMBC’s incubator park and access to the cyberhive.
“There are benefits to having other companies in your vicinity to partner with,” says Ayinde Stewart, chief executive officer of Clear Resolution Consulting, a cybersecurity start-up with 15 employees based at bwtech.
“UMBC is a huge producer of technical talent,” Stewart says. “This is a good place to be.”
This October, SAIC and UMBC are launching a statewide Cyber Challenge, a conference and competition of white-hat hacking for high school students, college students and professionals.
Co-founders of the Cyber Challenge include the National Cyber Security Alliance, a national nonprofit group that includes Microsoft, McAfee, PayPal, Visa, Google, Cisco and other major corporate interests.
“It’s a huge, huge business,” Seay says. “Every aspect of our lives has some vulnerability. There is a huge demand for personnel to protect the nation, our corporations, everything that’s computerized.”
This video, XenClient Installation on a Dell Notebook, from DellTechCenter shows how to set up the BIOS for installing XenClient. Viewers are told to select the first two options but not the third. So we wait.
Virtualization support:
1. Enable Intel Virtualization Technology
   This option specifies whether a Virtual Machine Monitor (VMM) can utilize the additional hardware capabilities provided by Intel Virtualization Technology.
2. Enable VT for Direct I/O
   This option specifies whether a Virtual Machine Monitor (VMM) can utilize the additional hardware capabilities provided by Intel Virtualization Technology for Direct I/O.
3. Trusted Execution
   This option specifies whether a Measured Virtual Machine Monitor (MVMM) can utilize the additional hardware capabilities provided by Intel Trusted Execution Technology. The TPM, Virtualization Technology, and Virtualization Technology for Direct I/O must be enabled to use this feature.
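A BIOS toggle is only half the story; what the hypervisor actually sees is recorded in the CPU and exposed by the kernel. The Python below is an added check, not from the Dell video or from Citrix, for confirming on a running Linux box which of the three options took effect. It decodes MSR IA32_FEATURE_CONTROL (0x3A), where the BIOS sets bit 0 (lock), bit 1 (VMX inside SMX, the mode TXT's measured launch runs in), bit 2 (VMX outside SMX, ordinary VT-x) and bit 15 (SENTER global enable); reading the MSR requires root and the `msr` kernel module. CPUID support appears as the `vmx` and `smx` flags in /proc/cpuinfo, VT-d as a populated /sys/kernel/iommu_groups, and the TPM as /sys/class/tpm/tpm0; those sysfs paths and the sample cpuinfo excerpt are assumptions of the example rather than anything the post states.

```python
"""Confirm VT-x, VT-d and TXT enablement from Linux (added example).

Assumed layout: /dev/cpu/N/msr (root + `modprobe msr`), /proc/cpuinfo flags,
/sys/kernel/iommu_groups for VT-d, /sys/class/tpm/tpm0 for the TPM.
"""
import os
import struct

MSR_IA32_FEATURE_CONTROL = 0x3A
LOCK = 1 << 0                  # once set, the MSR is read-only until reset
VMX_IN_SMX = 1 << 1            # VMX allowed inside SMX (TXT measured launch)
VMX_OUTSIDE_SMX = 1 << 2       # ordinary VT-x
SENTER_GLOBAL_ENABLE = 1 << 15  # GETSEC[SENTER] permitted


def decode_feature_control(value: int) -> dict:
    """Split the relevant IA32_FEATURE_CONTROL bits into named booleans."""
    return {
        "locked": bool(value & LOCK),
        "vmx_outside_smx": bool(value & VMX_OUTSIDE_SMX),
        "vmx_in_smx": bool(value & VMX_IN_SMX),
        "senter_enabled": bool(value & SENTER_GLOBAL_ENABLE),
    }


def read_msr(index: int, cpu: int = 0) -> int:
    """Read a 64-bit MSR via the msr device; needs root and the msr module."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(index)
        return struct.unpack("<Q", f.read(8))[0]


def cpu_flags(cpuinfo_text: str) -> set:
    """Flags of the first processor entry in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def assess(flags: set, feature_control: int, iommu_groups: int,
           tpm_present: bool) -> dict:
    """Map raw observations onto the three BIOS options.

    vt_x_bios_blocked is the case a hypervisor installer hits most often:
    the CPU supports VMX but firmware locked the MSR with VMX disabled.
    """
    fc = decode_feature_control(feature_control)
    return {
        "vt_x_ready": "vmx" in flags and fc["vmx_outside_smx"],
        "vt_d_ready": iommu_groups > 0,
        "txt_ready": ("smx" in flags and fc["vmx_in_smx"]
                      and fc["senter_enabled"] and tpm_present),
        "vt_x_bios_blocked": ("vmx" in flags and fc["locked"]
                              and not fc["vmx_outside_smx"]),
    }


# Constructed /proc/cpuinfo excerpt for offline use (not captured from a real host).
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat \
pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm vmx smx est ssse3 cx16 \
sse4_1 sse4_2 popcnt aes tpr_shadow vnmi flexpriority ept vpid
"""


def probe_live() -> dict:
    """Read the real system; only meaningful as root on Linux with msr loaded."""
    with open("/proc/cpuinfo") as f:
        flags = cpu_flags(f.read())
    fc = read_msr(MSR_IA32_FEATURE_CONTROL)
    groups_dir = "/sys/kernel/iommu_groups"
    groups = len(os.listdir(groups_dir)) if os.path.isdir(groups_dir) else 0
    return assess(flags, fc, groups, os.path.exists("/sys/class/tpm/tpm0"))


if __name__ == "__main__":
    flags = cpu_flags(SAMPLE_CPUINFO)
    # Options 1 and 2 on, option 3 off: MSR locked with VMX outside SMX only.
    print("options 1+2:", assess(flags, 0x5, iommu_groups=12, tpm_present=True))
    # All three on: bits 0, 1, 2 and 15 set.
    print("options 1+2+3:", assess(flags, 0x8007, iommu_groups=12, tpm_present=True))
    # Firmware locked VMX off: the classic "VT not enabled" installer failure.
    print("locked off:", assess(flags, 0x1, iommu_groups=0, tpm_present=False))
```

Run `probe_live()` as root to see the real values; the `__main__` section exercises the decoder on constructed inputs so the logic can be read without a vPro machine at hand. The `vt_x_bios_blocked` case is the one to look for when a client hypervisor refuses to start even though `vmx` appears in `/proc/cpuinfo`: the CPUID flag reports capability, while the locked MSR reports what the BIOS actually allowed.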