Proceed to WirelessDevNet Home Page
Publications, e-books, and more! Community Tutorials Store Downloads, tools, & Freebies! IT Career Center News Home
newnav.gif
Newsletters
EMail Address:
   Content
  - Articles
  - Columns
  - Training
  - Library
  - Glossary
 
   Career Center
  - Career Center Home
  - View Jobs
  - Post A Job
  - Resumes/CVs
  - Resource Center
 
   Marketplace
  - Marketplace Home
  - Software Products
  - Wireless Market Data
  - Technical Books
 
   News
  - Daily News
  - Submit News
  - Events Calendar
  - Unsubscribe
  - Delivery Options
 
   Community
  - Discussion Boards
  - Mailing List
  - Mailing List Archives
 
   About Us
  - About WirelessDevNet
  - Wireless Source Disks
  - Partners
  - About MindSites Group
  - Advertising Information
 

WirelessDevNet.com Press Release

CSS Uncovers SCEP Vulnerability For Mobile Devices In The Enterprise

Researchers at Certified Security Solutions, Inc. (CSS), a leading information security company, have uncovered a potentially serious security issue pertaining to the use of the Simple Certificate Enrollment Protocol (SCEP) in conjunction with mobile devices. Organizations that leverage SCEP to issue digital certificates to mobile devices may be subject to a privilege escalation attack.

The problem is not caused by an implementation error in a single product, or by an issue with the SCEP protocol itself, but rather by a combination of features, configurations, and use cases that, together, open up a previously unforeseen avenue of attack. Mobile Device Management (MDM) systems that leverage SCEP to issue certificates for authentication into enterprise systems such as Wi-Fi, VPN, or ActiveSync are among the most critically affected scenarios.

Certified Security Solutions has been working for several weeks with US-CERT and CERT/CC at Carnegie Mellon to facilitate notifications and information disclosure through the proper channels. The official US-CERT vulnerability report can be found at the following link: http://www.kb.cert.org/vuls/id/971035

"We strongly encourage every organization that uses SCEP or a Mobile Device Management system along with an enterprise Public Key Infrastructure to take a deeper look to see whether they're affected and at risk," said Ted Shorter, CSS' Chief Technology Officer. "We've setup an area on our website that takes a deeper dive into explaining the vulnerability, and the steps for enterprises to protect themselves."

Visit this informational portal online at www.css-security.com/scep

About CSS

CSS is an information security services company with operations throughout North America and headquartered in Cleveland, Ohio. We specialize in three critical areas of information security: identity & access management, secure infrastructure & governance, and risk & compliance. CSS provides consulting services, managed security services, security as a service and security software tools in order to meet our clients' needs. For more information and for a complete list of branch offices, visit www.css-security.com or email marketing@css-security.com
Sponsors

Search

Eliminate irrelevant hits with our industry-specific search engine!





Wireless Developer Network - A MindSites Group Trade Community
Copyright© 2000-2010 MindSites Group / Privacy Policy
Send Comments to:
feedback@wirelessdevnet.com