Syber Group

Developers Hack Dropbox

September 11, 2013
Filed under Security

Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.

“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.

Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.

“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”

The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.

“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”

The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.

The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch, and how, once someone has decompiled its source code, “it is possible to study how Dropbox works in detail.

“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.

The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products, they said.

The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”


Is The Tesla Hackable?

September 9, 2013
Filed under Security

It’s the curse of the connected car: once it’s linked to the Internet, it’s, well, on the Internet. In the case of the Tesla Model S, this means that mischievous hackers could, in theory, control some functions of the vehicle and even snoop without the owner’s knowledge.

Tesla offers Android and iPhone apps for Model S owners, which can be used to check the vehicle’s battery, track its location and status, and tweak several other settings, like climate control and the sunroof. It can also be used to unlock the doors on the Model S.

Dell senior engineer George Reese says the REST API used by Tesla to provide access for Android and iPhone apps has several fairly serious security flaws, which could offer a way in for unscrupulous hackers.

According to an article written by Reese for O’Reilly, Tesla appears to have broken from accepted best practice when designing the API for the Model S.

“It’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs–Twitter uses it), this scenario is one that screams for its use,” he wrote.

However, Reese notes, this is merely a potential attack vector, not one that could be immediately exploited. That said, a compromised website, particularly one designed to provide “value-added services” via the API to Tesla drivers, could prove highly damaging.

“I can … honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese wrote.

Automotive hacking has been posited by experts for some time, and several presentations at this year’s Defcon detailed fairly comprehensive methods of compromising some models.


U.S. Cloud Vendors Hurt By NSA

September 4, 2013
Filed under Computing

Edward Snowden’s public unveiling of the National Security Agency’s Prism surveillance program could cause U.S. providers of cloud-based services to lose 10% to 20% of the foreign market — a slice of business valued at up to $35 billion.

A new report from the Information Technology & Innovation Foundation (ITIF) concludes that European cloud computing companies, in particular, might successfully exploit users’ fears about the secret data collection program to challenge U.S. leadership in the hosted services business.

Daniel Castro, author of the report, acknowledges that the conclusions are based, so far, on thin data, but nonetheless argues that the risks to U.S. cloud vendors are real.

Indeed, a month prior, the Cloud Security Alliance reported that in a survey of 207 officials of non-U.S. companies, 10% of the respondents said that they had canceled contracts with U.S. service providers after Snowden’s leak of NSA Prism documents earlier this year.

“If U.S. companies lose market share in the short term, it will have long-term implications on their competitive advantage in this new industry,” said Castro in the ITIF report. “Rival countries have noted this opportunity and will try to exploit it.”

To counter such efforts, the U.S. must challenge overstated claims about the program by foreign companies and governments, said Jason Weinstein, a partner in the Washington office of law firm Steptoe & Johnson and a former federal prosecutor and deputy assistant attorney general specializing in computer crime.

“There are a lot of reasons to be concerned about just how significant those consequences will be,” Weinstein said. “The effort by European governments and European cloud providers to cloud the truth about data protection in the U.S. was going on well before anyone knew who Edward Snowden was. It just picked up new momentum once the Prism disclosures came out.”

Weinstein contends that European countries have fewer data protection rules than the U.S.

For example, he said that in the U.K. and France, a wiretap to get content can be issued by a government official without court authority, but that can’t happen in the U.S.

“U.S. providers have done nothing other than comply with their legal obligations,” he said. But because of Snowden’s leaks, “they are facing potentially significant economic consequences.”

Gartner analyst Ed Anderson said his firm has yet to see any revenue impact on cloud providers since the Prism disclosures, but added, “I don’t think Prism does U.S. providers any favors, that’s for sure.”

Nonetheless, Anderson added, “I think the reality is [the controversy] is likely to die down over time, and we expect adoption to probably continue on the path that it has been on.”

One reason why U.S. providers may not suffer is because “the alternatives aren’t great if you are a European company looking for a cloud service,” he said.


Samsung’s Eight-core Chip Goes Hacking

August 13, 2013
Filed under Computing

A Samsung eight-core chip used in some Galaxy S4 mobile devices is now available for hackers to play with on a developer board from South Korea-based Hardkernel.

Hardkernel’s Odroid XU board has incorporated Samsung’s eight-core Exynos 5 Octa 5410 chip, which is based on ARM’s latest processor designs. Samsung recently announced a new eight-core chip, the Exynos 5 Octa 5420, which packs faster graphics and application processing than the 5410. The 5420 has not yet shipped, however.

The Odroid board is priced at $149 through Aug. 31, after which it will be offered for $169. Samsung for many months has said that a board with an eight-core chip would be released, and has shown prototype developer boards at conferences.

Odroid-XU will provide developers an opportunity to write programs tuned for Samsung’s octa-core chip, which has been a source of controversy. Analysts have said the eight-core design is overkill for small devices like smartphones and tablets, which need long battery life.

The eight-core chip design also takes up a lot of space, which prevented Samsung from putting LTE radios inside some Galaxy S4 models. Qualcomm, which hesitantly moved from the dual core to the quad-core design on its Snapdragon chips, on Friday criticized eight-core chips, calling the idea “dumb.”

Despite the criticism, the board will give developers a first true glimpse of, and an opportunity to write and test applications for, ARM’s Big.Little design. The design combines high-power cores for demanding applications with low-power cores for mundane tasks like texting and calling.

Samsung’s iteration of Big.Little in the Exynos 5 Octa 5410 chip combines four processors based on ARM’s latest Cortex-A15 processor design with four low-power Cortex-A7 CPUs. The Cortex-A15 succeeds the previous Cortex-A9 core, which was used in popular smartphones like Apple’s iPhone and the Galaxy S3. Samsung said the eight-core chip provides a balance of power and performance, with the high-power cores kicking in only when necessary.

The board has an Imagination Technologies PowerVR SGX544MP3 graphics processor, 2GB of low-power DDR3 DRAM, two USB 3.0 ports and four USB 2.0 ports. Other features include Wi-Fi, Ethernet and optional Bluetooth. Google’s Android 4.2 operating system is preloaded, and support for other Linux distributions like Ubuntu is expected soon. The board has already been benchmarked on Ubuntu 13.04.


Baidu Acquires App Maker

July 26, 2013
Filed under Around The Net

Baidu Inc, China’s top search engine, plans to purchase app store 91 Wireless for $1.9 billion to strengthen its position in the country’s highly competitive mobile computing sector.

Baidu will buy a 57.4 percent stake in 91 Wireless, one of China’s earliest appstores, from NetDragon Websoft Inc for $1.09 billion, and the remainder from other shareholders, both companies said on Tuesday.

“It’s good for Baidu because if you look at mobile, currently apps are more popular than mobile sites because Internet download speeds are slow. So with the acquisition of this appstore, Baidu can work more closely with the apps developer and be able to enhance further their search capabilities,” said Elinor Leung, an analyst with CLSA in Hong Kong.

China’s mobile Internet market is expected to double to about 300 billion yuan ($48 billion) in 2014 from 150 billion yuan in 2012, with the number of active mobile Internet users rising to 749 million from 521 million during the same period, according to research firm Analysys International.

NetDragon’s shares lost as much as a fifth of their value on Tuesday and were down 18 percent at HK$19.74 at 0305 GMT (11:05 p.m. ET).

NetDragon also said in a statement that it would scrap the planned spinoff and listing of 91 Wireless on Hong Kong’s secondary Growth Enterprise Market if the acquisition is finalized.


WiLan Loses In Court

July 25, 2013
Filed under Around The Net

Wi-Lan has suffered defeat in its patents trial against Alcatel Lucent, Ericsson, HTC and Sony, as a Texas court decided that the firms did not infringe its patents.

Wi-Lan filed a lawsuit against Alcatel Lucent, Ericsson, HTC and Sony in 2010, claiming the firms infringed patents that relate to data transmission over wireless networks. However, a Texas court ruled that the four firms did not infringe Wi-Lan’s patents and found one patent Wi-Lan asserted against HTC and two it asserted against Alcatel Lucent invalid.

Wi-Lan had asserted that Alcatel Lucent and Ericsson infringed three patents, and the court upheld none of those claims. The firm also asserted that HTC and Sony infringed another patent, and there the court not only judged against infringement but invalidated the patent.

Alcatel Lucent and HTC both said that Wi-Lan was trying to stretch its patents to cover technology in their devices.

Sally Julien, a spokeswoman for HTC, said, “HTC believes that Wi-Lan has exaggerated the scope of its patent in order to extract unwarranted licensing royalties from entities who have been focused on bringing innovation forward in their own products.”

Kurt Steinert, an Alcatel Lucent spokesman, said, “We think this validates our belief that Wi-Lan was stretching the boundaries of its patents, and the jury confirmed that belief.”

Wi-Lan has managed to get several companies to license its technology, including Dell and Panasonic, and in May it initiated legal proceedings against Blackberry over a patent relating to Long Term Evolution network technology. However, in this case the firm did not prevail against two large telecom equipment companies and two big smartphone makers.


Tech Hiring Up This Year

July 22, 2013
Filed under Around The Net

Hiring of technology professionals has been increasing since the first half of this year, with new IT hires accounting for about 10% of all the job growth in the U.S. in June, according to two independent assessments.

Total tech employment reached 4.47 million in June, an increase of 22,600 jobs from the prior month, or a 0.51% gain, according to TechServe Alliance, an IT services industry group which tracks employment data month-to-month. The total excludes tech manufacturing employment.

Similarly, Foote Partners, which researches IT employment trends, reported a gain of 18,200 new tech jobs last month.

These gains are coming at the same time that some tech employers are cutting jobs.

IBM has cut more than 3,000 workers over the past few weeks, struggling Hewlett-Packard is still eliminating jobs, and Symantec is seeing layoffs as well.

The U.S. economy added 195,000 jobs overall in June, according to the Labor Dept.

Foote said that IT employment in the first half of this year is averaging 13,500 new jobs per month.

“While the pace of job creation in the national labor force appears stuck at 7.6% unemployment and new jobs are heavily in part-time positions and low wage full-time segments, IT jobs have been on a sustained growth upswing and wages are holding steady if not growing slightly,” said David Foote, chief analyst, in a statement.

Reports on IT employment figures from analysts can differ widely depending on which U.S. Labor Department categories are used in the calculations.

Another firm that analyzes the labor market, Janco Associates, reported a gain of 9,900 jobs in June based on the categories it tracks.

Despite the increase in hiring, IT salaries remain flat, said Janco.

“Based on our interviews with over 96 CIOs in the last 30 days, we concluded that CIOs are not in a great hurry to hire new staff except to meet short term needs until they see a clear trend as to what is happening with the economy,” said Janco CEO Victor Janulaitis in a statement.

Janulaitis said that “67% of the CIOs we interviewed do not see any real push to expand staffing over the next 12 months.”


MS Office Demand Fizzles

July 19, 2013
Filed under Computing

After a promising start, downloads of Microsoft’s free Office for the iPhone quickly nosedived, as the latest data from a mobile app analytics company showed.

But at least 200,000 copies of the small suite — iPhone versions of Word, Excel and PowerPoint — were downloaded in the first six days.

Distimo, a Dutch firm that tracks app store market data for several platforms, including Apple’s iOS, Google’s Android, and Microsoft’s Windows 8 and Windows Phone, said Office Mobile for the iPhone debuted in the No. 10 spot on June 15, the day after Microsoft launched the free app.

That was Office Mobile’s peak: On June 16, Office Mobile slipped to the No. 19 position among all free iPhone apps, then continued to slide throughout the week of June 17-23, starting that seven-day stretch at No. 36, falling to No. 86 by Friday, June 21, and ending at No. 299 on June 23.

From June 24 to July 6, Office Mobile was not on Distimo’s leaderboard, which lists only the top 400 downloaded apps.

The number of downloads of Office Mobile for iPhone is unknown — Distimo requires a paid account to show developers the estimated downloads of their apps and those of competitors, and did not reply to questions Sunday — but the tally was probably significant.

According to Distimo, to place in the App Store’s No. 10 spot, an app must average 72,000 downloads daily. Office Mobile was ranked No. 10 on June 15. Apps ranked at No. 50 averaged 23,000 downloads daily: Office Mobile held position at No. 50 or lower for five consecutive days.

Those numbers implied that at least 200,000 copies of Office Mobile were downloaded in the six days between June 15 and June 20.

Likewise, the sharp decline of Office Mobile’s position in the App Store’s free list after just a week hints at a pent-up demand that was quickly satisfied.

Although rumors of Office on iOS had circulated since the iPad’s 2010 introduction, they heated up last November when reports claimed Microsoft would launch a mobile version of the suite this year and tie the software to Office 365. At the time, most analysts agreed that Office 365 was the smart move because it could boost interest in the subscription concept Microsoft has bet will result in more, and more regular, revenue from its Office cash cow.

Linking Office on iOS to Office 365 would also let Microsoft avoid the Apple “tax,” the 30% cut that Apple takes from all App Store sales.

Only Office 365 subscribers can use Office Mobile. Subscriptions range from the consumer-grade Office 365 Home Premium, which costs $100 annually, to several business plans that start at $150 per user per year and climb to $264 per user per year.


Malware Infections On Android Rising

July 8, 2013
Filed under Around The Net

An increasing number of Android phones are infected with mobile malware programs that are capable of turning the handsets into spying devices, according to a report from Kindsight Security Labs, a subsidiary of telecommunications equipment vendor Alcatel-Lucent.

The vast majority of mobile devices infected with malware are running the Android operating system and a third of the top 20 malware threats for Android by infection rate fall into the spyware category, Kindsight said in a report released Tuesday that covers the second quarter of 2013.

The Alcatel-Lucent subsidiary sells security appliances to ISPs (Internet service providers) and mobile network operators that can identify known malware threats and infected devices by analyzing the network traffic.

Data collected from its product deployments allows the company to compile statistics about how many devices connected to mobile or broadband networks are infected with malware and to determine which threats are most commonly detected.

The malware infection rate for devices connected to mobile networks is fairly low, averaging 0.52%, Kindsight said in its report. These infected devices include mobile phones as well as Windows laptops that use a mobile connection through a phone, a 3G USB modem or a mobile hotspot device.

In January the number of infected mobile phones accounted for slightly more than 30% of all infected devices connected to mobile networks, but by June they grew to more than 50%.

The vast majority of infected mobile phones run Android. Those running BlackBerry, iOS and other operating systems represent less than 1% of infected mobile devices, Kindsight said.

When calculated separately, on average more than 1% of Android devices on mobile networks are infected with malware, Kindsight said in its report.

The malware threat most commonly seen on Android devices was an adware Trojan program called Uapush.A that sends SMS messages and steals information, Kindsight said. Uapush.A was responsible for around 53% of the total number of infections detected on Android devices.


HP Aims To Boot ‘Useless’ Data

June 20, 2013
Filed under Computing

Hewlett-Packard wants to help organizations rid themselves of useless data, all the information that is no longer necessary, yet still occupies expensive space on storage servers.

The company’s Autonomy unit has released a new module, called Autonomy Legacy Data Cleanup, that can delete data automatically based on the material’s age and other factors, according to Joe Garber, who is the Autonomy vice president of information governance.

Hewlett-Packard announced the new software, along with a number of other updates and new services, at its HP Discover conference, being held this week in Las Vegas.

For this year’s conference, HP will focus on “products, strategies and solutions that allow our customers to take command of their data that has value, and monetize that information,” said Saar Gillai, HP’s senior vice president and general manager for the converged cloud.

The company is pitching Autonomy Legacy Data Cleanup for eliminating no-longer-relevant data in old SharePoint sites and in e-mail repositories. The software requires the new version of Autonomy’s policy engine, ControlPoint 4.0.

HP Autonomy Legacy Data Cleanup evaluates whether to delete a file based on several factors, Garber said. One factor is the age of the material. If an organization has an information governance policy of only keeping data for seven years, for example, the software will delete any data older than seven years. It will root out and delete duplicate data. Some data is not worth saving, such as system files. Those can be deleted as well. It can also consider how much the data is being accessed by employees: Less consulted data is more suitable for deletion.

Administrators can set other controls as well. If used in conjunction with the indexing and categorization capabilities in Autonomy’s Idol data analysis platform, the new software can eliminate clusters of data on a specific topic. “You apply policies to broad swaths of data based on some conceptual analysis you are able to do on the back end,” Garber said.
