Developers Hack Dropbox
Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.
“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.
Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.
“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”
The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.
The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch, and how, once someone has decompiled its source code, “it is possible to study how Dropbox works in detail.”
“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.
The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They said they also used the same techniques successfully to snoop on SSL data in other commercial products.
The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”
Is The Tesla Hackable?
It’s the curse of the connected car: once it’s linked to the Internet, it’s, well, on the Internet. In the case of the Tesla Model S, this means that mischievous hackers could, in theory, control some functions of the vehicle and even snoop without the owner’s knowledge.
Tesla offers Android and iPhone apps for Model S owners, which can be used to check the vehicle’s battery, track its location and status, and tweak several other settings, like climate control and the sunroof. It can also be used to unlock the doors on the Model S.
Dell senior engineer George Reese says the REST API used by Tesla to provide access for Android and iPhone apps has several fairly serious security flaws, which could offer a way in for unscrupulous hackers.
According to an article written by Reese for O’Reilly, Tesla appears to have broken from accepted best practice when designing the API for the Model S.
“It’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs–Twitter uses it), this scenario is one that screams for its use,” he wrote.
However, Reese notes, this is merely a potential attack vector, not one that could be immediately exploited. That said, a compromised website, particularly one designed to provide “value-added services” to Tesla drivers via the API, could prove highly damaging.
“I can … honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese wrote.
Automotive hacking has been posited by experts for some time, and several presentations at this year’s Defcon detailed fairly comprehensive methods of compromising some models.
Is Apple Doomed?
August 22, 2013 by admin
Filed under Consumer Electronics
The necromancy department of Apple has been summoning the spirit of Steve Jobs in the hope of turning around its current dismal growth figures. For a while now, even amongst Apple fanboys, there has been a belief that Jobs’ Mob has gone down the tubes since Jobs croaked.
It is a myth of course; Jobs’ specialty was not innovation but marketing working ideas as if they were his own. But either way, Apple is attempting to convince everyone that the new iPhone was personally designed by its former CEO. Even after being dead for a while now, and having had no influence over the disasters the company has since suffered, Jobs apparently was on board for the iPhone 5S.
According to Apple’s government liaison Michael Foulkes, Jobs oversaw the design of two models of iPhone to go on sale after his death. We suspect that it will take a full resurrection before anyone takes this particular spin seriously. If Jobs could really see into the future and predict where his toys would be three years after he died, we would have thought he would also have seen that it was a stupid idea not to accept conventional medical treatment for his cancer until it was too late.
Tech Hiring Up This Year
July 22, 2013 by admin
Filed under Around The Net
Hiring of technology professionals has been increasing since the first half of this year, with new IT hires accounting for about 10% of all the job growth in the U.S. in June, according to two independent assessments.
Total tech employment reached 4.47 million in June, an increase of 22,600 jobs from the prior month, or a 0.51% gain, according to TechServe Alliance, an IT services industry group that tracks employment data month to month. The total excludes tech manufacturing employment.
Similarly, Foote Partners, which researches IT employment trends, reported a gain of 18,200 new tech jobs last month.
These gains are coming at the same time that some tech employers are cutting jobs.
IBM has cut more than 3,000 workers over the past few weeks, struggling Hewlett-Packard is still eliminating jobs, and Symantec is seeing layoffs as well.
The U.S. economy added 195,000 jobs overall in June, according to the Labor Dept.
Foote said that IT employment in the first half of this year is averaging 13,500 new jobs per month.
“While the pace of job creation in the national labor force appears stuck at 7.6% unemployment and new jobs are heavily in part-time positions and low wage full-time segments, IT jobs have been on a sustained growth upswing and wages are holding steady if not growing slightly,” said David Foote, chief analyst, in a statement.
Reports on IT employment figures from analysts can differ widely depending on which U.S. Labor Department categories are used in the calculations.
Another firm that analyzes the labor market, Janco Associates, reported a gain of 9,900 jobs in June based on the categories it tracks.
Despite the increase in hiring, IT salaries remain flat, said Janco.
“Based on our interviews with over 96 CIOs in the last 30 days, we concluded that CIOs are not in a great hurry to hire new staff except to meet short term needs until they see a clear trend as to what is happening with the economy,” said Janco CEO Victor Janulaitis in a statement.
Janulaitis said that “67% of the CIOs we interviewed do not see any real push to expand staffing over the next 12 months.”
MS Office Demand Fizzles
After a promising start, downloads of Microsoft’s free Office for the iPhone quickly nosedived, as the latest data from a mobile app analytics company showed.
But at least 200,000 copies of the small suite — iPhone versions of Word, Excel and PowerPoint — were downloaded in the first six days.
Distimo, a Dutch firm that tracks app store market data for several platforms, including Apple’s iOS, Google’s Android, and Microsoft’s Windows 8 and Windows Phone, said Office Mobile for the iPhone debuted in the No. 10 spot on June 15, the day after Microsoft launched the free app.
That was Office Mobile’s peak: On June 16, Office Mobile slipped to the No. 19 position among all free iPhone apps, then continued to slide throughout the week of June 17-23, starting that seven-day stretch at No. 36, falling to No. 86 by Friday, June 21, and ending at No. 299 on June 23.
From June 24 to July 6, Office Mobile was not on Distimo’s leaderboard, which lists only the top 400 downloaded apps.
The number of downloads of Office Mobile for iPhone is unknown — Distimo requires a paid account to show developers the estimated downloads of their apps and those of competitors, and did not reply to questions Sunday — but the tally was probably significant.
According to Distimo, to place in the App Store’s No. 10 spot, an app must average 72,000 downloads daily. Office Mobile was ranked No. 10 on June 15. Apps ranked at No. 50 averaged 23,000 downloads daily: Office Mobile held position at No. 50 or lower for five consecutive days.
Those numbers implied that at least 200,000 copies of Office Mobile were downloaded in the six days between June 15 and June 20.
Likewise, the sharp decline of Office Mobile’s position in the App Store’s free list after just a week hints at a pent-up demand that was quickly satisfied.
Although rumors of Office on iOS had circulated since the iPad’s 2010 introduction, they heated up last November when reports claimed Microsoft would launch a mobile version of the suite this year and tie the software to Office 365. At the time, most analysts agreed that Office 365 was the smart move because it could boost interest in the subscription concept Microsoft has bet will result in more, and more regular, revenue from its Office cash cow.
Linking Office on iOS to Office 365 would also let Microsoft avoid the Apple “tax,” the 30% cut that Apple takes from all App Store sales.
Only Office 365 subscribers can use Office Mobile. Subscriptions range from the consumer-grade Office 365 Home Premium, which costs $100 annually, to several business plans that start at $150 per user per year and climb to $264 per user per year.
Collaborating Viruses Showing Up
Two computer viruses are collaborating to defeat clean-up operations. Microsoft researcher Hyun Choi has found that the pair of viruses foil removal by regularly downloading updated versions of their malware partner.
It is the first time that such a defense scheme has been observed. Choi said that the Vobfus and Beebone viruses were regularly found together. Vobfus was the first to arrive on a machine, he said, and used different tactics to infect victims. Vobfus could be installed via booby-trapped links on websites, travel via network links to other machines, or lurk on USB drives and infect machines they are plugged into.
Once installed, Vobfus downloaded Beebone, which enrolled the machine into a botnet. After this the two start to work together, regularly downloading new versions of each other. If Vobfus was detected and remediated, by then it could already have downloaded an undetected Beebone, which can in turn download an undetected variant of Vobfus.
Vobfus has been a persistent problem since 2009, when it first appeared.
LinkedIn Drops BWP API
February 18, 2013 by admin
Filed under Around The Net
LinkedIn has shut off its API access to “Bang With Professionals,” a Web service that was intended to facilitate more, say, intimate connections among users of the business-oriented social networking site.
The service was designed to allow LinkedIn users to anonymously search for people in their LinkedIn network who would be interested in meeting up for casual sex.
“We all had a good laugh,” the founders of Bang With Professionals said last Friday on the website, less than a month after its launch. “We all knew it was a matter of time before our API key was revoked.”
LinkedIn said it shut off API (application programming interface) access for the free site, which was intended to work on all desktops and mobile devices, because it violated the social network’s terms of use in a manner that was “inconsistent with the goals of our developer program.”
Among other things, API access isn’t allowed for any application that contains or displays adult content.
Data about the site’s 6,000 subscribers is safe and all their user IDs have been deleted, the founders said. The only thing that remains now is the site’s landing page.
The origins of Bang With Professionals are not unique in the fast-paced social networking landscape. The site was built “by two guys in three days,” the landing page says. The total launch cost was US$57: $40 for stock images, $12 for the domain name and $5 for a CloudFlare account.
The Twitter handle for the site has since been deactivated, but at press time, the Bang With Professionals blog on Tumblr was still accessible.
Developers Gaining Interest In WP8
February 11, 2013 by admin
Filed under Smartphones
Developers are becoming increasingly interested in developing apps for Windows Phone and BlackBerry 10.
According to ABI Research, Android and iOS remain dominant platforms, with Android in the lead in the smartphone space and iOS dominating the tablet market.
However, developers are also focusing on Windows Phone and BB10. ABI analyst Aapo Markkanen believes 45 million Windows Phone devices will be in use by the end of the year, along with up to 20 million BB10 devices. Redmond will also have 5.5 million Windows-powered tablets in use by the end of the year.
Mozilla Touts WebRTC
Mozilla has shown off WebRTC integration in its Firefox web browser, demonstrating real-time video conferencing and file transfer capabilities.
All major web browser developers have started to integrate the WebRTC protocol and now Mozilla has shown off how far its integration has come. The firm demonstrated working video conferencing, file transfer and sharing capabilities through the Firefox web browser.
Mozilla was keen to push its implementation of the Datachannels API that is part of WebRTC to allow instant messaging and file transfer. The firm’s impressive demonstration shows off seamless sharing between two clients that had initiated a video conversation, with tabs and files being sent and viewed with little user interaction.
Mozilla’s demonstration does highlight the need for tight sandboxing within the web browser. However, as a peer-to-peer protocol that automatically encrypts communications between two hosts, WebRTC could challenge some existing closed communication protocols such as Skype.
Maire Reavy, product lead for Firefox Platform Media at Mozilla said, “WebRTC is a powerful new tool that enables web app developers to include real-time video calling and data sharing capabilities in their products. While many of us are excited about WebRTC because it will enable several cool gaming applications and improve the performance and availability of video conferencing apps, WebRTC is proving to be a great tool for social apps.”
Mozilla didn’t say when its WebRTC implementation will enter the stable release channel; however, given the outfit’s rapid release schedule, it should be a matter of weeks rather than months.
Amazon Goes To Court
Amazon is suing Daniel Powers, its ex-VP in charge of global sales for Amazon Web Services, because he joined Google in a cloud role.
Taking the new job, asserts Amazon, violates Powers’ non-compete agreement with Amazon, which let Powers go this summer with a reasonable severance package.
There is a risk that Powers could take important information that he learned about the Amazon web services business to its rival, Google, and that is what the firm is seeking to stop.
According to Geekwire, Amazon wants an injunction against Powers to prevent him from “engaging in any activities that directly or indirectly support any aspect of Google’s cloud computing business”.
A court filing claims that Amazon has an agreement with Powers that says he will not join a rival for a “limited time following the termination of his employment”.
Powers, it warns, is a veteran who knows the cloud business from “top to bottom”, adding that he has “acquired and currently possesses extensive knowledge of Amazon’s trade secrets and its highly confidential information”.
The complaint says that he has extensive and detailed information about Amazon Web Services’ prospects, business, potential business partners, pricing strategies and goals.
Amazon has not provided us with further comment.