Tech Firms Form OTrP To Support IoT Security
A bunch of tech firms including ARM and Symantec have joined forces to create a security protocol designed to protect Internet of Things (IoT) devices.
The group, which also includes Intercede and Solacia, has created The Open Trust Protocol (OTrP) that is now available for download for prototyping and testing from the IETF website.
The OTrP is designed to bring system-level root trust to devices, using secure architecture and trusted code management, akin to how apps on smartphones and tablets that contain sensitive information are kept separate from the main OS.
This will allow IoT manufacturers to incorporate the technology into devices, ensuring that they are protected without having to give full access to a device OS.
Marc Canel, vice president of security systems at ARM, explained that the OTrP will put security and trust at the core of the IoT.
“In an internet-connected world it is imperative to establish trust between all devices and service providers,” he said.
“Operators need to trust devices their systems interact with and OTrP achieves this in a simple way. It brings e-commerce trust architectures together with a high-level protocol that can be easily integrated with any existing platform.”
Brian Witten, senior director of IoT security at Symantec, echoed this sentiment. “The IoT and smart mobile technologies are moving into a range of diverse applications and it is important to create an open protocol to ease and accelerate adoption of hardware-backed security that is designed to protect onboard encryption keys,” he said.
The next stage is for the OTrP to be further developed by a standards-defining organisation after feedback from the wider technology community, so that it can become a fully interoperable standard suitable for mass adoption.
Courtesy-TheInq
Microsoft To Block SHA-1 Hashing
Software giant Microsoft has joined Mozilla and will consider blocking the SHA-1 hashing algorithm on Windows to keep the US spooks from using it to spy on users' computers.
Redmond had earlier said that Windows would block SHA-1 signed TLS (Transport Layer Security) certificates from January 1, 2017, but is now mulling moving up the date to June.
There have been concerns about the algorithm’s security as researchers have proven that a forged digital certificate that has the same SHA-1 hash as a legitimate one can be created. Users can then be tricked into interacting with a spoofed site in what is called a hash collision.
In October, a team of cryptanalysts warned that the SHA-1 standard should be withdrawn as the cost of breaking the encryption had dropped faster than expected to US$75,000 to $120,000 in 2015 using freely available cloud computing.
Programme manager for Microsoft Edge Kyle Pflug wrote in his blog that Redmond will coordinate with other browser vendors to evaluate the impact of this timeline based on telemetry and current projections for feasibility of SHA-1 collisions.
Mozilla said in October that in view of recent attacks it was considering a cut-off of July 1, 2016 to start rejecting all SHA-1 SSL certificates, regardless of when they were issued, ahead of an earlier scheduled date of January 1, 2017.
Courtesy- http://www.thegurureview.net/computing-category/microsoft-to-block-sha-1-hashing.html
Microsoft, Google Cease Fire In Global Patent Deal
Microsoft has been pursuing a more collaborative approach under CEO Satya Nadella, engaging longtime rivals like Salesforce, VMware and Apple. There hasn’t been much love between Microsoft and Google, but an announcement on Wednesday points towards an easing of those tensions.
Google and Microsoft have reached a broad agreement on patent matters, with a legal settlement ending some 20 lawsuits between the companies in the U.S. and Germany. Financial terms weren’t disclosed, but the deal brings a laundry list of lawsuits to a close.
“Microsoft and Google are pleased to announce an agreement on patent issues,” they said in a joint statement. “As part of the agreement, the companies will dismiss all pending patent infringement litigation between them, including cases related to Motorola Mobility.”
They also agreed to collaborate on patent matters and work together “to benefit our customers.”
The suits that have been settled include those related to mobile phones, video encoding and Wi-Fi technologies. That doesn’t mean Microsoft has given up its campaign to collect royalties from Android device makers for the mobile operating system’s alleged infringement of Microsoft patents.
It’s not clear from the statement what patent matters the companies will be working on together in the future, but changes have already begun. The two companies agreed earlier this month to work together (alongside other firms like Netflix and Mozilla) on a royalty-free video codec.
It remains to be seen if the settlement will lead to more work between Microsoft and Google in other areas. A major sticking point for consumers has been the lack of a Google-made YouTube app for smartphones and tablets running Windows.
Source-http://www.thegurureview.net/aroundnet-category/microsoft-google-cease-fire-in-global-patent-deal.html
Is Yahoo Growing?
July 9, 2015 by admin
Yahoo’s share gains since November from a partnership with Mozilla may be a clue about whether the search company can gain new users through the just-announced contract to change Internet Explorer’s and Chrome’s default search through installations of Oracle’s Java.
Although the news of the Yahoo-Oracle partnership got the lion’s share of attention, CEO Marissa Mayer also used last week’s shareholder meeting to mention the Mozilla pact.
The five-year contract with Mozilla, the maker of Firefox, has boosted Yahoo’s share of the U.S. search market, but growth has stalled for the last three months, according to measurement company comScore.
On Wednesday, Mayer asserted that the Mozilla deal — negotiated last fall — was “profitable,” but didn’t provide any numbers to back that up. Neither Yahoo nor Mozilla has disclosed how much the former paid to become Firefox’s default search engine in the U.S.
By comScore’s measurement, Yahoo accounted for 12.7% of all U.S. searches in May, the same share it controlled in both March and April. Although that was 2.5 percentage points higher than in November 2014 — before Firefox began urging users to accept Yahoo as the default — and represented a six-month increase of 25%, May’s share was down from the January peak of 13%.
From all indications, Yahoo has gotten as much out of the Firefox deal as it will likely get. The flip-side is that Yahoo has hung onto most of what it grabbed from Google — Firefox’s previous default — even as Google has tried to get users to return.
For May, comScore pegged Google’s share at 64.1%, down one-tenth of a percentage point from the month prior. Microsoft’s share rose that one-tenth of a point to end May at 20.3%. Because Bing powers Yahoo’s search results, Microsoft’s technology accounted for 31.4% of all U.S. searches, still less than half Google’s 65.2%.
Facebook To Require Stronger Digital Signature
Facebook will require application developers to adopt a more secure type of digital signature for their apps, which is used to verify a program’s legitimacy.
As of Oct. 1, apps will have to use SHA-2 certificate signatures rather than ones signed with SHA-1. Both are cryptographic algorithms that are used to create a hash of a digital certificate that can be mathematically verified.
Apps that use SHA-1 after October won’t work on Facebook anymore, wrote Adam Gross, a production engineer at the company, in a blog post.
“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard,” Gross wrote.
SHA-1 has been considered weak for about a decade. Researchers have shown it is possible to create a forged digital certificate that carries the same SHA-1 hash as a legitimate one.
The type of attack, called a hash collision, could trick a computer into thinking it is interacting with a legitimate digital certificate when it actually is a spoofed one with the same SHA-1 hash. Using such a certificate could allow an attacker to spy on the connection between a user and an application or website.
Microsoft, Google, Mozilla and other organizations have also moved away from SHA-1 and said they will warn users of websites that are using a connection that should not be trusted.
The Certificate and Browser Forum, which develops best practices for web security, has recommended in its Baseline Requirements that digital certificate issuers stop using SHA-1 as of Jan. 1.
Criminals Remotely Erasing Smartphone Data
Smartphones taken as evidence by police in the UK are being wiped remotely by crooks in order to remove potentially incriminating data, an investigation has uncovered.
Dorset police told the BBC that six devices were wiped within the space of a year while they were being kept in police custody, and Cambridgeshire, Derbyshire, Nottingham and Durham police also confirmed similar incidents.
The technology being used was originally designed to allow device owners to remove sensitive data from phones or tablets if they are lost or stolen.
“We have cases where phones get seized, and they are not necessarily taken from an arrested person, but we don’t know the details of these cases as there is not a reason to keep records of this,” a spokeswoman for Dorset police told the BBC.
A spokeswoman for Derbyshire police also confirmed one incident of a device being remotely wiped while in police custody.
“We can’t share many details about it, but the case concerned romance fraud, and a phone involved with the investigation was remotely wiped,” she said. “It did not impact upon the investigation, and we went on to secure a conviction.”
Software that enables this remote wiping has been available from a variety of security firms for some time now.
For example, BitDefender announced a product a while back intended to track lost or stolen Android devices. Not only did it allow users to connect remotely and ‘wipe’ data from a web profile via the internet, but to activate commands with text messages.
Pen Test Partners’ digital forensics expert, Ken Munro, said it is common practice to immediately put devices that are seized as evidence into a radio-frequency shielded bag to prevent any signals getting through and stop remote wipes.
“If we can’t get to the scene within an hour, we tell the client to pop it in a microwave oven,” he said. “The microwave is reasonably effective as a shield against mobile or tablet signals – just don’t turn it on.”
Chrome Climbs To Second
Google’s Chrome browser in July broke the 20% user share bar for the first time, according to recently published statistics by Web measurement vendor Net Applications.
But because the browser war is a zero-sum game, when Chrome won others had to lose. The biggest loser, as has been the case for the last year: Mozilla’s Firefox, which came dangerously close to another milestone, but on the way down.
Firefox accounted for 15.1% of the desktop and laptop personal computer browsers used in July, a low point not seen by the open-source application since October 2007, a year before Chrome debuted and when Microsoft’s Internet Explorer (IE) was only on version 7.
Chrome had flirted with the 20% mark before. More than two years ago, Chrome’s user share — a Net Applications’ measurement of the unique visitors running each browser — had come close: 19.6%. But Chrome then took a prolonged dip that only began reversing last fall.
Chrome’s July user share of 20.4% put the browser solidly in second place, but still far behind IE in Net Applications’ tallies. IE’s share last month was 58%, down slightly from the month before.
Firefox also lost user share in July, dropping half a percentage point to 15.1%. It was the ninth straight month that the desktop browser lost share. In the past three months alone, Firefox has fallen nearly two points.
The timing of the decline has been terrible, as Mozilla’s current contract with Google ends in November. That deal, which assigned Google’s search engine as the default for most Firefox customers, has generated the bulk of Mozilla’s revenue. In 2012, for example, the last year for which financial data was available, Google paid Mozilla an estimated $272 million, or 88% of all Mozilla income.
Going into this year’s contract renewal talks, Mozilla will be bargaining from a much weaker position, down 34% in total user share since July 2011.
Apple’s Safari remained in a distant fourth place behind Firefox, with a user share of 5.2%, down four-tenths of a percentage point in the last month. Meanwhile, Opera Software’s Opera browser brought up the rear with a small 1% user share.
Javascript Security Flaws Discovered
Polish researchers have released technical details and attack code for 30 security issues affecting Oracle’s Java Cloud Service. Some of the flaws make it possible for attackers to read or modify users’ sensitive data or to execute malicious code.
Security Explorations said it would normally withhold public airings until after any vulnerability has been fixed. But apparently Oracle representatives failed to resolve some of the more crucial issues, including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text user passwords stored in some systems.
Oracle apparently has admitted to the researchers that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centres in the future.
Adam Gowdiak, CEO of Security Explorations, said Oracle unveiled the Java Cloud Service in 2011 and held it up as a way to better compete against Salesforce.com.
Box Launches HTML 5 Tool
April 17, 2014 by admin
Box has updated developer usage plans and opened access to a document viewing tool as it looks to build momentum ahead of its IPO.
Box has made its HTML5 document viewing tool called Box View available for developers to incorporate into their companies’ products and services.
It was unveiled in beta mode last September at the firm’s annual Boxworks conference and is designed to help firms ensure that documents in any format can be viewed online. The tool is based on technology Box acquired in its acquisition of Crocodoc.
Box product manager Sean Rose explained in a blog post, “Box View is an API that converts Office and PDF documents to easily embeddable HTML5, enabling developers to create beautiful experiences around content. Gone are the days of forcing users to deal with broken and inconsistent experiences across platforms.
“With just a few simple API calls, developers can create an elegant and consistent content experience across all platforms.”
Box cited some customers that are already using this service, such as UberConference, Xero and Shake to ensure that they can send information to partners, customers and contractors quickly and easily.
Furthermore, the firm has based the pricing model for the tool on a per-use basis, rather than a traditional per-user basis.
For users of the service as a Box-branded platform – so it displays the Box logo, rather than the customer’s own logo – it’s free for 1,000 document uploads per month. After that it’s priced at 2.5 cents per document.
Custom use of the tool so the customer’s own logo is displayed costs $250 per month for 2,500 uploads. Each document after that costs five cents per upload, but enterprise users can thrash out a deal with Box for any service they expect to handle over 10,000 document uploads a month.
“Most developers will never have to pay anything for Box View, and, for those that do, Box View pricing is built to scale alongside your app’s user base,” added Rose.
As part of this encouragement to developers to incorporate Box into their tools, the firm has also unveiled new pricing models around its APIs, to again focus on usage levels rather than user numbers.
Integrating with Box in general is free for developers, and up to 25,000 interactions with the Box Content API are free too. For 25,000 or more API interactions the cost is $500 per month. Any more than this and custom deals are available.
Box VP of Platform Chris Yeh explained that this move was designed “specifically for businesses that want to leverage the APIs at scale” to help keep pace with the growth the firm is seeing.
“More than 35,000 developers are building on Box. Every month, our platform sees one billion third-party API calls, and the Box OneCloud ecosystem just reached 1,000 app integration partners,” Yeh said.
The updates come at a busy time for Box after it filed to go public earlier this week in a listing worth $250m, as it looks to build on its early success in the enterprise market.
Can Android Fight Cyber Threats With A.I.?
February 5, 2014 by admin
A security firm called Zimperium has launched mobile software that learns from smartphones to fend off malicious cyber attacks.
Claiming to be the first security software to be powered by artificial intelligence (AI), the app is called zIPS, with the “IPS” standing for “intrusion prevention system”. The aim of the AI is to better spot malware before it causes harm or spreads to other devices.
The zIPS software works whether the smartphone is offline or online and can protect against malicious apps, such as those that can self-modify, and network attacks like a “man in the middle” attack where a hacker intercepts data being sent between one user and another.
“With zIPS, corporations will now have the opportunity to use [bring your own device] as an advantage to their security. zIPS is the first security solution that can combat modern cyber-attacks on mobile,” said Zimperium’s founder and CEO Zuk Avraham. “There is already evidence of attacks that are happening to infiltrate organisations, which only zIPS can prevent.”
Prior to working on the Android app, Avraham worked as a security researcher for the Israeli Defense Forces and Samsung Electronics before setting up Zimperium in response to what he thinks is a poor selection of good mobile security software.
According to MIT Technology Review, Zimperium said that there have as yet been no programs that can detect, notify and protect against cyber attacks deployed through mobile devices.
The zIPS Android app has arrived in the Google Play store for all Android devices at a time when malware on Android is at an all-time high.
Last year, Trend Micro warned that Google’s Android mobile operating system is so beset by cyber criminals creating malicious apps that the malware was on track to hit the million mark before the end of 2013.
The firm said that this was attributable to hackers seeking to exploit Android’s growing global user base.