Dropbox Beefs Up Security
August 25, 2015 by admin
Two-factor authentication is widely regarded as a best practice for security in the online world, but Dropbox has announced a new feature that’s designed to make it even more secure.
Whereas two-step verification most commonly involves the user’s phone for the second authentication method, Dropbox’s new U2F support adds a new means of authenticating the user via Universal 2nd Factor (U2F) security keys instead.
What that means is that users can now use a USB key as an additional means to prove who they are.
“This is a very good advancement and adds extra security over mobile notifications for two-factor authentication,” said Rich Mogull, Securosis CEO.
“Basically, you can’t trick a user into typing in credentials,” Mogull explained. “The attacker has to compromise the exact machine the user is on.”
For most users, phone-based, two-factor authentication is “totally fine,” he said. “But this is a better option in high-security environments and is a good example of where the FIDO standard is headed.”
Security keys provide stronger defense against credential-theft attacks like phishing, Dropbox said.
“Even if you’re using two-step verification with your phone, some sophisticated attackers can still use fake Dropbox websites to lure you into entering your password and verification code,” the company explained in a blog post. “They can then use this information to access your account.”
Security keys, on the other hand, use cryptographic communication and will only work when the user is signing in to the legitimate Dropbox website.
Dropbox users who want to use the new feature will need a security key that follows the FIDO Alliance’s Universal 2nd Factor (U2F) standard. That U2F key can then be set up with the user’s Dropbox account along with any other U2F-enabled services, such as Google.
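The origin binding described above can be simulated in a few lines. This is an added example, not Dropbox's or the FIDO Alliance's code: the `SecurityKey` class, the helper names and both URLs are assumptions made for illustration, and the appId is simplified to equal the site's origin.

```javascript
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Bytes covered by a U2F authentication signature:
// SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData)
function signedBytes(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([1]), ctr, sha256(clientData)]);
}

// Hypothetical security key: one P-256 key pair per appId it was registered with.
class SecurityKey {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(appId, privateKey);
    return publicKey; // stored by the server at enrolment
  }
  sign(appId, clientData) {
    const privateKey = this.keys.get(appId);
    if (!privateKey) return null; // nothing registered for this site
    const counter = ++this.counter;
    return { counter, signature: crypto.sign('sha256', signedBytes(appId, counter, clientData), privateKey) };
  }
}

// The browser, not the page, records the origin the user is really on (appId = origin here).
function browserSign(key, origin, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin });
  const assertion = key.sign(origin, clientData);
  return assertion && { clientData, ...assertion };
}

// Server side: check origin, challenge and counter, then the signature itself.
function serverVerify(publicKey, appId, challenge, lastCounter, assertion) {
  if (!assertion) return false;
  const { origin, challenge: echoed } = JSON.parse(assertion.clientData);
  if (origin !== appId || echoed !== challenge || assertion.counter <= lastCounter) return false;
  const data = signedBytes(appId, assertion.counter, assertion.clientData);
  return crypto.verify('sha256', data, publicKey, assertion.signature);
}

function demo() {
  const LEGIT = 'https://www.dropbox.com';        // illustrative appId
  const PHISH = 'https://dropbox-login.example';  // constructed look-alike origin
  const key = new SecurityKey();
  const pub = key.register(LEGIT);
  const challenge = crypto.randomBytes(32).toString('hex');
  const genuine = serverVerify(pub, LEGIT, challenge, 0, browserSign(key, LEGIT, challenge));
  // The look-alike page relays the real challenge; the key holds nothing for that origin.
  const phished = serverVerify(pub, LEGIT, challenge, 0, browserSign(key, PHISH, challenge));
  // Even a key that will sign for the look-alike origin yields an assertion the server rejects.
  key.register(PHISH);
  const relayed = serverVerify(pub, LEGIT, challenge, 1, browserSign(key, PHISH, challenge));
  return { genuine, phished, relayed };
}
```

Unlike a typed verification code, the signed response names the origin it was produced for, so a response obtained on another site does not verify at the real one.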
Malware Turns Computers Into Cellular Antenna
A team of Israeli researchers has improved on a way to steal data from air-gapped computers, which are thought to be safer from attack due to their isolation from the Internet.
They’ve figured out how to turn the computer into a cellular transmitter, leaking bits of data that can be picked up by a nearby low-end mobile phone.
While other research has shown it possible to steal data this way, some of those methods required some hardware modifications to the computer. This attack uses ordinary computer hardware to send out the cellular signals.
Their research, which will be featured next week at the 24th USENIX Security Symposium in Washington, D.C., is the first to show it’s possible to steal data using just specialized malware on the computer and the mobile phone.
“If somebody wanted to get access to somebody’s computer at home — let’s say the computer at home wasn’t per se connected to the Internet — you could possibly receive the signal from outside the person’s house,” said Yisroel Mirsky, a doctoral student at Ben-Gurion University and study co-author.
The air-gapped computer that is targeted does need to have a malware program developed by the researchers installed. That could be accomplished by creating a type of worm that infects a machine when a removable drive is connected. It’s believed this method was used to deliver Stuxnet, the malware that sabotaged Iran’s uranium centrifuges.
The malware, called GSMem, acts as a transmitter on an infected computer. It creates specific, memory-related instructions that are transmitted between a computer’s CPU and memory, generating radio waves at GSM, UMTS and LTE frequencies that can be picked up by a nearby mobile device.
The GSMem component that runs on a computer is tiny. “Because our malware has such a small footprint in the memory, it would be very difficult and can easily evade detection,” said Mordechai Guri, also a doctoral student at Ben-Gurion.
HTC To Go High-End
August 18, 2015 by admin
Taiwanese smartphone maker HTC Corp said it will eliminate some jobs and discontinue models as part of its strategy to focus on high-end devices to better compete with the likes of Apple Inc and Samsung Electronics.
“The cuts will be across the board,” Chief Financial Officer Chialin Chang told reporters after HTC reported a second-quarter loss and forecast another for the third quarter. “They will be significant.”
Chang said the cost reductions would extend to the first quarter of next year, but declined to give further details.
A pioneer in early smartphones, HTC has been dismissed by industry watchers as confused, unoriginal and uncompetitive.
The company has been losing market share over the past few years, hit by intense competition at the high-end of the market from the likes of Apple and Samsung Electronics while budget Chinese rivals have also eclipsed its low-cost offerings.
HTC shares have fallen 51 percent so far this year. The stock closed 1.69 percent lower before the results were announced.
Chang said HTC was banking on selling high-end models in emerging smartphone markets such as India, where he said the company has a 20 percent market share of phones priced between $250-$400.
Analysts, however, are less optimistic, saying HTC is likely to continue to struggle for the next four quarters at least.
“We believe HTC will keep losing share in the smartphone market and will keep losing money,” analyst Calvin Huang with Taiwan’s SinoPac Securities wrote in a recent research note.
Did Microsoft Intentionally Delay The Surface Pro 4?
The latest rumors suggest that Microsoft was waiting to jack the latest Intel Skylake processor under its bonnet.
Redmond seemingly wants the new Surface Pro to be state of the art and a tablet which is useful. Skylake will give it better battery life and performance, with current industry standards like Bluetooth 4.1, Cat6 LTE, WiDi 6.0, and A4WP wireless charging woven into it.
Intel will support the tablets through compatibility with 3D cameras and audio processing software plus better stylus interaction.
There is no sign of confirmation of the rumors. Microsoft has been quiet so far about the Surface Pro 4. We had been expecting it to highlight some of the better features of Windows 10.
However if the rumors are true it will be a hell of a lot better than the MacBook Air 2015 because it will feature innovation, rather than just being thin.
Latest news about its release date suggests a 2016 launch.
Microsoft To Release Advanced Threat Analytics
Microsoft is very close to releasing Advanced Threat Analytics (ATA), the security shore-up that it first announced three months ago.
ATA, or MATA as we called it for our own small amusement, is the result of three months’ real world testing, and the culmination of enough user feedback to inform a final release.
That final release will happen in August, which should give you plenty of time to get your head around it.
Hmmm. Microsoft’s Advanced Threat Analytics seems like a very good idea focused on the enterprise.
— Kevin Jones (@vcsjones) May 4, 2015
Idan Plotnik, who leads the ATA team at Microsoft, explained in an Active Directory Team Blog post that the firm is working towards removing blind spots from security analytics, and that this release should provide a strong and hardy tool for the whacking away of hacking.
“Many security monitoring and management solutions fail to show you the real picture and provide false alarms. We’ve taken a different approach with Microsoft ATA,” he said.
“Our secret sauce is our combination of network Deep Packet Inspection, information about the entities from Active Directory, and analysis of specific events.
“With this unique approach, we give you the ability to detect advanced attacks and stolen credentials, and view all suspicious activities on an easy to consume, simple to explore, social media feed like attack timeline.”
The Microsoft approach is an on-premise device that detects and analyses threats as they happen and on a retrospective basis. Plotnik said that it combines machine learning and knowledge about existing techniques and tactics to proactively protect systems.
“ATA detects many kinds of abnormal user behaviour many of which are strong indicators of attacks. We do this by using behavioural analytics powered by advanced machine learning to uncover questionable activities and abnormal behaviour,” he added.
“This gives the ability for ATA to show you attack indicators like anomalous log-ins, abnormal working hours, password sharing, lateral movement and unknown threats.”
A number of features will be added to the preview release, including performance improvements and the ability to deal with more traffic, before general availability next month.
Microsoft To Open Source Radio Code
Microsoft has begun to open source some more of its code, this time for the Microsoft Research Software Radio (Sora).
“We believe that a fully open source Sora will better support the research community for more scientific innovation,” said Kun Tan, a senior researcher on the Sora project team.
Sora was created to combat the problem of creating software radio that could keep up with the hardware developments going on around it.
The idea behind it is to run the radio off software on a multi-core PC running a basic operating system. In the example, it uses Windows. But then it would.
A PCIe radio control board is added to the machine with signals processed by the software for transmission and reception, while the RF front-end, with its own memory, interfaces with other devices.
The architecture also supports parallel processing by distributing processing pipelines to multiple cores exclusively for real-time SDR tasks.
Sora has already won a number of awards, and the Sora SDK and API were released in 2011 for academic users. More than 50 institutions now use it for research or courses.
As such, and in line with the groovy open Microsoft ethos, the software has now been completely open sourced, with customizable RF front-ends, customizable RCB with timing control and synchronization, processing accelerators and support for new communication models such as duplex radios.
The Sora source code is now up on GitHub. Use cases already in place include TV whitespace, large scale MIMO and distributed MIMO systems.
Microsoft has made a number of moves towards open sourcing itself over the past year. Most notably, the .NET Framework at the heart of most Windows programs was offered up to the newly created .NET Foundation.
It was announced yesterday that Google is releasing its Kubernetes code to the Linux Foundation to set up a standardized format for containerization.
Oculus Buys Pebbles
July 27, 2015 by admin
Facebook’s Oculus unit announced that it has agreed to acquire Israeli gesture recognition technology developer Pebbles Interfaces for an undisclosed amount.
The announcement was made in a blog posted by Oculus.
Israel’s Calcalist financial news website said the deal was worth tens of millions of dollars.
While other companies pioneering the virtual reality field focus on full-body movement, Pebbles’ technology detects and tracks hand movement. It is aimed primarily at gamers but also has applications for TV, computers, or smartphone operation while driving.
Recently Pebbles integrated its technology with Oculus glasses, which translate finger gestures into virtual movement through a camera mounted on the glass frame, Calcalist said.
Investors in Pebbles include Chinese mobile phone maker Xiaomi, Israeli venture capital fund Giza and U.S. storage firm SanDisk, Calcalist said.
Will Cortana Impact Windows 10 Battery Life?
It is just over a month until Microsoft introduces Windows 10, and as you should know by now, Cortana is one of the key elements of the new OS.
Cortana always listens in order to hear its name and be a smart digital assistant. This is Microsoft’s answer to Siri and Google Now, and it is making its way to Windows 10.
Unfortunately, this will affect your notebook battery life. We have spoken with a few industry sources and we can definitely confirm that Windows 10 with enabled Cortana will have an impact on the battery life. We are testing this as we speak to check how big the impact is.
We don’t know how significant the battery life decrease will be, but the good thing is that you will be able to switch Cortana off in case you don’t need it. We heard that many new Toshiba notebooks will come with a dedicated Cortana button, as this is the easiest way to save battery life. Cortana on Toshiba won’t listen until you press the button.
It would be smart if Microsoft came up with a Cortana enable/disable keyboard shortcut. Win + Q will enable Cortana news while Win + S will bring you directly to the Cortana search engine.
Windows 10 seems to be a logical upgrade for anyone who has Windows 8.1 on their notebooks and misses the options from Windows 7 and some familiar UI elements. We use Windows 8.1 on some devices, while most of our computers still have Windows 7 and nothing more. Microsoft DirectX 12 will force us to Windows 10, but from what we can tell from the Preview release, the upgrade to Windows 10 from Windows 7 seems like quite a seamless and logical step.
Just be aware that your notebook battery life might suffer because of Cortana. Keep in mind that this “talk to your PC and expect a smart answer” option can be disabled.
Is Yahoo Growing?
July 9, 2015 by admin
Yahoo’s share gains since November from a partnership with Mozilla may be a clue about whether the search company can gain new users through the just-announced contract to change Internet Explorer’s and Chrome’s default search through installations of Oracle’s Java.
Although the news of the Yahoo-Oracle partnership got the lion’s share of attention, CEO Marissa Mayer also used last week’s shareholder meeting to mention the Mozilla pact.
The five-year contract with Mozilla, the maker of Firefox, has boosted Yahoo’s share of the U.S. search market, but growth has stalled for the last three months, according to measurement company comScore.
On Wednesday, Mayer asserted that the Mozilla deal — negotiated last fall — was “profitable,” but didn’t provide any numbers to back that up. Neither Yahoo nor Mozilla has disclosed how much the former paid to become Firefox’s default search engine in the U.S.
By comScore’s measurement, Yahoo accounted for 12.7% of all U.S. searches in May, the same share it controlled in both March and April. Although that was 2.5 percentage points higher than in November 2014 — before Firefox began urging users to accept Yahoo as the default — and represented a six-month increase of 25%, May’s share was down from the January peak of 13%.
From all indications, Yahoo has gotten as much out of the Firefox deal as it will likely get. The flip-side is that Yahoo has hung onto most of what it grabbed from Google — Firefox’s previous default — even as Google has tried to get users to return.
For May, comScore pegged Google’s share at 64.1%, down one-tenth of a percentage point from the month prior. Microsoft’s share rose that one-tenth of a point to end May at 20.3%. Because Bing powers Yahoo’s search results, Microsoft’s technology accounted for 31.4% of all U.S. searches, still less than half Google’s 65.2%.
Facebook To Require Stronger Digital Signature
Facebook will require application developers to adopt a more secure type of digital signature for their apps, which is used to verify a program’s legitimacy.
As of Oct. 1, apps will have to use SHA-2 certificate signatures rather than ones signed with SHA-1. Both are cryptographic algorithms that are used to create a hash of a digital certificate that can be mathematically verified.
Apps that use SHA-1 after October won’t work on Facebook anymore, wrote Adam Gross, a production engineer at the company, in a blog post.
“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard,” Gross wrote.
SHA-1 has been considered weak for about a decade. Researchers have shown it is possible to create a forged digital certificate that carries the same SHA-1 hash as a legitimate one.
The type of attack, called a hash collision, could trick a computer into thinking it is interacting with a legitimate digital certificate when it actually is a spoofed one with the same SHA-1 hash. Using such a certificate could allow an attacker to spy on the connection between a user and an application or website.
Microsoft, Google, Mozilla and other organizations have also moved away from SHA-1 and said they will warn users of websites that are using a connection that should not be trusted.
The Certificate and Browser Forum, which develops best practices for web security, has recommended in its Baseline Requirements that digital certificate issuers stop using SHA-1 as of Jan. 1.
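One way to run the check Gross recommends is to read the signature algorithm straight out of a certificate's DER bytes. The following is an added example, not Facebook's code: the function names are hypothetical, and the two sample certificates are constructed skeletons with placeholder contents, built only to exercise the parser.

```javascript
// Signature-algorithm OIDs by hash family (RSA and ECDSA variants).
const SHA1_OIDS = ['1.2.840.113549.1.1.5', '1.2.840.10045.4.1'];
const SHA2_OIDS = ['1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13',
  '1.2.840.10045.4.3.2', '1.2.840.10045.4.3.3', '1.2.840.10045.4.3.4'];

// Read one DER tag-length-value header at `pos` and return the bounds of its content.
function readTlv(buf, pos) {
  if (pos + 2 > buf.length) throw new Error('truncated DER');
  const tag = buf[pos];
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) {                      // long form: low 7 bits count the length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported DER length');
    len = buf.readUIntBE(start, n);
    start += n;
  }
  if (start + len > buf.length) throw new Error('truncated DER');
  return { tag, start, end: start + len };
}

// Decode an OBJECT IDENTIFIER body into dotted notation (base-128 arcs).
function decodeOid(bytes) {
  const first = Math.min(2, Math.floor(bytes[0] / 40));
  const arcs = [first, bytes[0] - 40 * first];
  let v = 0;
  for (const b of bytes.subarray(1)) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join('.');
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function certSignatureHash(der) {
  const cert = readTlv(der, 0);
  const tbs = readTlv(der, cert.start);
  const alg = readTlv(der, tbs.end);     // AlgorithmIdentifier SEQUENCE
  const oid = readTlv(der, alg.start);
  if (cert.tag !== 0x30 || alg.tag !== 0x30 || oid.tag !== 0x06) throw new Error('not a certificate');
  const dotted = decodeOid(der.subarray(oid.start, oid.end));
  const family = SHA1_OIDS.includes(dotted) ? 'SHA-1' : SHA2_OIDS.includes(dotted) ? 'SHA-2' : 'unknown';
  return { oid: dotted, family };
}

// Constructed samples: certificate-shaped DER with zero-filled TBS and signature fields.
function tlv(tag, content) {
  const n = content.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), content]);
}
function sampleCert(oidHex) {
  const alg = tlv(0x30, Buffer.concat([tlv(0x06, Buffer.from(oidHex, 'hex')), Buffer.from('0500', 'hex')]));
  return tlv(0x30, Buffer.concat([tlv(0x30, Buffer.alloc(300)), alg, tlv(0x03, Buffer.alloc(257))]));
}
const SHA1_CERT = sampleCert('2a864886f70d010105');
const SHA256_CERT = sampleCert('2a864886f70d01010b');
```

For a live connection in Node.js, the DER bytes are available as the `raw` field of the object returned by `getPeerCertificate()` on a TLS socket. Algorithms whose hash is carried in parameters rather than in the OID, such as RSASSA-PSS, come back as `unknown` and need a closer look.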