Banks Join Instant Chat
October 16, 2013 by admin
Filed under Around The Net
Goldman Sachs Group Inc, JPMorgan Chase & Co and six other financial institutions have agreed to join a new instant messaging network from Markit and Thomson Reuters Corp to connect disparate messaging systems.
The network, called Markit Collaboration Services, launched on Monday and allows members to chat with one another regardless of the proprietary messaging technology that each firm uses.
This open platform differs from Bloomberg LP’s messaging system, which is a closed network available only to users of Bloomberg terminals.
Bloomberg messaging is the most popular form of chat on Wall Street, and often cited as one of the reasons banks are willing to pay around $20,000 a year for a subscription to a Bloomberg terminal.
Markit and Thomson Reuters said they hoped their open messaging network will attract banks that want to chat with their clients or other financial institutions but cannot currently do so because they are on different messaging systems.
The other banks that have joined the new network are Deutsche Bank, Bank of America Merrill Lynch, Barclays, Citigroup, Credit Suisse and Morgan Stanley, according to a statement from Markit.
The banks collectively employ more than 1 million people worldwide, though it was not immediately clear how many individuals will use the new Markit service.
David Craig, president of Thomson Reuters’ Financial & Risk division, said one of the challenges facing banks is that their messaging systems do not always talk to one another. “That creates costs and complexity,” he said.
Markit and Thomson Reuters said the messages on the new network are encrypted, and the system does not store them.
Representatives from Bank of America, Deutsche Bank, Goldman Sachs and Morgan Stanley were not immediately available to comment on the new messaging system. Representatives from Barclays, Citi, Credit Suisse and JPMorgan also declined to comment.
Some Hackers Going To Jail
Thirteen people have been indicted, accused of being members of the Anonymous hacktivist group and allegedly involved in Operation Payback.
Operation Payback was the retaliation that Anonymous put in motion against payment firms after those firms blocked donations to WikiLeaks.
The 13 are accused of taking part in a series of distributed denial of service (DDoS) attacks, and the US Department of Justice filed a federal grand jury indictment in US District Court in Alexandria, Virginia. The indictment charges them with conspiracy to intentionally cause damage to protected computers.
Anonymous is a loosely linked digital rights collective. In its early days it pulled together volunteers from all walks of life.
Operation Payback struck a number of organisations including Mastercard, Visa, Paypal and the Motion Picture Association of America. The attacks lasted between September 2010 and January 2011. As well as retaliating against payment providers, part of Operation Payback was aimed at parties thought to be involved in a campaign against The Pirate Bay.
Agence France Presse (AFP) has seen the indictment and named those indicted in it. They are Dennis Owen Collins, Jeremy Leroy Heller, Chen Zhiwei, Joshua Phy, Ryan Russel Gubele, Robert Audubon Whitfield, Anthony Tadros, Geoffrey Kenneth Commander, Austen Stamm, Timothy Robert McLain, Wade Carl Williams and Thomas Bell.
According to AFP the 13 alleged Anonymous members “planned and executed a coordinated series of cyber-attacks against victim websites by flooding those websites with a huge volume of irrelevant internet traffic with the intent to make the resources on the websites unavailable to customers and users of those websites.”
In short, they are accused of having conducted a digital sit-in protest.
Apple Hacked
October 2, 2013 by admin
Filed under Smartphones
A group of German hackers claimed to have successfully breached the iPhone fingerprint scanner on Sunday, just two days after Apple Inc debuted the technology that it promises will better protect devices from criminals and snoopers seeking access.
If the claim is verified, it will be embarrassing for Apple which is betting on the scanner to set its smartphone apart from new models of Samsung Electronics Co Ltd and others running the Android operating system of Google Inc.
Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computer Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work.
One of them, Charlie Miller, co-author of the iOS Hacker’s Handbook, described the work as “a complete break” of Touch ID security. “It certainly opens up a new possibility for attackers.”
Apple representatives did not respond to requests for comment.
CCC, one of the world’s largest and most respected hacking groups, posted a video on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone.
The group said they targeted Touch ID to knock down reports about its “marvels,” which suggested it would be difficult to crack.
“Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” a hacker named Starbug was quoted as saying on the CCC’s site.
The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a “fake finger.”
CCC said similar processes have been used to crack “the vast majority” of fingerprint sensors on the market.
“I think it’s legit,” said Dino Dai Zovi, another co-author of the iOS Hacker’s Handbook. “The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.”
Touch ID, which was only introduced on the top-of-the-line iPhone 5S, lets users unlock their devices or make purchases on iTunes by simply pressing their finger on the home button. It uses a sapphire crystal sensor embedded in the button.
Data used for verification is encrypted and stored in a secure enclave of the phone’s A7 processor chip.
Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.
“We are simply awaiting a full video documentation and walk through of the process that they have claimed,” said mobile security researcher Nick DePetrillo, who started the contest with another security expert, Robert Graham. “When they deliver that video we will review it.”
The two of them each put up $100 toward a prize for the contest winner, then set up a website inviting others to contribute. While the booty now includes more than $13,000 in cash, it was not clear that the CCC would receive the full payout, even if DePetrillo and Graham declared them winners.
HP To Support The iPad
September 30, 2013 by admin
Filed under Consumer Electronics
Is your iPad out of warranty? Hewlett-Packard to the rescue.
HP updated its SmartFriend support service and will now troubleshoot problems with Windows, Android, Chrome OS, OS X and iOS products, according to a fact sheet describing the service.
“HP is expanding its HP SmartFriend service to provide 1:1 expert support for any brand of PC or tablet,” the company said. The plan previously supported PCs from HP and other vendors, as well as Macs.
Users can use the service to address general hardware, software and malware issues. HP says its agents can “remove viruses, improve PC performance, solve software errors, and connect devices to a wireless network with enhanced security.” The support is provided by phone or over the Internet, so don’t expect a technician to trot in and fix your iPad in person. But HP notes it can save you from driving to a store.
Unlike Best Buy’s Geek Squad service, HP’s service does not include hardware repairs. It can be tricky to change the battery or storage in tablets, so for iPads, the Genius Bars at Apple Stores may still be the best option for some repairs.
HP didn’t immediately comment on exactly what support it will provide for the iPad. HP printers offer wireless printing from iPads and iPhones. HP sells primarily Windows PCs and Android tablets, though last Thursday it announced the Pavilion 14 laptop with Google’s Chrome OS.
While SmartFriend includes support for iOS devices, the service seems focused mainly on Windows products. Its technicians include “Microsoft Application Trainers, Microsoft Product Specialists, A+/MCP/MCSE Certified Professionals, Network Administrators and HTML Developers,” according to the fact sheet.
The service starts at US$9.99 per month and users can sign up for a pre-paid, monthly or yearly support plan. A “Complete Plan” supports two devices, while a “Family Plan” supports up to four devices.
Does The Cloud Need To Standardize?
Frank Baitman, the CIO of the U.S. Department of Health and Human Services (HHS), was at the Amazon Web Services conference praising the company’s services. Baitman’s lecture was on the verge of becoming a long infomercial, when he stepped back and changed direction.
Baitman has reason to speak well of Amazon. As the big government system integrators slept, Amazon rushed in with its cloud model and began selling its services to federal agencies. HHS and Amazon worked together in a real sense.
The agency helped Amazon obtain an all-important security authorization best known by its acronym, FedRAMP, as HHS moved its health data to Amazon’s cloud. Amazon was the first large cloud vendor to obtain this authorization.
“[Amazon] gives us the scalability that we need for health data,” said Baitman.
But then he said that while it would “make things simpler and nicer” to work with Amazon, since they did the groundwork to get Amazon federal authorizations, “we also believe that there are different reasons to go with different vendors.”
Baitman said that HHS will be working with other vendors as it has with Amazon.
“We recognize different solutions are needed for different problems,” said Baitman. “Ultimately we would love to have a competitive environment that brings best value to the taxpayer and keeps vendors innovating.”
To accomplish this, HHS plans to implement a cloud broker model, an intermediary process that can help government entities identify the best cloud approach for a particular workload. That means being able to compare different price points, terms of service and service-level agreements.
To make comparisons possible, Baitman said the vendors will have to “standardize in those areas that we evaluate cloud on.”
The Amazon conference had about 2,500 registered to attend, and judging from the size of the crowd it certainly appeared to have that many at the Washington Convention Center. It was a leap in attendance. In 2012, attendance at Amazon’s government conference was about 900; in 2011, 300 attended; and in 2010, just 50, Teresa Carlson, vice president of worldwide public sector at Amazon, said in an interview.
Cyber Attacks Increasing In Middle East
Syria’s civil war and political strife in Egypt have given birth to new battlegrounds on the Web and driven a surge in cyber attacks in the Middle East, according to a leading Internet security company.
More than half of incidents in the Gulf this year were so-called “hacktivist” attacks – which account for only a quarter of cybercrime globally – as politically motivated programmers sabotaged opposing groups or institutions, executives from Intel Corp’s software security division McAfee said on Tuesday.
“It’s mostly bringing down websites and defacing them with political messages – there has been a huge increase in cyber attacks in the Middle East,” Christiaan Beek, McAfee director for incident response forensics in Europe, Middle East and Africa (EMEA), told Reuters.
He attributed the attacks to the conflict in Syria, political turmoil in Egypt and the activities of hacking collective Anonymous.
“It’s difficult for people to protest in the street in the Middle East and so defacing websites and denial of service (DOS) attacks are a way to protest instead,” said Beek.
DoS attacks flood an organization’s website with traffic until it crashes or becomes unreachable, but they usually do little lasting damage.
The Syrian Electronic Army (SEA), a hacking group loyal to the government of President Bashar al-Assad, defaced an Internet recruiting site for the U.S. Marine Corps on Monday and recently targeted the New York Times website and Twitter, as well as other websites within the Middle East.
Beek described SEA as similar to Anonymous.
“There’s a group leading operations, with a support group of other people that can help,” said Beek.
McAfee opened a centre in Dubai on Monday to deal with the rising threat of Internet sabotage in the region, the most serious of which are attacks to extract proprietary information from companies or governments or those that cause lasting damage to critical infrastructure.
Cyber attacks are mostly focused on Saudi Arabia, the world’s largest oil exporter, Qatar, the top liquefied natural gas supplier, and Dubai, which is the region’s financial, commercial and aviation hub, said Gert-Jan Schenk, McAfee president for EMEA.
“It’s where the wealth and critical infrastructure is concentrated,” he said.
The “Shamoon” virus last year targeted Saudi Aramco, the world’s largest oil company, damaging about 30,000 computers in what may have been the most destructive attack against the private sector.
“Ten years ago, it was all about trying to infect as many people as possible,” added Schenk. “Today we see more and more attacks being focused on very small groups of people. Sometimes malware is developed for a specific department in a specific company.”
HTC Exec Leaks Trade Secrets
September 12, 2013 by admin
Filed under Around The Net
Three HTC Corp design executives were arrested on suspicion of illegally sharing trade secrets, sending the Taiwanese smartphone maker’s shares tumbling as its troubles deepened amid a wave of senior staff departures and disappointing sales.
Taipei prosecutors confirmed that HTC vice president of product design Thomas Chien, research and development director Wu Chien-Hung and senior manager of design and innovation Justin Huang were arrested on Friday.
Chien and Chien-Hung remain in custody, while Huang was released on bail, prosecutors office spokesman Mou Hsin Huang said.
The executives were also accused of making false commission fee claims totaling around T$10 million ($334,200). No further details about the allegations were immediately available.
The arrests came in response to a complaint filed by HTC last month accusing the executives of leaking trade secrets.
HTC declined to comment except to say the investigation had no impact on its operations. Chien and Chien-Hung could not be reached and Huang was not immediately available to comment.
Media reports citing the police said the executives were planning to use stolen new interface technology to set up a new mobile design company aiming at Chinese vendors.
Rocked by internal feuding and executive exits, and positioned at the high end of a smartphone market that is close to saturation, HTC has seen its market share slump to below 5 percent from around a quarter five years ago.
Developers Hack Dropbox
Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.
“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.
Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.
“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”
The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.
The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And, once someone has de-compiled its source code, how “it is possible to study how Dropbox works in detail.
“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.
The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products as well, they said.
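The monkey-patching technique the paper describes comes down to replacing the send/receive methods of the TLS socket class inside the running process, so that plaintext is seen before it is encrypted and after it is decrypted. The block below is an added example, not code from the paper or from Dropbox: it installs such hooks on any class that exposes `send`, `sendall` and `recv` (the stdlib `ssl.SSLSocket` has exactly those names), and demonstrates them on a constructed stand-in socket so it runs offline. The request and response bytes are made up for the demonstration.

```python
"""Intercept plaintext at the TLS boundary by monkey-patching socket methods.

Added example. Works on any class with send/sendall/recv, including
ssl.SSLSocket; the hooks run inside the client process, so they need
the same foothold on the machine that Dropbox's statement refers to.
"""
import functools
import ssl


def install_hooks(cls, sink):
    """Wrap cls.send/sendall/recv so plaintext passes through sink(direction, data).

    Returns a zero-argument function that restores the original methods.
    """
    originals = {}

    for name in ("send", "sendall"):
        orig = getattr(cls, name, None)
        if orig is None:
            continue
        originals[name] = orig

        def make_send_hook(orig=orig):
            @functools.wraps(orig)
            def hooked(self, data, *args, **kwargs):
                sink("send", bytes(data))          # plaintext, before encryption
                return orig(self, data, *args, **kwargs)
            return hooked

        setattr(cls, name, make_send_hook())

    orig_recv = getattr(cls, "recv", None)
    if orig_recv is not None:
        originals["recv"] = orig_recv

        @functools.wraps(orig_recv)
        def hooked_recv(self, *args, **kwargs):
            data = orig_recv(self, *args, **kwargs)
            sink("recv", bytes(data))              # plaintext, after decryption
            return data

        cls.recv = hooked_recv

    def restore():
        for name, orig in originals.items():
            setattr(cls, name, orig)

    return restore


def hook_stdlib_ssl(sink):
    """Patch the real ssl.SSLSocket; every TLS socket created afterwards is logged."""
    return install_hooks(ssl.SSLSocket, sink)


class FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket with the same method names."""

    def __init__(self, inbound):
        self._inbound = bytearray(inbound)
        self.sent = bytearray()

    def send(self, data, flags=0):
        self.sent += data
        return len(data)

    def sendall(self, data, flags=0):
        self.sent += data

    def recv(self, bufsize=4096, flags=0):
        chunk = bytes(self._inbound[:bufsize])
        del self._inbound[:bufsize]
        return chunk


REQUEST = b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n\r\nuser=alice&pw=hunter2"
RESPONSE = b'HTTP/1.1 200 OK\r\n\r\n{"ok":true}'


def demo():
    """Hook the stand-in class, run one exchange, unhook, return what was captured."""
    captured = []
    restore = install_hooks(FakeTLSSocket, lambda direction, data: captured.append((direction, data)))
    try:
        sock = FakeTLSSocket(RESPONSE)
        sock.sendall(REQUEST)
        sock.recv(4096)
    finally:
        restore()
    return captured


if __name__ == "__main__":
    for direction, data in demo():
        print(direction, data)
```

Because the patch replaces attributes on the class, it also catches sockets created later by `ssl.SSLContext.wrap_socket`, which is why injecting this into a process is enough to read traffic the application believes is protected. Certificate pinning does not help here: the data is taken on the application side of the TLS layer.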
The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”
Is The Tesla Hackable?
It’s the curse of the connected car: once it’s linked to the Internet, it’s, well, on the Internet. In the case of the Tesla Model S, this means that mischievous hackers could, in theory, control some functions of the vehicle and even snoop without the owner’s knowledge.
Tesla offers Android and iPhone apps for Model S owners, which can be used to check the vehicle’s battery, track its location and status, and tweak several other settings, like climate control and the sunroof. It can also be used to unlock the doors on the Model S.
Dell senior engineer George Reese says the REST API used by Tesla to provide access for Android and iPhone apps has several fairly serious security flaws, which could offer a way in for unscrupulous hackers.
According to an article written by Reese for O’Reilly, Tesla appears to have broken from accepted best practice when designing the API for the Model S.
“It’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs–Twitter uses it), this scenario is one that screams for its use,” he wrote.
However, Reese notes, this is merely a potential attack vector, not one that could be immediately exploited. That said, a compromised website, particularly one designed to provide “value-added services” to Tesla drivers via the API, could prove highly damaging.
“I can … honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese wrote.
Automotive hacking has been posited by experts for some time, and several presentations at this year’s Defcon detailed fairly comprehensive methods of compromising some models.
Java 6 Security Hole Found
Security firms are urging users of Oracle’s Java 6 software to upgrade to Java 7 as soon as possible to avoid becoming the victims of active cyber attacks.
F-Secure senior analyst Timo Hirvonen warned about the exploit this weekend over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463.
PoC for CVE-2013-2463 was released last week, now it’s exploited in the wild. No patch for JRE6… Uninstall or upgrade to JRE7 update 25.
— Timo Hirvonen (@TimoHirvonen) August 26, 2013
CVE-2013-2463 was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 has the same vulnerability, as Oracle acknowledged in the update, but since Java 6 became unsupported in April 2013, there is no patch for the Java 6 vulnerability.
Cloud security provider Qualys described the bug as an “implicit zero-day vulnerability”. The firm’s CTO Wolfgang Kandek said he had seen it included in the spreading Neutrino exploit kit threat, which “guarantees that it will find widespread adoption”.
“We know about its existence, but do not have a patch at hand,” Kandek said in a blog post. “This happens each time a software package loses support and we track these instances in Qualysguard with our ‘EOL/Obsolete’ detections, in this case.
“In addition, we still see very high rates of Java 6 installed, a bit over 50 percent, which means many organisations are vulnerable.”
Like F-Secure, Kandek recommended that any users with Java 6 upgrade to Java 7 as soon as they can.
“Without doubt, organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their vendors if an upgrade path exists,” he added.