Apple Removes Data Spying Apps From Store
October 21, 2015 by admin
Filed under Consumer Electronics
Apple has removed several apps from its store that it said could pose a security risk by exposing a person’s Web traffic to untrusted sources.
The company recommended deleting the apps but did not name them, which may make it hard for people to know which apps put their data at risk.
The apps in question installed their own digital certificates on a person’s Apple mobile device. Doing so enables an app to terminate an encrypted connection between a device and a service and view the traffic, which is a potential security risk.
Most websites and many apps use SSL/TLS (Secure Sockets Layer/Transport Layer Security), a protocol that encrypts data traffic exchanged with a user. SSL/TLS is a cornerstone of Web security, ensuring that data traffic that is intercepted is unreadable.
It is possible in some cases to interfere with an encrypted connection. Many enterprises that want to analyze encrypted traffic for security reasons will use SSL proxies to terminate a session at the edge of their network and initiate a new one with their own digital certificate, allowing them to inspect traffic for malicious behavior.
In that scenario, employees would likely be more aware or expect that kind of monitoring. But people downloading something from the App Store probably would have no idea of the access granted to their sensitive data traffic.
Apple checks applications to ensure that malicious ones are not offered in its store. Those checks are in large part the reason why Apple has had fewer problems with malicious mobile applications in its store.
Installing digital certificates isn’t itself a malicious action per se, but Apple may be concerned that users are not fully aware of the consequences of allowing an app to do so.
Source: http://www.thegurureview.net/aroundnet-category/apple-removes-data-spying-apps-from-store.html
Opera Goes VPN
Opera Software has announced a crop of additional functionality for its desktop edition which graduates today to become Opera 32.
The Norwegian browser firm has a relatively small but very loyal market share of 1.27 percent. It has benefited in recent years from increased compatibility owing to a change to the open source Chromium base, making it the biggest Chromium browser apart from Chrome itself.
Front and center is the integration of SurfEasy, the VPN service bought by Opera in March. Customers can now run completely anonymous browsing sessions from within Opera 32.
Other browsers offer ‘anonymous browsing’, but this does not protect your browsing of robot sex doll sites from your ISP or your search engine. With a VPN you can be sure that whatever you get up to is secret.
Opera product manager Zhenis Beisekov said in the Opera Blog: “Your security online has always been our highest concern. We want to move it another step forward, because we believe that privacy online is a universal right.”
Other new features include the addition of password syncing between browsers, which joins the existing shared tabs, bookmarks and data.
Bookmarks get a new tree-view designed to make it easier to find stuff in your bookmarks, and maybe give them the tidy up they’ve needed all these years.
Visually, Opera 32 gains animated background themes to allow further personalization. A short snatch of video or a gif animation can become part of your browser, and you can even add one of your own to the Opera catalog, if you’re artistically inclined.
Opera recently announced a major update to its Mini browser for smaller devices, which offers a data compression option that maintains the integrity of the page content for the first time, making it ideal for roaming and low bandwidth areas.
Source: http://www.thegurureview.net/computing-category/opera-browser-introduces-vpn-for-everyone.html
Web.com Latest Hacking Victim
Hackers gained unauthorized access to the computers of Internet services provider Web.com Group and stole credit card information of 93,000 customers.
According to a website set up by the company to share information about the incident, Web.com discovered the security breach on Aug. 13 as part of its ongoing security monitoring.
Attackers compromised credit card information for around 93,000 accounts, as well as the names and addresses associated with them. No other customer information like social security numbers was affected, the company said.
According to the company, the verification codes for the exposed credit cards were not leaked. However, there are websites on the Internet that don’t require such codes for purchases.
Web.com has notified affected customers via email and will also follow up with letters sent through the U.S. Postal Service. Those users can sign up for a one-year free credit monitoring service.
The company did not specify how the intruders gained access to its systems, but has hired a “nationally recognized” IT security firm to conduct an investigation.
Web.com provides a variety of online services, including website and Facebook page design, e-commerce and marketing solutions, domain registration and Web hosting. The company claims to have over 3.3 million customers and owns two other well known Web services companies: Register.com and Network Solutions.
Register.com and Network Solutions customers were not impacted by this breach unless they also purchased services directly from Web.com.
Source: http://www.thegurureview.net/aroundnet-category/web-com-latest-victim-of-credit-card-hacking.html
Dropbox Beefs Up Security
August 25, 2015 by admin
Filed under Around The Net
Two-factor authentication is widely regarded as a best practice for security in the online world, but Dropbox has announced a new feature that’s designed to make it even more secure.
Whereas two-step verification most commonly involves the user’s phone for the second authentication method, Dropbox’s new U2F support adds a new means of authenticating the user via Universal 2nd Factor (U2F) security keys instead.
What that means is that users can now use a USB key as an additional means to prove who they are.
“This is a very good advancement and adds extra security over mobile notifications for two-factor authentication,” said Rich Mogull, Securosis CEO.
“Basically, you can’t trick a user into typing in credentials,” Mogull explained. “The attacker has to compromise the exact machine the user is on.”
For most users, phone-based, two-factor authentication is “totally fine,” he said. “But this is a better option in high-security environments and is a good example of where the FIDO standard is headed.”
Security keys provide stronger defense against credential-theft attacks like phishing, Dropbox said.
“Even if you’re using two-step verification with your phone, some sophisticated attackers can still use fake Dropbox websites to lure you into entering your password and verification code,” the company explained in a blog post. “They can then use this information to access your account.”
Security keys, on the other hand, use cryptographic communication and will only work when the user is signing in to the legitimate Dropbox website.
Dropbox users who want to use the new feature will need a security key that follows the FIDO Alliance’s Universal 2nd Factor (U2F) standard. That U2F key can then be set up with the user’s Dropbox account along with any other U2F-enabled services, such as Google.
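The origin binding described above can be seen in a small model of a U2F sign-in. This is an added example, not code from Dropbox or the FIDO Alliance; the class and function names and the lookalike origin `https://dropbox-login.example` are hypothetical, and the message layout is a simplified form of the U2F authentication message.

```javascript
// Added illustration: toy model of U2F sign-in, not Dropbox's or the FIDO Alliance's code.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Bytes the key signs: SHA-256(origin) || user-presence flag || counter || SHA-256(clientData).
const signedBytes = (origin, counter, clientData) =>
  Buffer.concat([sha256(origin), Buffer.from([1]), counter, sha256(clientData)]);

class SecurityKey {
  constructor() { this.handles = new Map(); this.count = 0; }
  register(origin) {
    // One P-256 key pair per registration, remembered together with its origin hash.
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const keyHandle = crypto.randomBytes(16).toString('hex');
    this.handles.set(keyHandle, { originHash: sha256(origin), privateKey });
    return { keyHandle, publicKey };
  }
  // `origin` is reported by the browser, so a page cannot claim to be another site.
  sign(keyHandle, origin, challenge) {
    const entry = this.handles.get(keyHandle);
    if (!entry || !entry.originHash.equals(sha256(origin))) return null; // handle bound elsewhere
    const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin });
    const counter = Buffer.alloc(4); counter.writeUInt32BE(++this.count);
    const signature = crypto.sign('sha256', signedBytes(origin, counter, clientData), entry.privateKey);
    return { clientData, counter, signature };
  }
}

// Server side: rebuild the signed bytes from the server's OWN origin and challenge.
function verifyAssertion(origin, challenge, publicKey, assertion) {
  if (!assertion) return false;
  const seen = JSON.parse(assertion.clientData);
  if (seen.origin !== origin || seen.challenge !== challenge) return false;
  const data = signedBytes(origin, assertion.counter, assertion.clientData);
  return crypto.verify('sha256', data, publicKey, assertion.signature);
}

function demo() {
  const REAL = 'https://www.dropbox.com', FAKE = 'https://dropbox-login.example'; // FAKE is hypothetical
  const key = new SecurityKey();
  const { keyHandle, publicKey } = key.register(REAL);
  const challenge = crypto.randomBytes(16).toString('hex');
  const lookalike = key.register(FAKE); // second registration of the same key, for the lookalike origin
  return {
    genuine: verifyAssertion(REAL, challenge, publicKey, key.sign(keyHandle, REAL, challenge)),
    // The fake page relays the real challenge and key handle; the key refuses the origin.
    relayedHandle: verifyAssertion(REAL, challenge, publicKey, key.sign(keyHandle, FAKE, challenge)),
    // A signature made for the fake origin carries that origin and a different key.
    fakeOrigin: verifyAssertion(REAL, challenge, publicKey, key.sign(lookalike.keyHandle, FAKE, challenge)),
  };
}
```

Only the sign-in performed on the genuine origin verifies. A typed verification code has no such binding, which is the difference the Dropbox blog post describes.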
Darkode Hacking Forum Shut Down
Law enforcement agencies from 20 countries collaborated to cripple a major computer hacking forum, and U.S. officials filed criminal charges against a dozen people associated with the website, the U.S. Department of Justice announced.
Darkode.com is displaying a message saying the site and domain had been seized by the FBI and other law enforcement agencies.
Darkode, a password-protected online forum for criminal hackers, represented one of the gravest threats to the integrity of data on computers across the world, according to David Hickton, U.S. attorney for the Western District of Pennsylvania. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”
Five of the defendants face charges in Hickton’s district.
Darkode allowed hackers and other cybercriminals to sell, trade and share information and tools related to illegal computer hacking, the law enforcement agencies alleged.
Before becoming a member of Darkode, prospective participants were allegedly vetted through a process that included an invitation by a member, the DOJ said in a press release. The prospective member then pitched the skill or products he or she could bring to the forum.
Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware, the DOJ said.
The takedown of the forum and the charges announced Wednesday came after the FBI’s infiltration of Darkode’s membership.
Oculus Buys Pebbles
July 27, 2015 by admin
Filed under Around The Net
Facebook’s Oculus unit announced that it has agreed to acquire Israeli gesture recognition technology developer Pebbles Interfaces for an undisclosed amount.
The announcement was made in a blog posted by Oculus.
Israel’s Calcalist financial news website said the deal was worth tens of millions of dollars.
While other companies pioneering the virtual reality field focus on full-body movement, Pebbles’ technology detects and tracks hand movement. It is aimed primarily at gamers but also has applications for TV, computers, or smartphone operation while driving.
Recently Pebbles integrated its technology with Oculus glasses, which translate finger gestures into virtual movement through a camera mounted on the glass frame, Calcalist said.
Investors in Pebbles include Chinese mobile phone maker Xiaomi, Israeli venture capital fund Giza and U.S. storage firm SanDisk, Calcalist said.
Is Yahoo Growing?
July 9, 2015 by admin
Filed under Around The Net
Yahoo’s share gains since November from a partnership with Mozilla may be a clue about whether the search company can gain new users through the just-announced contract to change Internet Explorer’s and Chrome’s default search through installations of Oracle’s Java.
Although the news of the Yahoo-Oracle partnership got the lion’s share of attention, CEO Marissa Mayer also used last week’s shareholder meeting to mention the Mozilla pact.
The five-year contract with Mozilla, the maker of Firefox, has boosted Yahoo’s share of the U.S. search market, but growth has stalled for the last three months, according to measurement company comScore.
On Wednesday, Mayer asserted that the Mozilla deal — negotiated last fall — was “profitable,” but didn’t provide any numbers to back that up. Neither Yahoo nor Mozilla has disclosed how much the former paid to become Firefox’s default search engine in the U.S.
By comScore’s measurement, Yahoo accounted for 12.7% of all U.S. searches in May, the same share it controlled in both March and April. Although that was 2.5 percentage points higher than in November 2014 — before Firefox began urging users to accept Yahoo as the default — and represented a six-month increase of 25%, May’s share was down from the January peak of 13%.
From all indications, Yahoo has gotten as much out of the Firefox deal as it will likely get. The flip-side is that Yahoo has hung onto most of what it grabbed from Google — Firefox’s previous default — even as Google has tried to get users to return.
For May, comScore pegged Google’s share at 64.1%, down one-tenth of a percentage point from the month prior. Microsoft’s share rose that one-tenth of a point to end May at 20.3%. Because Bing powers Yahoo’s search results, Microsoft’s technology accounted for 31.4% of all U.S. searches, still less than half Google’s 65.2%.
Facebook To Require Stronger Digital Signature
Facebook will require application developers to adopt a more secure type of digital signature for their apps, which is used to verify a program’s legitimacy.
As of Oct. 1, apps will have to use SHA-2 certificate signatures rather than ones signed with SHA-1. Both are cryptographic algorithms that are used to create a hash of a digital certificate that can be mathematically verified.
Apps that use SHA-1 after October won’t work on Facebook anymore, wrote Adam Gross, a production engineer at the company, in a blog post.
“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard,” Gross wrote.
SHA-1 has been considered weak for about a decade. Researchers have shown it is possible to create a forged digital certificate that carries the same SHA-1 hash as a legitimate one.
The type of attack, called a hash collision, could trick a computer into thinking it is interacting with a legitimate digital certificate when it actually is a spoofed one with the same SHA-1 hash. Using such a certificate could allow an attacker to spy on the connection between a user and an application or website.
Microsoft, Google, Mozilla and other organizations have also moved away from SHA-1 and said they will warn users of websites that are using a connection that should not be trusted.
The Certificate and Browser Forum, which develops best practices for web security, has recommended in its Baseline Requirements that digital certificate issuers stop using SHA-1 as of Jan. 1.
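One way to check which hash a certificate's signature uses is to read the signatureAlgorithm field straight out of its DER encoding. This is an added example, not Facebook's code; the function names are hypothetical, the two sample inputs are constructed skeletons rather than real certificates, and the code only reads the field without validating the certificate.

```javascript
// Added example, not Facebook's code: report which hash a certificate's signature uses.
// Standard signature-algorithm OIDs (PKCS #1 and ANSI X9.62); `weak` marks SHA-1.
const SIG_ALGS = {
  '1.2.840.113549.1.1.5': { name: 'sha1WithRSAEncryption', weak: true },
  '1.2.840.10045.4.1': { name: 'ecdsa-with-SHA1', weak: true },
  '1.2.840.113549.1.1.11': { name: 'sha256WithRSAEncryption', weak: false },
  '1.2.840.10045.4.3.2': { name: 'ecdsa-with-SHA256', weak: false },
};

// Read one DER tag-length-value element starting at `off`.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated DER');
  const tag = buf[off];
  let len = buf[off + 1], pos = off + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f; len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
  }
  if (!(pos + len <= buf.length)) throw new Error('truncated DER');
  return { tag, value: buf.subarray(pos, pos + len), next: pos + len };
}

// Decode a DER-encoded OBJECT IDENTIFIER into dotted notation.
function decodeOid(bytes) {
  const arcs = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let arc = 0;
  for (const b of bytes.subarray(1)) {
    arc = arc * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(arc); arc = 0; }
  }
  return arcs.join('.');
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function signatureAlgorithm(cert) {
  const der = Buffer.isBuffer(cert) ? cert // raw DER, or PEM text with its armor removed
    : Buffer.from(cert.replace(/-----[^-]+-----|\s+/g, ''), 'base64');
  const outer = readTlv(der, 0);
  const tbs = readTlv(outer.value, 0);
  const alg = readTlv(outer.value, tbs.next);
  const oid = readTlv(alg.value, 0);
  if (outer.tag !== 0x30 || alg.tag !== 0x30 || oid.tag !== 0x06) throw new Error('not a certificate');
  const dotted = decodeOid(oid.value);
  return { oid: dotted, ...(SIG_ALGS[dotted] || { name: 'unknown', weak: null }) };
}

// Constructed DER skeletons (empty tbsCertificate, dummy signature), not real certificates.
const SAMPLE_SHA1 = Buffer.from('30153000300d06092a864886f70d010105050003020000', 'hex');
const SAMPLE_SHA256 = Buffer.from('30153000300d06092a864886f70d01010b050003020000', 'hex');
```

`signatureAlgorithm` also accepts a PEM string, so it can be pointed at each certificate in a server's chain.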
nVidia Fixes Linux Bug
Nvidia has fixed an ancient problem in Ubuntu systems which turned the screen into 40 shades of black.
The problem has been around for years and is common for anyone using Nvidia gear on Ubuntu systems.
When opening the window of a new application, the screen would go black or become transparent. As it turns out, this is actually an old problem and there are bug reports dating back to the Ubuntu 12.10 era.
However, to be fair, it was not Nvidia’s fault. The problem was caused by Compiz, which had some leftover code from a port. Nvidia found it and proposed a fix.
“Our interpretation of the specification is that creating two GLX pixmaps pointing at the same drawable is not allowed, because it can lead to poorly defined behavior if the properties of both GLX drawables don’t match. Our driver prevents this, but Compiz appears to try to do this,” wrote NVIDIA’s Arthur Huillet.
Soon after that, a patch was issued for Compiz and approved. The patch will be pushed in Ubuntu 15.04 and is likely to be backported to Ubuntu 14.04 LTS.
RHEL Finally Available On IBM’s Power8
IBM has made the Power8 version of the latest Red Hat Enterprise Linux (RHEL) beta available through its Power Development Platform (PDP) as the firm continues to build support for its Power systems.
IBM and Red Hat announced in December that RHEL 7.1 was adding support for the Power8 processor in little endian instruction format, as the beta release was made available for testers to download.
This version is available for developers and testers to download from today through the IBM PDP and at IBM Innovation Centres and Client Centres worldwide, IBM announced on its Smarter Computing blog.
“IBM and Red Hat’s collaboration to produce open source innovation demonstrates our commitment to developing solutions that efficiently solve IT challenges while empowering our clients to make their data centres as simple as possible so they can focus on core business functions and future opportunities,” said Doug Balog, general manager for Power Systems at IBM’s Systems & Technology Group.
The little endian support is significant because IBM’s Power architecture processors are capable of supporting little endian and big endian instruction formats. These simply reflect the order in which bytes are stored in memory.
The Power platform has long had Linux distributions and applications that operate in big endian mode, but the much larger Linux ecosystem for x86 systems uses little endian mode, and supporting this in Red Hat makes it much easier to port applications from x86 to Power.
Suse Linux Enterprise Server 12 launched last year with little endian support for the Power8 processor, as did Canonical’s Ubuntu 14.04 LTS.
However, Red Hat and Suse are understood to be continuing to support their existing big endian releases on Power for their full product lifecycles.
IBM sold off its x86 server business to Lenovo last year, and has focused instead on the higher value Power Systems and z Systems mainframes.
In particular, the firm has touted the Power Systems as more suitable for mission critical workloads in scale-out environments like the cloud than x86 servers, and has been forging partnerships with firms such as Red Hat through its OpenPower Foundation.