Sign up for our Technology Newsletter 
Tech Firms Form OTrP To Support IoT Security
Comments Off on Tech Firms Form OTrP To Support IoT Security
A bunch of tech firms including ARM and Symantec have joined forces to create a security protocol designed to protect Internet of Things (IoT) devices.
The group, which also includes Intercede and Solacia, has created The Open Trust Protocol (OTrP) that is now available for download for prototyping and testing from the IETF website.
The OTrP is designed to bring system-level root trust to devices, using secure architecture and trusted code management, akin to how apps on smartphones and tablets that contain sensitive information are kept separate from the main OS.
This will allow IoT manufacturers to incorporate the technology into devices, ensuring that they are protected without having to give full access to a device OS.
Marc Canel, vice president of security systems at ARM, explained that the OTrP will put security and trust at the core of the IoT.
“In an internet-connected world it is imperative to establish trust between all devices and service providers,” he said.
“Operators need to trust devices their systems interact with and OTrP achieves this in a simple way. It brings e-commerce trust architectures together with a high-level protocol that can be easily integrated with any existing platform.”
Brian Witten, senior director of IoT security at Symantec, echoed this sentiment. “The IoT and smart mobile technologies are moving into a range of diverse applications and it is important to create an open protocol to ease and accelerate adoption of hardware-backed security that is designed to protect onboard encryption keys,” he said.
The next stage is for the OTrP to be further developed by a standards-defining organisation after feedback from the wider technology community, so that it can become a fully interoperable standard suitable for mass adoption.
Courtesy-TheInq
Does AVG Respect Your Privacy?
AVG has been answering questions about its new privacy policy after accusations that the firm is about to sell its users down the river.
A Reddit discussion has heard from furious users who spotted that the simplified policy effectively gives the company permission to sell its mailing lists to third parties for fun and profit.
AVG stated under ‘Do You Share My Data?’ in the Q&A about the new policy, which is automatically enforced on 15 October: “Yes, though when and how we share it depends on whether it is personal data or non-personal data. AVG may share non-personal data with third parties and may publicly display aggregate or anonymous information.”
AVG has hit back at the criticism in a blog post today, by which we mean confirmed that its stance is correct, explaining: “Usage data allows [AVG] to customize the experience for customers and share data with third parties that allow them to improve or develop new products.
“Knowing that 10 million users like a certain TV program gives broadcasters the data to get producers to make more of that type of program.
“This is also how taxi firms know how to distribute their fleets, and how advertisers know where to place banners and billboards, for example. Even at AVG, we have published non-personal information that we have collected regarding app performance.”
But AVG added in big, bold type: “We do not, and will not, sell personally identifiable data to anyone, including advertisers.”
This will placate some, but others fear that the lack of choice over this matter, which requires an active decision to opt out, is too clandestine. As ever, there are threats to move to everything from Linux Mint to the Commodore 64, some more serious than others.
Several Redditors have likened it to similar warnings in Windows 10′s Insider Programme which essentially say: ‘we can track you … but we won’t, unless we do.’
Courtesy-TheInq
Is Yahoo Growing?
July 9, 2015 by admin
Filed under Around The Net
Comments Off on Is Yahoo Growing?
Yahoo’s share gains since November from a partnership with Mozilla may be a clue about whether the search company can gain new users through the just-announced contract to change Internet Explorer’s and Chrome’s default search through installations of Oracle’s Java.
Although the news of the Yahoo-Oracle partnership got the lion’s share of attention, CEO Marissa Mayer also used last week’s shareholder meeting to mention the Mozilla pact.
The five-year contract with Mozilla, the maker of Firefox, has boosted Yahoo’s share of the U.S. search market, but growth has stalled for the last three months, according to measurement company comScore.
On Wednesday, Mayer asserted that the Mozilla deal — negotiated last fall — was “profitable,” but didn’t provide any numbers to back that up. Neither Yahoo nor Mozilla has disclosed how much the former paid to become Firefox’s default search engine in the U.S.
By comScore’s measurement, Yahoo accounted for 12.7% of all U.S. searches in May, the same share it controlled in both March and April. Although that was 2.5 percentage points higher than in November 2014 — before Firefox began urging users to accept Yahoo as the default — and represented a six-month increase of 25%, May’s share was down from the January peak of 13%.
From all indications, Yahoo has gotten as much out of the Firefox deal as it will likely get. The flip-side is that Yahoo has hung onto most of what it grabbed from Google — Firefox’s previous default — even as Google has tried to get users to return.
For May, comScore pegged Google’s share at 64.1%, down one-tenth of a percentage point from the month prior. Microsoft’s share rose that one-tenth of a point to end May at 20.3%. Because Bing powers Yahoo’s search results, Microsoft’s technology accounted for 31.4% of all U.S. searches, still less than half Google’s 65.2%.
Criminals Remotely Erasing Smartphone Data
Comments Off on Criminals Remotely Erasing Smartphone Data
Smartphones taken as evidence by police in the UK are being wiped remotely by crooks in order to remove potentially incriminating data, an investigation has uncovered.
Dorset police told the BBC that six devices were wiped within the space of a year while they were being kept in police custody, and Cambridgeshire, Derbyshire, Nottingham and Durham police also confirmed similar incidents.
The technology being used was originally designed to allow device owners to remove sensitive data from phones or tablets if they are lost or stolen.
“We have cases where phones get seized, and they are not necessarily taken from an arrested person, but we don’t know the details of these cases as there is not a reason to keep records of this,” a spokeswoman for Dorset police told the BBC.
A spokeswoman for Derbyshire police also confirmed one incident of a device being remotely wiped while in police custody.
“We can’t share many details about it, but the case concerned romance fraud, and a phone involved with the investigation was remotely wiped,” she said. “It did not impact upon the investigation, and we went on to secure a conviction.”
Software that enables this remote wiping has been available from a variety of security firms for some time now.
For example, BitDefender announced a product a while back intended to track lost or stolen Android devices. Not only did it allow users to connect remotely and ‘wipe’ data from a web profile via the internet, but to activate commands with text messages.
Pen Test Partners’ digital forensics expert, Ken Munro, said it is common practice to immediately put devices that are seized as evidence into a radio-frequency shielded bag to prevent any signals getting through and stop remote wipes.
“If we can’t get to the scene within an hour, we tell the client to pop it in a microwave oven,” he said. “The microwave is reasonably effective as a shield against mobile or tablet signals – just don’t turn it on.”
Chrome Climbs To Second
Google’s Chrome browser in July broke the 20% user share bar for the first time, according to recently published statistics by Web measurement vendor Net Applications.
But because the browser war is a zero-sum game, when Chrome won others had to lose. The biggest loser, as has been the case for the last year: Mozilla’s Firefox, which came dangerously close to another milestone, but on the way down.
Firefox accounted for 15.1% of the desktop and laptop personal computer browsers used in July, a low point not seen by the open-source application since October 2007, a year before Chrome debuted and when Microsoft’s Internet Explorer (IE) was only on version 7.
Chrome had flirted with the 20% mark before. More than two years ago, Chrome’s user share — a Net Applications’ measurement of the unique visitors running each browser — had come close: 19.6%. But Chrome then took a prolonged dip that only began reversing last fall.
Chrome’s July user share of 20.4% put the browser solidly in second place, but still far behind IE in Net Applications’ tallies. IE’s share last month was 58%, down slightly from the month before.
Firefox also lost user share in July, dropping half a percentage point to 15.1%. It was the ninth straight month that the desktop browser lost share. In the past three months alone, Firefox has fallen nearly two points.
The timing of the decline has been terrible, as Mozilla’s current contract with Google ends in November. That deal, which assigned Google’s search engine as the default for most Firefox customers, has generated the bulk of Mozilla’s revenue. In 2012, for example, the last year for which financial data was available, Google paid Mozilla an estimated $272 million, or 88% of all Mozilla income.
Going into this year’s contract renewal talks, Mozilla will be bargaining from a much weaker position, down 34% in total user share since July 2011.
Apple’s Safari remained in a distant fourth place behind Firefox, with a user share of 5.2%, down four-tenths of a percentage point in the last month. Meanwhile, Opera Software’s Opera browser brought up the rear with a small 1% user share.
Can Android Fight Cyber Threats With A.I.?
February 5, 2014 by admin
Filed under Smartphones
Comments Off on Can Android Fight Cyber Threats With A.I.?
A security firm called Zimperium has launched mobile software that learns from smartphones to fend off malicious cyber attacks.
Claiming to be the first security software to be powered by artificial intelligence (AI), the app is called zIPS, with the “IPS” standing for “intrusion prevention system”. The aim of the AI is to better spot malware before it causes harm or spreads to other devices.
The zIPS software works whether the smartphone is offline or online and can protect against malicious apps, such as those that can self-modify, and network attacks like a “man in the middle” attack where a hacker intercepts data being sent between one user and another.
“With zIPS, corporations will now have the opportunity to use [bring your own device] as an advantage to their security. zIPS is the first security solution that can combat modern cyber-attacks on mobile,” said Zimperium’s founder and CEO Zuk Avraham. “There is already evidence of attacks that are happening to infiltrate organisations, which only zIPS can prevent.”
Prior to working on the Android app, Avraham worked as a security researcher for the Israeli Defense Forces and Samsung electronics before setting up Zimperium in response to what he thinks is a poor selection of good mobile security software.
According to MIT Technology Review, Zimperium said that there have as yet been no programs that can detect, notify and protect against cyber attacks deployed through mobile devices.
The zIPS Android app has arrived in the Google Play store for all Android devices at a time when malware on Android is at an all time high.
Last year, Trend Micro warned that Google’s Android mobile operating system is so beset by cyber criminals creating malicious apps that the malware was on track to hit the million mark before the end of 2013.
The firm said that this was attributable to hackers seeking to exploit Android’s growing global user base.
Mozilla Delays Touch Browser
January 14, 2014 by admin
Filed under Around The Net
Comments Off on Mozilla Delays Touch Browser
Mozilla has again delayed the release date for a touch-enabled version of Firefox that will run in Windows 8′s “Modern” user interface (UI), with the new target in mid-March.
Ship estimates for the browser have been fluid, to put it mildly. In August, the open-source developer pegged December 2013 as the target for the “Metro-ized” version of Firefox. In September, Mozilla said it was hoping to bundle Firefox Metro with the Windows edition of Firefox 27, slated for release on Feb. 4.
Metro was the name Microsoft once applied to the radical UI of Windows 8, but the company ditched the moniker in 2012 over a trademark dispute with a German retailer.
The newest information from Mozilla, however, has tapped March 18, when Firefox 28 is to ship, as the projected release of the browser.
Although a preview of Firefox Metro was bundled with the Aurora build of Firefox more than three months ago — and is currently in Aurora for Firefox 28 — it has not yet been promoted to the next channel, Beta, which is the precursor to Release. Mozilla has set a Jan. 31 deadline for deciding whether the touch browser is ready to add to Firefox 28 Beta.
Mozilla started work on a Metro edition of Firefox in March 2012. It shipped a rough preview in October 2012, several weeks before Microsoft launched Windows 8. At that time, Mozilla’s schedule said the Firefox app might appear as early as January 2013. In May 2013, however, the company said its developers would complete Firefox for Modern between Oct. 2, 2013, and March 20, 2014, with mid-November the likeliest date.
If Mozilla makes the targeted March 18 release, it will have spent two years crafting the browser, which will have shipped 17 months after the retail debut of Windows 8.
Although Mozilla has said it’s important that it have a Metro-ready browser to remain competitive — and Windows 8′s and Windows 8.1′s user share has climbed above the 10% mark– it’s unclear what percentage of those PC and tablet owners spend serious time in the UI, as opposed to the traditional Windows desktop.
Mozilla is also discussing a name for the browser, which was code named “Firefox Metro” during development and later was saddled with the label “Windows 8-style Firefox.”
One suggestion, forwarded by a Mozilla user experience designer, has been “Firefox Touch,” which got nods of approval from others in a Mozilla planning message forum.
“‘Windows 8-style Firefox’ is too long and already doesn’t make perfect sense with Windows 8.1 released, but will make less sense when Windows 9 comes out,” noted Brian Bondy, a Firefox platform engineer who has led the work on the Metro version. “I like Firefox Touch and I think we should go with that. It’s a product designed above all else for touch.”
Some, however, objected to labeling the browser as “Firefox Touch,” pointing out that that would downplay the Android browser Mozilla maintains, which is also touch-enabled.
“I agree with Jim that it should be simply Firefox, and that differentiation happens at the point of download,” countered Peter Scanlon, Mozilla’s acting chief marketing officer, in another message to the same discussion forum.
Google Expands Malware Blocker
Google has expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.
Chrome’s current “Canary” build — the label for very-early versions of the browser, earlier than even Chrome’s Dev channel — will post a warning at the bottom of the window when it detects an attempted download of malicious code.
Features added to the Canary build usually, although not always, eventually make it into the Dev channel — the roughest-edged of the three distributed to users — and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.
Chrome has included malware blocking for more than two years, since version 12 launched in June 2011, and the functionality was extended in February 2012with Chrome 17.
Chrome is now at version 30.
Canary’s blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser’s settings.
“Content.exe is malicious, and Chrome has blocked it,” the message in Canary reads. The sole visible option is to click the “Dismiss” button, which makes the warning vanish. The only additional option, and that only after another click, is to “Learn more,” which leads to yet another warning.
In Canary, there is no way for the user to contradict the malware blocking.
That’s different than in the current Stable build of Chrome, which relies on a message that says, “This file is malicious. Are you sure you want to continue?” and gives the user a choice between tossing the downloaded file or saving it anyway.
As it has for some time, Chrome will show such warnings on select file extensions, primarily “.exe,” which in Windows denotes an executable file, and “.msi,” an installation package for Windows applications. Canary’s expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software — it cited screen savers and video plug-ins in a blog posting — that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.
Google’s malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple’s Safari and Mozilla’s Firefox all access to warn customers of potentially dangerous websites before they reach them.
In Chrome’s case, the malware warning stems not only from the Safe Browsing “blacklist” of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.
Will Skype 3RD Party API’s End?
Angry Developers, a breed not unlike Angry Birds but without the desire to fling themselves at naughty pigs, have started a petition asking Microsoft to withdraw its plan to switch off the desktop API for Skype.
The news follows Microsoft’s announcement that support for third party applications will end in December. The change.org petition explains, “The decision to discontinue Skype’s Desktop API impacts our ability to use Skype within my normal Skype calling activities.” It goes on to request that, “Skype/Microsoft provide continued support for third party Skype utilities that have become mission critical to Skype’s users.”
The API runs a range of services, including call recording clients, and in some cases third party hardware including certain headsets. Its discontinuation will most likely see problems for third party instant messaging (IM) services that rely on the API to aggregate IM services, as Skype does not use the Jabber protocol.
Microsoft’s explanation of this was fairly straightforward. It said, “The Desktop API was created in 2004 and it doesn’t support mobile application development. We have, therefore, decided to retire the Desktop API in December 2013.”
However, many developers who receive income from their products using the Skype API are unsatisfied with this.
Although Skype has had a mobile client dating back as far as Windows Mobile 5, it has never had parity with the desktop version and there remains some bewilderment as to why Microsoft has made this decision.
At the time of writing shortly after launch on Friday, the petition had 540 signatures and rising, showing that there is a groundswell of support for the initiative.
Google Updates It’s SSL Certificate
Google has announced plans to upgrade its Secure Sockets Layer (SSL) certificates to 2048-bit keys by the end of 2013 to strengthen its SSL implementation.
Announcing the news on a blog post today, Google’s director of information security engineering Stephen McHenry said it will begin switching to the new 2048-bit certificates on 1 August to ensure adequate time for a careful rollout before the end of the year.
“We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key,” McHenry said.
“Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.”
McHenry advised that for a smooth upgrade, client software that makes SSL connections to Google, for example, HTTPS must: “perform normal validation of the certificate chain; include a properly extensive set of root certificates contained […]; and support Subject Alternative Names (SANs)”.
He also recommended that clients support the Server Name Indication (SNI) extension because they might need to make an extra API call to set the hostname on an SSL connection.
He pointed out some of the problems that the change might trigger, and pointed to a FAQ addressing certificate changes, as well as instructions for developers on how to adapt to certificate changes.
F-secure’s security researcher Sean Sullivan advised, “By updating its SSL standards, Google will make it easier to spot forged certificates.
“Certificate authorities have been abused and/or hacked in the past. I imagine it will be more difficult to forge one of these upgraded certs. Therefore, users can have more confidence.”