Monthly Archives: August 2018

Apps Vulnerable to WiFi Snooping

Strafach categorized another 24 iOS apps as “medium risk.” Potentially intercepted information included service login credentials and session authentication tokens for users logged onto the network.

Strafach labeled the remaining apps “high risk” because the information that could be intercepted included financial or medical services login credentials.

He did not identify the medium and high risk apps by name, in order to give their makers time to patch the vulnerability in their apps.

How concerned should users be about their security when using these apps?

“I tried to leave out anything regarding concern level, as I do not want to freak people out too much,” Strafach told TechNewsWorld.

“While this is indeed a big concern in my opinion, it can be mostly mitigated by turning off WiFi and using a cellular connection to perform sensitive actions — such as checking bank balances — while in public,” he said.

 

Man in the Middle Attack

If anything, Strafach is understating the problem, maintained Dave Jevans, vice president for mobile security products at Proofpoint.

“We’ve analyzed millions of apps and found this is a widespread problem,” he told TechNewsWorld, “and it’s not just iOS. It’s Android, too.”

Still, it likely is not yet a cause for great alarm, according to Seth Hardy, director of security research at Appthority.

“It’s something to be concerned about, but we’ve never seen it actively exploited in the wild,” he told TechNewsWorld.

What the vulnerability does is enable a classic man-in-the-middle attack. Data from the target phone is intercepted before it reaches its destination. It is then decrypted, stored, re-encrypted and then sent to its destination — all without the user’s knowledge.

To do that, an app needs to be fooled into thinking it’s communicating with a destination and not an eavesdropper.

“In order for a man-in-the-middle attack to be successful, the attacker needs a digital certificate that’s either trusted by the application, or the application is not properly vetting the trust relationship,” explained Slawek Ligier, vice president of engineering for security at Barracuda Networks.

“In this case, it appears that developers are developing applications in a way that allows any certificate to be accepted,” he told TechNewsWorld. “If the certificate is issued and not expired, they’re accepting it. They’re not checking if it’s been revoked or even if it’s properly signed.”
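The pattern Ligier describes, shown next to a corrected version, as an added example in Swift (not from the article or from any of the apps it covers): a `URLSession` delegate that accepts any server certificate, and one that evaluates the chain, hostname and revocation status before trusting it. The class names are hypothetical.

```swift
import Foundation
import Security

// Vulnerable (hypothetical class name): trusts whatever chain the server presents.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        if space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = space.serverTrust {
            // No evaluation: self-signed, wrong-host and revoked certificates all pass.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

// Hardened (hypothetical class name): evaluates the chain before trusting it.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // TLS server policy bound to the requested host, plus a revocation check.
        var policies: [SecPolicy] = [SecPolicyCreateSSL(true, space.host as CFString)]
        if let revocation = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod) {
            policies.append(revocation)
        }
        guard SecTrustSetPolicies(trust, policies as CFArray) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        if SecTrustEvaluateWithError(trust, nil) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: drop the connection instead of sending credentials.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Leaving the delegate method unimplemented also keeps the system's default certificate validation in place.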

Display Top Latest iPhone Rumor List

Apple poked a hornet’s nest when it removed the standard headphone jack from the iPhone 7. It may do it again by replacing the Lightning port with USB-C in the next iPhone.

The Lightning port, introduced in 2012, is used to charge and connect accessories to the iPhone, but Apple plans to swap it for USB-C, which the company has been introducing into its computer lines, The Wall Street Journal reported Tuesday.

“It would be a bold step for Apple, because it would mean Apple would be dependent on the advance of the USB-C standard for any innovations they may want to make around physical connectors,” said IHS Markit Senior Director Ian Fogg.

In the past, Apple chose to use its own home-brewed connectors for the iPhone — first its dock connector, then Lightning.

“Both of them allowed Apple to innovate more quickly than the industry because they weren’t dependent on standards,” Fogg told TechNewsWorld, “and it enabled them to have a business model around accessories through third-party companies, where Apple could ensure quality and collect a license fee.”

USB-C: Good and Bad

It’s not likely that Apple will scrap the Lightning connector, said David McQueen, a research director at ABI Research.

“They’d only put USB-C in if it allows them to make the phone thinner,” he told TechNewsWorld.

“A standard connector would be better, because you could share the cables for it with the new MacBook and with other devices,” noted Kevin Krewell, a principal analyst at Tirias Research.

“That’s a good thing,” he said.

“The bad thing is you have to buy another cable,” Krewell told TechNewsWorld.

Apple will unveil three new iPhones in September, based on reports corroborated by the WSJ. The expected models are an iPhone 7s, a 7s Plus, and a 10th anniversary edition called “iPhone 8” or “X,” which could have a curved 5.8-inch OLED display.

“Switching from a Lightning connector to USB-C is a minor thing. It’s not going to make large numbers of people buy an iPhone,” said IHS Markit’s Fogg.

“On the other hand, innovating with the display, having a wide-aspect ratio display that fills the face of the phone without increasing the volume of the phone, is good for consumers and good for the experience of using the phone,” he observed.

 

OLED Offers VR Opportunity

Having an OLED in the next iPhone is a definite possibility, Tirias’ Krewell said.

“It’s just a matter of getting the right supply chain in place,” he pointed out.

“Apple’s wanted to switch to OLED, but getting the supply chain behind it to support their quality and standards and display resolution has been a challenge,” added Krewell.

OLED screens not only offer a more vibrant display with richer colors and deeper blacks, but also have lower persistence than other types of displays, which reduces motion blur.

“That makes OLEDs much more suited for things like virtual reality,” IHS Markit’s Fogg said.

“Apple has resisted the temptation so far to make any play in that area,” he continued, “but a shift to an OLED, which we are expecting, would be an enabler for them to make a move to a VR experience if they want to.”

A large, end-to-end display also could make the iPhone more competitive in the market, maintained Patrick Moorhead, principal analyst at Moor Insights and Strategy.

“It would be exceptional and could bring them at parity with Samsung,” he told TechNewsWorld.

Open Source Devs to Give E2EMail Encryption

Google last week released its E2EMail encryption code to open source as a way of pushing development of the technology.

“Google has been criticized over the amount of time and seeming lack of progress it has made in E2EMail encryption, so open sourcing the code could help the project proceed more quickly,” said Charles King, principal analyst at Pund-IT.

That will not stop critics, as reactions to the decision have shown, he told LinuxInsider.

However, it should enable the company to focus its attention and resources on issues it believes are more pressing, King added.

Google started the E2EMail project more than a year ago, as a way to give users a Chrome app that would allow the simple exchange of private emails.

The project integrates OpenPGP into Gmail via a Chrome extension. It brings improved usability and keeps all cleartext of the message body exclusively on the client.

E2EMail is built on a proven, open source Javascript crypto library developed at Google, noted KB Sriram, Eduardo Vela Nava and Stephan Somogyi, members of Google’s Security and Privacy Engineering team, in an online post.

The early versions of E2EMail are text-only and support only PGP/MIME messages. It now uses its own keyserver.

The encryption application eventually will rely on Google’s recent Key Transparency initiative for cryptographic key lookups. Google earlier this year released the project to open source with the aim of simplifying public key lookups at Internet scale.

The Key Transparency effort addresses a usability challenge hampering mainstream adoption of OpenPGP.

During installation, E2EMail generates an OpenPGP key and uploads the public key to the keyserver. The private key is always stored on the local machine.

E2EMail uses a bare-bones central keyserver for testing. Google’s Key Transparency announcement is crucial to its further evolution.

 

Google Partially Benefits

Secure messaging systems could benefit from open sourcing the system. Developers could use a directory when building apps to find public keys associated with an account along with a public audit log of any key changes.

Encryption key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced, suggested Sriram, Nava and Somogyi in their joint post.

Key Transparency delivers a solid, scalable and practical solution. It replaces the problematic web-of-trust model traditionally used with PGP, they pointed out.

Lab Linux Is a Rare Treat

The latest release of Black Lab Linux, an Ubuntu 16.04-based distribution, adds a Unity desktop option. You will not find Unity offered by any other major — or nearly any minor — Linux distributor outside of Ubuntu.

Black Lab Linux 8.0, the consumer version of PC/OpenSystems’ flagship distro, also updates several other prominent desktop options.

Black Lab Linux is a general purpose community distribution for home users and small-to-mid-sized businesses. PC/OpenSystems also offers Black Lab Enterprise Linux, a commercial counterpart for businesses that want support services.

Black Lab Linux is an outgrowth of OS4 OpenLinux, a distro the same developers released in 2008. Both the community and the commercial releases could be a great alternative for personal and business users who want to avoid the UEFI (Unified Extensible Firmware Interface) horrors of installing Linux in a computer bought off the shelf with Microsoft Windows preinstalled.

Black Lab offers its flagship releases with a choice of self or full support, and both come at a price upon launch. However, you can wait 45 days and get the same release with the self-support option for free. Black Lab Linux 8.0 became available for free late last year.

Black Lab 8.0 with Unity gave me a few problems depending on the hardware I tested. It sometimes was slow to load various applications. It more than occasionally locked up. However, its performance usually was trouble-free on more resource-rich computers.

Its core set of specs is nice but nothing that outclasses other fully free Linux OS options. Here is a quick rundown on the updated packages. Remember that version 8.0 is based on Ubuntu 16.04, which is a solid starting point.

The Birth of Magic

As in crazy short, in a very short period of time we have two very different companies looking at two very different ways to eliminate traffic. Tesla wants to tunnel under the ground to avoid traffic, while Uber wants to fly overhead.

Transportation has been a tad static for the last 40 years or so, and that apparently is about to change big time, as some folks even are reconsidering lighter-than-air transport.

This is just the start. There are amazing efforts cropping up all over the U.S., suggesting that we may be building a lot of things that truly are magical. I’ll share my thoughts on this coming industrial revolution and close with my product of the week: a very advanced, almost pocketable drone that is small enough for inside and powerful enough to fly outside.

The Death of Innovation

Both transportation and advancement have a mixed history. At the beginning of the 20th century, we moved from horses to cars. Ford even created one of the most reliable airliners in the world and was well down the path toward creating a flying car.

During the Great Depression, perhaps in response to an increase in regulations, advancements in personal transportation seemed to slow and become far more linear. Yes, cars in the 1960s were better than those in the 1930s — but given that we’d come from horses, the speed of advancement was far slower.

Air travel seemed to peak with the brief creation of supersonic transports, which proved uneconomical and unsafe. The current U.S. president, Donald Trump, is looking into why the next Air Force One is basically a plane that was designed back when Ronald Reagan was president and was considered obsolete in many ways even then.

Largely because of fuel shortages and regulations (sound, environmental, safety) we hit a wall in the 1970s in all forms of transportation. Trains in the U.S. are kind of an international embarrassment, given that we once were the leader in rail technology.

I still remember the $9M that California put into studies to determine that the monorail Walt Disney wanted to build to the airport, which was budgeted to cost just $3M, would be unprofitable. It was that kind of regulatory insanity that likely killed what once was the most innovative industry in the U.S.

It seemed that after we made it to the moon, we just stopped pushing the envelope — but that now seems to be changing, a lot.

Innovation Is Coming Back?!

I think what is going on, in part, is that a new breed is transforming the workforce — people who haven’t had it drummed into them that they couldn’t do something different. They’re not just filling entry positions, either. A large number of successful startups have come from trailblazers like Elon Musk and Jeff Bezos who, rather than asking “why?” effectively are asking “why not?”

It is fascinating that their ideas are all over the map. We suddenly are making advancements both above and below the ground. We are applying ever more intelligence to everything from toys to cars. The result is the emergence of what some are calling the “new industrial revolution.”

It is very difficult to see just how unprecedented this level of change is while we’re in the middle of it.

Consider this: In the 1990s Amazon started out as a bookseller in a garage in Seattle. Now it scares the crap out of Walmart. Google didn’t even exist until 1998, but it now is arguably the most powerful company in the world. And then there is Facebook.

Still, traditional industries like transportation were left alone until recently — that is, until Tesla popped in, made GM’s electric car efforts look foolish, and spun the auto market on its head.

Now, giant car companies all over the world are working to catch up, and Musk isn’t just running a car company. He has a solar energy company and a rocket ship company as well. Seriously, he has a rocket ship company, and he isn’t alone — Jeff Bezos has one too.