Archive for November, 2014

Office 365’s spam filter gets smarter with bulk mailings

The Exchange Online Protection email security engine rates promotional messages on a scale of 1 to 9

In time for the holiday shopping season, Microsoft has refined how Office 365 handles bulk promotional emails from vendors like Amazon, eBay and Macy’s.

Those messages, which contain special offers, newsletters and other sales incentives, fall into a gray area between legitimate email and obvious spam. Depending on a variety of factors, recipients sometimes find them useful and other times annoying.

Now, Microsoft has added what it describes as a “simple, intuitive control” to the Exchange Online Protection (EOP) security engine in Exchange Online so that Office 365 admins can fine-tune the treatment of these messages for their domain.

EOP rates bulk messages on a scale of 1 to 9. The lower the rating, the less likely the message will be considered a nuisance by recipients. Criteria used to rate messages include whether recipients signed up for the mailings, whether the sender offers unsubscribe options and how many complaints the emails have generated.

Office 365 sets its default threshold at 7, meaning EOP will deliver bulk messages rated 6 and lower, and throw those rated 7 and above into the spam basket. However, admins can adjust the threshold to a different number.

“Bulk email can be a real nuisance for users. We hope that this feature will help you better manage the amount of bulk email your organization receives and look forward to continually improving our anti-spam service to meet your needs,” wrote Microsoft officials Shobhit Sahay and Chris Nguyen in a blog post Monday.

Microsoft is starting to roll out the improved email management capability now. Admins that want it activated right away on their domains can place a request with Microsoft via their account team.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

The early, awkward days of “portable” computing

You kids today are spoiled by your modern-day razor-thin ultrabooks. Come take a look at portable technology that required some muscle.

Sure, it’s a bit unwieldy
In the first iteration of any technology, it’s amazing that you can do it. When the first Motorola mobile phone hit the market, it seemed miraculous to make phone calls unconnected to the grid; only later did it become clear how unwieldy that first phone was.

The same is true for PCs. Early “portable” computers would make you laugh, because of their size (large), price tag (high), capabilities (poor), or some combination of the three. But as you take this tour through the history of mobile computing, we urge you to remember the day when it was amazing that you could lug these things around at all.

DYSEAC, 1954
What makes a computer “portable”? Well, at minimum, you have to be able to move it from place to place. By that standard, just about any computer made today is more portable than the earliest computers of the 1940s and 1950s, built from hundreds of vacuum tubes installed into row after row of cabinets and taking up entire rooms. In this sense, DYSEAC, built by the National Bureau of Standards for the US Army Signal Corps, was a real breakthrough: it could be easily fit into a tractor trailer and driven from place to place.

IBM 5100, 1975
Decades later, IBM looked to make a similar leap down in size from the half-ton behemoths it sold. With the IBM 5100, Big Blue was able to compress a lot of power into a package that, at 55 pounds, was relatively tiny: amazingly, the computer was able to emulate a version of the APL programming language that would run on an S/360 mainframe. Reasoning that anyone who would be opting for the 5100 over a real mainframe would put portability at a premium, IBM emphasized the suitcase-sized unit’s luggability and built a keyboard and tiny monitor directly into the all-in-one machine. Fully tricked out, the 5100 cost $19,975 — the equivalent of more than $85,000 today.

Osborne 1, 1981
Six years later, Osborne Computer introduced the Osborne 1, with a similar look and footprint but a much less cutting edge level of technology. Company founder Adam Osborne himself said that “It is not the fastest microcomputer, it doesn’t have huge amounts of disk storage space, and it is not especially expandable.” But it used the mass-market CP/M operating system, and it was cheap ($1,795, the equivalent of $4,500 today), and, at 22 pounds, relatively easy to fit into a suitcase for lugging to wherever you might need a computer. Osborne published a magazine specifically for users, The Portable Companion, and the first issue featured an amazing picture of journalist David Kline with Afghan mujahideen admiring his Osborne 1.

GRiD Compass, 1982
The GRiD Compass was an Osborne contemporary; it was smaller — at a scant 11 pounds, it’s almost getting to the same order of magnitude of modern-day laptops. It also used a unique operating system and rugged but slow bubble memory, and cost $8,150 (more than $19,000 today). The combination of its tough construction and high price tag meant that its chief customer was the U.S. federal government: the Compass went into orbit on the Space Shuttle, and was rumored to be part of the presidential “nuclear football,” which stored launch codes.

Compaq Portable, 1982

The Compaq Portable was roughly the same size (28 pounds) and form factor as the Osborne: barely portable, in other words, despite the name, though it did come with a nifty suitcase. What made it really special wasn’t related to its portability: it was the first ever IBM clone of any sort, with reverse engineered BIOS and Microsoft’s MS-DOS, making it the ancestor of every Windows laptop ever made. Its luggable design was an added bonus; it was popular enough that IBM had to answer with its own portable version, the IBM 5155 model 68.

Epson HX-20, 1983
Having read about what passed for portable computing in the early 1980s, you can now understand how shocking and revolutionary the Epson HX-20 was. At three and a half pounds, it’s lighter than a modern-day 15-inch MacBook Pro, and at $795 (the equivalent of $1,800 today), it’s cheaper, too.

What was the catch? While the other luggables we’ve seen had monochrome monitors on the order of 8 or 9 inches, the HX-20 sported a tiny LCD that could only show four lines of text, 20 characters wide. There was also very little software available for its proprietary OS, and the machine was distinctly underpowered.

Classic Mac form factor, 1984
Even as this spate of what we’d now recognize as the ancestors of modern notebook computers was being released, the idea of just what might make a computer count as “portable” was still in flux. For instance, nobody would’ve mistaken the original Macintosh for a laptop, with its near-cubical form factor — but at 16.5 pounds, it was lighter than many computers specifically billed as portable. The case came with a built-in handle on top so you could carry it around your house or office, and, as this page from the original owner’s manual demonstrates, custom-made carrying satchels were available.

Macintosh Portable, 1989/PowerBook 100, 1991
Five years later, Apple’s first portable Mac looked like the early ’80s dinosaurs we’ve already seen: huge, clunky, and awkwardly designed. The Portable was a bit lighter than its predecessors at 16 pounds, and of course ran a more modern OS, but at $6,500 ($12,000 in today’s money) it was difficult to justify.

The truly amazing thing was that just two years later, Apple released the PowerBook 100 series. These machines started at a third the weight and a third the price of the Portable; more importantly, their design, with wrist rests and a trackball below the keyboard, set the standard for all laptops, Mac and PC, that followed. The modern portable era had arrived.

Apple Newton, 1993
Of course, around the same time the world was launching into a whole new world of portable computing: the PDA, direct ancestor to the modern-day smartphone. We leave you with this picture that shows how far we’ve come in the “handheld computing devices much smaller than personal computers” department: the original Apple Newton, that prophetic flop, seemed miraculously small at the time, and yet dwarfs the original iPhone. (Though with the advent of the huge iPhone 6 Plus, perhaps this is going full circle.)

Peeping into 73,000 unsecured security cameras thanks to default passwords

A site linked to 73,011 unsecured security camera locations in 256 countries to illustrate the dangers of using default passwords.

Yesterday I stumbled onto a site indexing 73,011 locations with unsecured security cameras in 256 countries …unsecured as in “secured” with default usernames and passwords. The site, with an IP address from Russia, is further broken down into insecure security cameras by the manufacturers Foscam, Linksys, Panasonic, some listed only as “IP cameras,” as well as AvTech and Hikvision DVRs. 11,046 of the links were to U.S. locations, more than any other country; one link could have up to 8 or 16 channels, meaning that’s how many different security camera views were displayed on one page.

Truthfully, I was torn about linking to the site, which claims to be “designed in order to show the importance of security settings;” the purpose of the site is supposedly to show how not changing the default password means that the security surveillance system is “available for all Internet users” to view. Change the defaults to secure the camera to make it private and it disappears from the index. According to FAQs, people who choose not to secure their cameras can write the site administrator and ask for the URL to be removed. But that requires knowing the site exists.

There are 40,746 pages of unsecured cameras just in the first 10 country listings: 11,046 in the U.S.; 6,536 in South Korea; 4,770 in China; 3,359 in Mexico; 3,285 in France; 2,870 in Italy; 2,422 in the U.K.; 2,268 in the Netherlands; 2,220 in Colombia; and 1,970 in India. Like the site said, you can see into “bedrooms of all countries of the world.” There are 256 countries listed plus one directory not sorted into country categories.

[Image: bedroom views from unsecured cameras listed on Insecam]
The last big peeping Tom paradise listing had about 400 links to vulnerable cameras on Pastebin and a Google map of vulnerable TRENDnet cameras; this newest collection of 73,011 total links makes that seem puny in comparison. A year ago, in the first action of its kind, the FTC brought down the hammer on TRENDnet for the company’s “lax security practices that exposed the private lives of hundreds of consumers to public viewing on the Internet.”

Security cameras are supposed to offer security, not provide surveillance footage for anyone to view. Businesses may be fine with that, but cameras that are not truly locked down in homes invite privacy invasions. In this case, it’s not just one manufacturer. Sure, a geek could Google Dork or use Shodan to end up with the same results, but that doesn’t mean the unsecured surveillance footage would be aggregated into one place that’s bound to be popular among voyeurs.
[Image: unsecured Panasonic security camera in Aruba, as listed on Insecam]

There were lots of businesses, stores, malls, warehouses and parking lots, but I was horrified by the sheer number of baby cribs, bedrooms, living rooms and kitchens; all of those were within homes where people should be safest, but were awaiting some creeper to turn the “security surveillance footage” meant for protection into an invasion of privacy.

[Image: one of thousands of unsecured Foscam baby cams listed on Insecam]
Randomly clicking around revealed an elderly woman sitting but a few feet away from a camera in Scotland. In Virginia, a woman sat on the floor playing with a baby; the camera manufacturer was Linksys. There was a baby sleeping in a crib in Canada, courtesy of an unsecured Foscam camera, the brand of camera most commonly listed when pointing down at cribs. So many cameras are set up to look down into cribs that it was sickening; it became like a mission to help people secure them before a baby cam “hacker” yelled at the babies.
[Image: unsecured Foscam baby cam listed on Insecam]

I wanted to warn and help people who unwittingly opened a digital window to view into their homes, so I tried to track down some security camera owners with the hopes of helping them change the default username and password. It is their lives and their cameras to do with as they think best, but “best” surely doesn’t include using a default username and password on those cameras so that families provide peep shows to any creep who wants to watch.

[Image: unsecured Linksys camera listed on Insecam]

The site lists the camera manufacturer, default login and password, time zone, city and state. The results for each camera are also theoretically pinpointed with longitude and latitude on Google Maps. That can be opened in another browser window, zoomed into, converted to Google Earth, then Street View in hopes of seeing an address to take into a reverse phone look-up. It’s slightly easier if it’s a business and you see a name on a building. There may be an easier way, as it was slow and frustrating.
[Image: unsecured IP surveillance camera listed on Insecam]

I’m unwilling to say how many calls I made, or else you might think I enjoy banging my head against the wall. It was basically how I spent my day yesterday. Too many times the location couldn’t be determined, led to apartments, or the address wasn’t listed in a reverse phone search. After too many times in a row like that, I’d switch to a business as it is much easier to pinpoint and contact.

One call was to a military installation. Since the view was of beautiful fall foliage, it seemed like a “safe” thing to find out if that camera was left with the default password on purpose. Searching for a contact number led to a site that was potentially under attack and resulted in a “privacy error.” Peachy. Then I had two things to relay, but no one answered the phone. After finding another contact number and discussing both issues at length, I was told to call the Pentagon! Holy cow and yikes!

[Image: Chrome privacy-error warning shown while looking up the contact number]

About six hours into trying to help people, I was used to talking to the manager of establishments and explaining the issue. During a call to a pizza chain place, the manager confirmed the distinct views from eight channels of cameras before things got ugly.

Managers, don’t shoot the messenger; a person out to hurt you might dig into a Linux box with root, but no exploit or hacking is needed to view the surveillance footage of your unsecured cameras! It’s exceedingly rude to yell or accuse a Good Samaritan of “hacking” you. If your cameras are AVTech and admin is both username and password, or Hikvision “secured” with the defaults of admin and 12345, then you need to change that. Or don’t and keep live streaming on a Russian site.

[Image: unsecured security camera system with 16 channels listed on Insecam]

After an exasperating day of good intentions not being enough to help folks, hopefully raising awareness will help. It would be great if these manufacturers would start wrapping the boxes in tape that yells, Be sure to change the default password! In some security camera models, no password is even required.

If you don’t recall your username/password combo, then download the manual of your camera model, reset the device like you would a wireless router, and aim for a strong password to truly provide security this time. This might be a good place to start for support or manuals for Foscam, Linksys, AVTech, Hikvision, Panasonic, but some of the unsecured security cams are simply listed as IP cameras.
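As an added example (not code from the original post), here is a small audit script of the kind a home or office administrator could run over a camera inventory before any of these devices is exposed: it flags cameras still on the vendor defaults the post names (AVTech admin/admin, Hikvision admin/12345), cameras that require no password at all, and weak passwords. The Camera record type, the inventory and the "Summer2014"-style sample passwords are constructed; KNOWN_DEFAULTS deliberately contains only the pairs this page mentions and should be extended from your own vendors' manuals.

```python
"""Audit a camera inventory for default, missing, or weak credentials.

Added example, not code from the original post. The inventory below is
constructed; KNOWN_DEFAULTS holds only the default pairs the post names
(AVTech admin/admin, Hikvision admin/12345). Extend it from your vendors'
manuals before running it against a real inventory export.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Vendor default (username, password) pairs as named in the post.
KNOWN_DEFAULTS: Dict[str, Set[Tuple[str, str]]] = {
    "avtech": {("admin", "admin")},
    "hikvision": {("admin", "12345")},
}


@dataclass
class Camera:
    name: str                 # inventory label (constructed)
    vendor: str
    username: str
    password: str             # "" models a camera that requires no password
    internet_reachable: bool  # True if port-forwarded / reachable from outside


def password_is_weak(pw: str) -> bool:
    """Short, all-digit or all-letter passwords are treated as weak."""
    return len(pw) < 12 or pw.isdigit() or pw.isalpha()


def audit(cam: Camera) -> List[str]:
    """Return the findings for one camera (an empty list means it passed)."""
    findings: List[str] = []
    defaults = KNOWN_DEFAULTS.get(cam.vendor.lower(), set())
    if not cam.password:
        findings.append("no password set")
    elif (cam.username, cam.password) in defaults:
        findings.append("vendor default credentials")
    elif password_is_weak(cam.password):
        findings.append("weak password")
    # A credential problem matters most when anyone on the Internet can reach the device.
    if findings and cam.internet_reachable:
        findings.append("reachable from the Internet")
    return findings


def audit_inventory(cams: List[Camera]) -> Dict[str, List[str]]:
    """Map camera name -> findings, keeping only cameras with at least one finding."""
    report: Dict[str, List[str]] = {}
    for cam in cams:
        findings = audit(cam)
        if findings:
            report[cam.name] = findings
    return report


# Constructed inventory for demonstration.
INVENTORY = [
    Camera("front-door", "AVTech", "admin", "admin", True),
    Camera("nursery", "Hikvision", "admin", "12345", False),
    Camera("warehouse", "Panasonic", "admin", "", True),
    Camera("lobby", "Linksys", "admin", "Summer2014", True),
    Camera("garage", "Foscam", "ops", "correct-horse-battery-9!", False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Only the garage camera passes; the other four each get a credential finding, and the three that are reachable from outside get the extra note, which is the order in which the post suggests fixing them.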

I don’t know what else to do if the FTC doesn’t again bring the hammer down on companies that don’t do enough to stop people from having their lives invaded. Take the issue and manufacturer names to Craigslist to try and get the attention of people in specific towns? But that would simply point back to the site and open even more people to having their privacy invaded.

Mostly, it falls on us, dear security-conscious readers, to nudge our not-so-techy friends and remind our families how very important it is to set strong passwords on security cameras unless they want to give the whole world a free pass to watch inside their homes.

Fire your mobile app programmer and build it yourself

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Everyone used to hire mobile app developers to build custom programs, but that often resulted in shoddy, insecure programs that sometimes didn’t even work. And even when the software suited the need, chances are it was a colossal waste of money.

Today you can program without programming. Even business people can define and build apps that suit their needs – in just hours or days, depending on the complexity. Or have them built for you for as low as $500 from a provider harnessing the same automated software creation tools.

Either way you go, it is a far cry from shelling out $50,000 or more, which is what you typically pay a mobile developer for just one piece of software for just one mobile platform.

We are not talking about overly simplistic, do nothing bits of software. With today’s new visual approach to designing and generating mobile software, you can create sophisticated custom business apps. These apps can work with data from the Web, cloud or your own internal systems – or all three, and can include pre-built features such as: forms, lists, database services, web services, location services, and strong security and encryption.

It is particularly easy to create apps for companies in these vertical industries: real estate, health care, construction, job estimating, insurance and more.

New tech to the rescue

For decades the Holy Grail of programming was to get there without programming. Many stabs have been taken, such as Fourth Generation Languages (4GL), object oriented programming where objects could be reused and stitched together to create new programs, and code generation, where you define what you need and the system creates the code for you.

All this work laid the foundation where we are finally achieving the promise of programming without programming. In the mobile space in particular a number of new companies are making all this work.

The key is visual development. By leveraging myriad pieces of software that have been written and fully vetted, the end user, even a non-technical person, visually designs the app they need and the system assembles the app based on what we used to call objects. And because all these components have been used in thousands of apps, they are secure and the bugs long since worked out.

Some vendors offering this new approach focus on easing creation of mobile applications that replace paper forms, letting IT customize or build apps that are then run as Software as a Service (SaaS).

Others offer a Platform as a Service (PaaS) approach. Initially PaaS was simply a way of offering a software development stack in the cloud, so programmers needn’t worry about configuring, updating and maintaining development systems. Now the stack itself is richer with the advent of true visual-based and model-driven development, and the cloud is better able to host these developed apps as well.

There are multiple PaaS options today. One approach allows stakeholders to model what they want their app to do, and then have that interpreted by a runtime environment. While another allows business users to decide what they want, describe it by manipulating icons that represent a large catalog of fully tested services, objects, actions or lines of code, and then the system builds a full piece of software whose components are automatically integrated.

The savings are real

Research by AnyPresence, a Backend-as-a-Service (BaaS) provider, shows most companies spend at least $50,000 for an app. Close to 25% spend more than $100,000.

Using traditional methods, mobile apps aren’t just expensive to build, they take a tremendous amount of time to complete. Let’s say you just want a program that takes information from a database and puts it in a simple list, maybe to let salespeople check inventory. That could take one to two months to build and cost over $25,000, says AnyPresence. And that is for just one platform.

Want an enterprise app that integrates with your business processes? You’ll need an awfully big piggy bank because that will run you over $150,000.

What’s more, eventually you’ll need to update that app, which can cost serious bucks. Forrester says the initial cost of development is only 35% of the overall two-year cost. Part of this cost is updating and upgrading. This may be due to new feature requirements, changes in business processes, the need to run on or exploit new mobile environments or to port to currently unsupported operating systems. MGI Research says mobile apps have, on average, one major update every six months.

With visual programming and application generation you can add new features or just freshen the interface with a few swipes of a WYSIWYG editor, then touch the screen to distribute the update. Programmers call this iteration, and they earn much of their livelihood this way.

Google to kill off SSL 3.0 in Chrome 40

To protect against POODLE attacks and other vulnerabilities in SSL 3.0, Google will remove support for the aging protocol in version 40 of its Chrome browser.

Google plans to remove support for the aging Secure Sockets Layer (SSL) version 3.0 protocol in Google Chrome 40, which is expected to ship in about two months.

The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed “POODLE,” the vulnerability allows a man-in-the-middle attacker to recover sensitive plaintext information, like authentication cookies, from an HTTPS (HTTP Secure) connection encrypted with SSLv3.

Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol’s only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.

HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years — browsers to support secure connections with old servers and servers to support secure connections with old browsers.

This compatibility-driven situation is one that security experts have long wanted to see change and thanks to POODLE it will finally happen. The flaw’s impact is significantly amplified by the fact that attackers who can intercept HTTPS connections can force a downgrade from TLS to SSL 3.0.

Based on an October survey by the SSL Pulse project, 98 percent of the world’s most popular 150,000 HTTPS-enabled sites supported SSLv3 in addition to one or more TLS versions. It’s therefore easier for browsers to remove their support for SSL 3.0 than to wait for hundreds of thousands of web servers to be reconfigured.

On Oct. 14, when the POODLE flaw was publicly revealed, Google said that it hopes to remove support for SSL 3.0 completely from its client products in the coming months. Google security engineer Adam Langley provided more details of what that means for Chrome in a post on the Chromium security mailing list Thursday.

According to Langley, Chrome 39, which is currently in beta and will be released in a couple of weeks, will no longer support the SSL 3.0 fallback mechanism, preventing attackers from downgrading TLS connections.

“In Chrome 40, we plan on disabling SSLv3 completely, although we are keeping an eye on compatibility issues that may arise,” Langley said. “In preparation for this, Chrome 39 will show a yellow badge over the lock icon for SSLv3 sites. These sites need to be updated to at least TLS 1.0 before Chrome 40 is released.”
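As an added example (not Google's or Chromium's code), the following Python model shows why the fallback mechanism matters and how each of the measures in the article closes the gap: a browser that retries with an older protocol version after a failed handshake can be walked down to SSLv3 whenever its TLS hellos fail on the path; Chrome 39 refuses to fall back, Chrome 40 has no SSLv3 to fall back to, and a server with SSLv3 disabled cannot complete that handshake either way. The version names, the browser and server version sets and the path_ok callable are constructed for illustration; the last function builds a hardened client context with the standard-library ssl module so that your own Python clients never negotiate SSLv3.

```python
"""Model of the SSLv3 fallback downgrade and the Chrome 39/40 mitigations.

Added example, not Google's or Chromium's code. Version names, the browser
and server version sets and the path_ok callable are constructed for
illustration; hardened_client_context() uses the standard-library ssl module.
"""
import ssl
from typing import Callable, Optional, Set

SSL3, TLS10, TLS11, TLS12 = "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"
ORDER = [SSL3, TLS10, TLS11, TLS12]  # oldest .. newest


def server_handshake(server_versions: Set[str], client_max: str) -> Optional[str]:
    """Server side: pick the newest version both ends support, else None."""
    for v in reversed(ORDER):
        if v in server_versions and ORDER.index(v) <= ORDER.index(client_max):
            return v
    return None


def connect(client_versions: Set[str], server_versions: Set[str],
            path_ok: Callable[[str], bool], fallback: bool) -> Optional[str]:
    """Client side: offer the newest version first.

    path_ok(version) says whether a ClientHello at that version gets through.
    With fallback=True the browser retries one version lower after a failed
    handshake (pre-Chrome-39 behaviour); with fallback=False it reports the
    failure instead (Chrome 39). Returns the negotiated version or None.
    """
    for client_max in sorted(client_versions, key=ORDER.index, reverse=True):
        if path_ok(client_max):
            return server_handshake(server_versions, client_max)
        if not fallback:
            return None
    return None


# Constructed version sets.
OLD_BROWSER = {SSL3, TLS10, TLS11, TLS12}    # still ships SSLv3 (Chrome 38 and earlier)
CHROME_40 = {TLS10, TLS11, TLS12}            # SSLv3 removed
LEGACY_SERVER = {SSL3, TLS10, TLS11, TLS12}  # the 98% in the SSL Pulse survey
FIXED_SERVER = {TLS10, TLS11, TLS12}         # SSLv3 disabled server-side


def clean_path(version: str) -> bool:
    """Undisturbed network: every ClientHello gets through."""
    return True


def interfering_path(version: str) -> bool:
    """Every TLS ClientHello fails and only an SSLv3 hello gets through:
    the downgrade condition the article describes."""
    return version == SSL3


def hardened_client_context() -> ssl.SSLContext:
    """Client context whose protocol floor is TLS 1.2, so SSLv3 can never be chosen."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_rejects_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if the context's floor is at or above TLS 1.0 (the article's minimum)."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    print("clean path, old browser:           ", connect(OLD_BROWSER, LEGACY_SERVER, clean_path, True))
    print("downgrade, old browser + fallback: ", connect(OLD_BROWSER, LEGACY_SERVER, interfering_path, True))
    print("downgrade, Chrome 39 (no fallback):", connect(OLD_BROWSER, LEGACY_SERVER, interfering_path, False))
    print("downgrade, Chrome 40 (no SSLv3):   ", connect(CHROME_40, LEGACY_SERVER, interfering_path, True))
    print("downgrade, server without SSLv3:   ", connect(OLD_BROWSER, FIXED_SERVER, interfering_path, True))
    print("hardened client rejects SSLv3:     ", context_rejects_sslv3(hardened_client_context()))
```

Only the second line ends in SSLv3; the three mitigations each turn that into a plain connection failure, which is the trade-off Langley describes: sites still limited to SSLv3 stop working rather than being silently downgraded.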

Google Chrome typically follows a six-week release cycle for major versions. Chrome 38 stable was released on Oct. 7, meaning Chrome 40 will probably arrive towards the end of December.
