Thursday, 3 September 2015

Facebook Tests a Human-Powered Digital Assistant M

We used to rely on a secretary to manage our everyday tasks efficiently. Technology is now moving at such a pace that it is hard to keep things organized, even with an assistant, and major tech firms such as Apple, Microsoft and Amazon are working hard to make life easier by developing advanced digital assistants.

These digital assistants will make it much easier and smoother to complete everyday tasks without undue stress or hassle.

Now the social media giant Facebook is looking at bringing such a digital assistant to its billions of users across the world.

Facebook testing new digital assistant named M

Facebook recently announced that it is testing a new service for its Messenger app. The service is named M and is essentially a digital assistant aimed at helping users perform simple tasks, such as making a reservation or ordering products, with ease. Once the testing phase is complete, the new service will be incorporated into the Messenger chat app. Facebook Messenger is a highly popular messaging app used by more than 700 million active users around the globe.

With M, users will be able to type or dictate a question, and M will respond according to the input. It can even be asked to purchase items from the internet, book reservations at popular dining places, or recommend places for the user to explore.

Facebook to get stiff competition from other Digital Assistants

Facebook is arriving late to the digital assistant market with M, after a long wait during which Apple, Microsoft and Google brought out their own powerful digital assistants. Apple already offers Siri, an embedded digital assistant that works by voice processing and helps users perform various daily tasks. Similarly, Microsoft offers its Cortana digital assistant on a range of devices, making life easier and simpler for users.

Google relies on Google Now, and Amazon offers Echo, which performs similar services with ease and simplicity. It will be hard to get users to switch to another digital assistant, or even to try one, when they already have a digital assistant running on their phone, tablet or laptop.

More start-ups riding on the wave of digital assistant

Start-ups such as Magic and Operator are also developing digital assistants, taking a new human-powered approach and integrating it into their apps. The human-powered approach lets them fulfil user requests with the help of real customer service representatives. Facebook's approach to its digital assistant is a hybrid of the two, combining algorithms with real customer representatives, which helps M deliver better and more intelligent results. For now, Facebook M is in beta and a small group of people is testing it.

Parallels Can Help You Put Windows on Your Apple Mac

Love Windows and wish someone could bring it to your Mac laptop? One company has been listening, and it has released brand new software offering exactly that. Parallels recently announced a new version of its software that brings the most loved features of Windows 10 to Mac devices. The software is called Parallels 11 and can run a full version of Windows on Mac computers without any rebooting.

Features of Parallels 11

Earlier versions of Parallels supported Windows 10, but this one brings a whole range of new features. The signature feature of Parallels 11 is Coherence mode, in which Mac users can run elements of Windows alongside Apple’s OS X. This was not possible in earlier versions, and the feature aims to provide the best of both operating systems on a single platform.

Apple’s Siri is limited to the iPhone and iPad range and has yet to appear on the Mac line of laptops, whereas Microsoft has already brought Cortana to Windows laptops alongside the Windows Phone platform. The best feature of Parallels 11 is that it brings Cortana to Mac laptops. The voice-controlled assistant can be invoked either through the Windows taskbar or by simply saying “Hey Cortana” on the Mac.

Cortana works amazingly well on the Mac

In limited testing of Cortana on a Mac laptop, the feature worked amazingly well without any glitches. Users can easily call up Cortana to conduct searches, set reminders, check the weather and traffic conditions and even hear a few jokes, all on their Mac. As usual, the responses were not quite as polished as on a Windows laptop, but they were very good for most normal tasks.

Parallels brings huge improvement in software with new version

The latest version of the Parallels software is well designed and subtle, aiming to make switching between the two major operating systems, Windows and OS X, a breeze. Parallels 11 lets users see both the Windows Action Center and Apple’s Notification Center at the same time without any hindrance. Users will be surprised at how well the two operating systems work together simply by looking at the Apple dock, which lists all the open Windows programs as well as the Windows taskbar.

Parallels has also brought the Mac’s “Quick Look” feature to Windows mode, so that users can preview a file by hitting the spacebar. One small feature worth mentioning is that right-clicking a file to open it on the Mac also works from the Windows side. Parallels 11 will be available for just $80 and will also support Apple’s upcoming OS, El Capitan.

Web Address Explosion is Bonanza for Cyber-Criminals


Explosion in Internet Addresses

According to a recently published industry study, the explosion in new internet addresses has created opportunities for criminals misusing shady domains such as .zip, .kim or .party. Attackers use the new domains to lure users into downloading malware, divulging personal data or spamming their friends, and a liberalisation of the Web has increased the number of top-level domains tenfold in the last two years.

Enterprise security company Blue Coat investigated tens of millions of websites and found that the most dangerous top-level domains (TLDs) were .zip, .review and .country, while the safest new ones were .london, .tel and .church.

Blue Coat noted in its study that, ideally, TLDs would all be run by security-conscious operators who diligently review new domain name applications and reject those that do not meet a strict set of criteria, but that for several of these new neighbourhoods this does not happen. The body that manages Web identifiers, the Internet Corporation for Assigned Names and Numbers (ICANN), launched an initiative to expand the number of TLDs in order to encourage competition and choice online.

Generic Top-Level Domains

Initially there were only six, not counting country codes: .com, .edu, .gov, .mil, .net and .org. Enterprises interested in selling new TLDs had to pay a $185,000 fee to the internet industry regulator ICANN and demonstrate that they were capable of running a registry.

More than a thousand new web address endings, known as generic top-level domains, are now being introduced. The size of the global domain name sales market is hard to determine, since many sales are private; sought-after domains change hands for millions of dollars, while more obscure ones can be had for about 99 cents.

The world’s largest accredited domain name registrar, GoDaddy (GDDY.IN), made sales of $1.4 billion last year and was valued at $3 billion in a public offering earlier this year. Also this year, Bain Capital bought Blue Coat for $2.4 billion, an indication of the strength of demand for cyber security technology.

Unscrupulous Operators on the Lookout to Hold Companies to Ransom

Law firm Hugh James explains that cybersquatters buy addresses similar to those of well-known companies, or ones they expect such companies may need in the future. The cybercriminals then hope to sell the web address for an inflated sum, or to profit from the extra web traffic that results from a well-known brand appearing high in online searches, boosting their own advertising revenue.

Around 198 cybersquatting disputes have been registered over the last eight months, compared with 48 in the first eight months after the new naming system was introduced. These include Red Bull, which challenged the use of `’, and Laura Ashley, which also challenged a domain use. Tracey Singlehurst-Ward, Senior Associate at Hugh James, stated that `businesses are being forced to spend time and money in these disputes. Tech-savvy, though often unscrupulous, operators are on the lookout to hold established companies to ransom’.

Tuesday, 1 September 2015

Samsung Smart Fridge Leaves Gmail Logins Open to Attack


Samsung Smart Fridge – MiTM attacks on Connections

Security researchers have identified a possible way of stealing users’ Gmail credentials from a Samsung smart fridge. At the recent DEF CON hacking conference, Pen Test Partners discovered the man-in-the-middle (MiTM) weakness that enabled the exploit during the IoT hacking challenge. The hack was against the RF28HMELBSR smart fridge, part of Samsung’s line-up of Smart Home appliances controlled through its Smart Home app.

Although the fridge uses SSL, it fails to validate SSL certificates, enabling man-in-the-middle attacks on most of its connections. The internet-connected device is designed to download Gmail Calendar information to its on-screen display. This shortcoming means that attackers on the same network could steal Google login information from their neighbours.

According to Ken Munro, a security researcher at Pen Test Partners, `the internet-connected device is designed to download Gmail Calendar information on its display and it seems to work the same way as any device running a Gmail calendar. The user or owner of the calendar, once logged in, can make updates, and those changes are then seen on any device on which a user could view the calendar’.

Fridge Fails to Validate Certificate

While SSL is in place, the fridge fails to validate the certificate, so an attacker who can get onto the network the fridge is on, probably through a de-authentication and fake Wi-Fi access point attack, can man-in-the-middle the fridge’s calendar client and steal Google login information from the neighbours.
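The defect described above is a TLS client that accepts whatever certificate it is shown. As an added illustration (not code from Pen Test Partners or Samsung), the Python below builds a client context the way such a device effectively behaves, with validation switched off, next to a properly validating one, and audits each for the weaknesses that make a MiTM possible; the function names are my own.

```python
import ssl


def make_client_context(validate_peer: bool) -> ssl.SSLContext:
    """Build a TLS client context.

    validate_peer=False reproduces the class of defect reported for the
    fridge: TLS is used, but the server certificate is never checked, so
    an on-path attacker can present any certificate and read the traffic.
    """
    if validate_peer:
        # Hardened: create_default_context() loads the system trust store
        # and enables both hostname checking and CERT_REQUIRED.
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT validates by default; the weak behaviour has to be
    # opted into explicitly. check_hostname must be cleared before CERT_NONE
    # is accepted, which is why the order of these two lines matters.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the certificate-validation weaknesses present in a context.

    An empty list means the context will reject an attacker's self-signed or
    mismatched certificate instead of silently accepting it.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("certificate hostname not checked")
    return findings


if __name__ == "__main__":
    for validate in (False, True):
        print("validate_peer=%s -> %s"
              % (validate, audit_client_context(make_client_context(validate))))
```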

Since the fridge is not yet available in Europe, the UK-based security consultancy ran short of time at DEF CON while trying to intercept communications between the fridge terminal and the software update server. Efforts to mount a firmware-based attack through a custom update were not successful, but they had more success when they pulled apart the mobile app and discovered a possible security problem in the process, though it was not confirmed.

The name of a file found in a keystore in the mobile app’s code indicated that it contains the certificate used to encrypt traffic between the mobile app and the fridge.

Working on IoT Security/Hacking Research

The certificate was password protected, though the credentials for it seemed to be stored in the mobile app in an obscured manner.

The next step would be to find the password and use the certificate data to authenticate to the fridge and send commands to it over the air. Pedro Venda of Pen Test Partners adds that `they wanted to pull the terminal unit out of the fridge in order to get physical access to things such as the USB port and serial or JTAG interfaces, but were unable to do so since they had run out of time. The MiTM is sufficient to expose a user’s Gmail information’.

The team at Pen Test Partners is working on more IoT security and hacking research. In February it published research revealing that Samsung’s smart TVs failed to encrypt voice recordings sent over the internet. Samsung said it was looking into the issue and stated that `at Samsung they understand that success depends on consumers’ trust and the products and services provided. Protecting consumers’ privacy is the top priority and they will work hard each day to safeguard valued Samsung users’.

Certifi-gate Vulnerability


Certifi-gate Vulnerability – Disclosed at Black Hat Conference

A mobile application exploiting the Certifi-gate vulnerability, which was disclosed at the Black Hat conference in Las Vegas earlier this month, has been removed from the Google Play store. Although the number of downloads of Recordable Activator, a screen recorder app for Android devices, is between 100,000 and half a million, researchers at Check Point Software Technologies, who discovered the vulnerability, stated that it could be successfully exploited on only three devices.

The company mentioned in a blog post that the data comes from Check Point’s own Certifi-gate scanner application. Data from the scans shows that LG devices are most at risk, followed by Samsung and HTC, and 16% of the devices responding to scans host vulnerable plugins. Certifi-gate was revealed at Black Hat three weeks ago and, when exploited, enables an attacker to take complete control of the device using a malicious mobile app or SMS message. The weakness stems from third-party remote support tools that are either pre-installed on Android devices by the developers and/or carriers, or available for download.

Mobile Remote Support Tools – mRST

Mobile remote support tools (mRSTs) are generally signed with OEM certificates, giving them system-level privileges for handling remote support tasks. Check Point revealed at Black Hat that these mRSTs have authentication problems that a malicious app could bypass.

The issue with Recordable Activator is that it downloads a vulnerable version of TeamViewer and abuses insecure communication between the app and system-level plugins. Apps signed with OEM certificates are treated as trusted and evade the native Android restrictions that would otherwise prevent an app like Recordable Activator from obtaining excessive permissions.

The app could then exploit the authentication vulnerability and connect to the plugin in order to record whatever is happening on the screen, according to Check Point. Ohad Bobrov, a Check Point researcher, explained at Black Hat that a malicious app impersonates the original mRST to obtain access to everything on the device.

Tools Pre-installed with No UI

Bobrov said during a press conference at Black Hat that the root of the problem is that on many devices these tools are pre-installed and, since they usually have no UI, users are unaware they exist: there is no icon and nothing visible on the device to indicate their presence.

This makes it easier for an attacker to take control of them. Check Point says the problem is not easy to patch, since the tools are generally pre-installed, and fixing them may require manufacturers to push updated ROMs to vulnerable devices. Although new versions of remote support tools such as TeamViewer are being released, older versions are likely to remain in circulation for a while.

He adds that it will take a long time for a new version to arrive, but the more problematic issue is not the bug itself but the architecture. Vendors and OEMs have signed the vulnerable mRST with their certificate, and that signature cannot be revoked without the plugin ceasing to function.