
How to protect your Android on public Wi-Fi

Posted by Harshad


Posted: 17 May 2011 06:45 PM PDT

ConnectBot creates a secure tunnel using SSH to protect your data while it's in transit.

(Credit: Screenshot by Seth Rosenblatt/CNET)

Android phones and tablets running version 2.3.3 and earlier suffer from a calendar and contact information vulnerability on public Wi-Fi networks, according to a new report. However, there are some concrete steps you can take to protect yourself.

Here's how it works. The vulnerability is in the ClientLogin Protocol API, which streamlines how the Google app talks to Google's servers. Applications request access by sending an account name and password via a secure connection, and the access is valid for up to two weeks. If the resulting authentication token is later sent over unencrypted HTTP, an attacker could use network sniffing software to steal it over a legitimate public network, or spoof the network entirely using a commonly-named public network, such as "airport" or "library." While this won't work in Android 2.3.4 or above, including Honeycomb 3.0, that only covers 1 percent of in-use devices.

Of course, the safest solution is to avoid using public, unencrypted Wi-Fi networks by switching to mobile 3G and 4G networks whenever possible. That's not always an option, especially for Wi-Fi-only tablet owners or those on tight data plans.

One legitimate if painstaking option is to disable syncing for the affected Google apps when connected via public Wi-Fi. The security risk affects apps that authenticate to the cloud by sending their authToken over plain HTTP rather than HTTPS. The apps tested by the researchers who wrote the report revealing the vulnerability included Contacts, Calendar, and Picasa. Gmail is not vulnerable because it uses HTTPS.

However, this is a cumbersome fix, as it requires going into each app before you connect and manually disabling syncing for the time you're on the particular public Wi-Fi. A much easier solution is to use an app. One of the best apps for secure communication is SSH Tunnel (download), which was designed for Android users stuck behind the Great Firewall of China. SSH Tunnel has some limitations: You must root your phone to use it, and the makers strongly advise people not in China to look elsewhere for a secure tunneling app.

A better solution appears to be ConnectBot (download), which even offers a version from its Web site that supports pre-Cupcake versions of Android.

Users of third-party custom ROMs like CyanogenMod ought to check what security enhancements their installed ROM comes with. CyanogenMod, for example, has VPN support built-in and turned off. Cyanogen users can access it from the Settings menu, tap Wireless and Network Settings, then tap VPN Settings.

Given the fragmentation on Android devices, this is a severe security risk that is mitigated only by its limitation to specific apps and public networks. The ideal solution is for Google to release app fixes or Android updates as soon as possible, although the company has given no indication of what steps it plans to take, or when. As always when using public Wi-Fi networks, proceed with caution.

JavaScript: Now powerful enough to run Linux

Posted: 17 May 2011 03:02 PM PDT

Fabrice Bellard has released a JavaScript program that can run Linux in a Web browser window.

(Credit: Screenshot by Stephen Shankland/CNET)

Step aside, Google Docs, there's a new JavaScript tour de force in town.

I'm talking about the latest project from programmer Fabrice Bellard, a JavaScript program that emulates an x86 processor fast enough to run Linux in a Web browser.

The JavaScript PC Emulator can do the work of an Intel 486 chip from the 1990s, but doesn't have a built-in floating point unit for numeric processing, Bellard said. Happily, Linux itself can emulate that, and a version of the operating system's core--2.6.20--runs on the foundation.

Bellard published a technical description of the JavaScript PC Emulator on Saturday, but today the project caught the notice of prominent techies, including Brendan Eich, a Mozilla programmer and the creator of JavaScript.

"I did it for fun, just because newer JavaScript engines are fast enough to do complicated things," Bellard said of the project. "I happen to be interested by the implementation of JavaScript engines these days--but I don't know yet if I will write my own any time soon! Anyway, this emulator was a way to learn how to write optimized code for recent JavaScript engines, in particular JaegerMonkey (for Firefox 4) and V8 (for Chrome)."

Bellard suggests some possibilities for more serious use, including benchmarks or running old DOS games. But probably the project's biggest practical repercussion is simply the news that JavaScript has matured enough to run an entire computer-within-a-computer.

Curious people can try the emulator with a modern browser that has fast JavaScript performance; it works with Firefox 4 but not newer versions of Google Chrome. And those who really want to dig in can look at the JavaScript PC Emulator's actual JavaScript code.

The project is the latest attention-getter from Bellard. The French programmer also wrote QEMU, software that can emulate one type of processor on another; FFmpeg, open-source software for playing and otherwise handling video and audio streams; QEmacs, a lightweight text editor for Unix systems; digital TV signal generator software that uses a computer's VGA card to broadcast TV over the air; Linmodem, Linux software that emulates a hardware modem chip; and a program that calculated pi to a then-record 2,699,999,990,000 digits using a mere personal computer.

Bellard also is a two-time winner of the Obfuscated C competition to produce clever but superficially incomprehensible programs in the C language.

Originally posted at Deep Tech

How to create a BitTorrent personal content channel

Posted: 17 May 2011 01:06 PM PDT

BitTorrent 8, released last week in beta, contains a sharp new feature that makes it easier than ever to create torrents of your personal files and share them with a personal group of friends or colleagues. The feature implementation isn't expected to change by the time that BitTorrent 8 graduates to its final version, so this How To ought to be viable for some time.

Create a Personal Content Channel in BitTorrent 8

Once you've installed BitTorrent 8 beta (download), take a quick tour of some of the public content channels that come with the program. This part isn't essential, however, it's worth seeing because it's a good place to get some ideas of the kinds of files you can share on your content channel. These pre-existing legal content channels include popular series like the TED educational lectures and legally shared music and movies. Click on one to add it to the channel bar at the top of the program.

Next, go to the My Files button on the right of the channel bar. If you haven't created a channel, this section will be blank. It's a little hard to see, but click the gray arrow just to the left of the My Files button and the Personal Channel wizard will open. Fill in your name, channel title, and upload an avatar to customize it. You can actually come back and do those steps later if you'd like.

To add files to share, hit the More Content tab, click Browse for File, and navigate to the files that you own the rights to. Once added, you can write a note about the file, choose people to share the link to the torrent with over e-mail, Twitter, or Facebook, and engage in real-time conversations with those friends directly from the central pane of the BitTorrent interface.

The link that gets sent out detects if the recipient has BitTorrent 8. If they don't, the link downloads the installer and automatically subscribes them to the channel after installation. If they do, it simply adds the channel. The channel acts as a grouping mechanism for the torrents contained within. Each file added gets its own torrent, so that subscribers don't have to fiddle with choosing files within a torrent.

BitTorrent has also said that it will guarantee the minimum health of the torrent. The equivalent number of seeders for that is still in flux, although BitTorrent lead engineer Thomas Ramplelberg said that it's currently around seven seeders.

The impact of Personal Content Channels on legally owned, personal file-sharing could be massive. It's a great tool for sharing high-resolution audio and video files that you own without having to reduce the file size first. Parents can share pictures and video with each other from school plays or sports events; artists of all kinds could share high-quality versions of both final works and works-in-progress with editors or fans; and businesses with multiple offices could use it to quickly transfer documents and multimedia presentations between disparate locations.

Currently, the beta is available only in English and only for Windows computers. For the duration of the beta, personal content channels will not have file size restrictions and are free to use. BitTorrent was unable to comment on whether the service would continue to be free of restrictions after BitTorrent 8 final was released, but it's still a killer file-sharing feature that combines the speed of torrents with the crispness of the high-quality files that our portable devices can now create.

Google's speedier iPhone app '20 percent' faster

Posted: 17 May 2011 12:19 PM PDT

Revamped Google Search on iPhone

Google hopes its revamp (right) offers up a cleaner layout for finding links.

(Credit: Google)

Google released an update to its Google Search app for iPhone today, claiming that the new and improved app is up to 20 percent more responsive than the previous version.

Interestingly, Google has decided that one of its signature features slows down performance and might erode accuracy. Just Talk uses the iPhone's accelerometer to activate voice search when you lift the phone to your ear, and was quite the stir when it first debuted. It's now turned off by default, though you can enable it in the settings and you can still manually launch a voice search by pressing the microphone button in the app.

In addition, Google has jiggered the search results to make them more finger-friendly. Fonts are larger, and you no longer have to precisely tap a link to open the page; you can just hit the target area. It looks like the concept of "fat fingered" selection has sunk in.

Google Search is free, and it's available in the App Store for devices running iOS 3.0 and above.

Originally posted at iPhone Atlas

Report: Android phones vulnerable to snooping attack

Posted: 17 May 2011 11:03 AM PDT

This is a screenshot of the Wireshark program sniffing out an authToken as an Android device accesses Picasa Web Albums.

(Credit: Jens Nickels, Bastian Konings, Florian Schaub)

Most of the Android smartphones on the market are susceptible to an attack in which someone could access calendar and contact data over an unencrypted Wi-Fi network, a team of German researchers said in a new report.

The problem is fixed in the latest version of Android, but 99.7 percent of all Android devices are running older versions, they said. Attacks can be carried out over unencrypted Wi-Fi hot spots by an attacker sniffing an authentication token (authToken) used by the Android devices when they communicate with the Google services, according to "Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol," which was released Friday.

It is "quite easy" to launch an impersonation attack against Google Calendar, Contacts, and Picasa Web albums on newer Androids, and theoretically all Google services using the ClientLogin authentication protocol for access to its data APIs (application programming interfaces), the report said.

A Google representative confirmed that the latest versions of Android, 2.3.4 for smartphones and 3.0 for tablets, do not have the problem. "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa," he said in an e-mail statement.

Here's how it works. With the ClientLogin Protocol, applications request an authToken from the Google service by sending an account name and password via an HTTPS (hypertext transfer protocol secure) connection. The authToken is valid for up to two weeks and is used for subsequent requests to the Google service API. If the authToken is sent over unencrypted HTTP, an attacker could use network sniffing software, like Wireshark, to grab it, the researchers said.
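The protocol flow just described (and the shorter account of it in the first article above) boils down to one check a defender can run over their own device's captured traffic: is a ClientLogin authToken ever sent on a connection that is not TLS-protected? The script below is an added example, not code from CNET or from the researchers' report. It assumes the documented ClientLogin header form `Authorization: GoogleLogin auth=<token>`; the hostnames, paths and token values in the sample captures are constructed.

```python
import re
from dataclasses import dataclass

# Requests authenticated with ClientLogin carry the token in this header
# (documented header format; everything below it is constructed sample data):
#   Authorization: GoogleLogin auth=<authToken>
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)",
                     re.IGNORECASE | re.MULTILINE)
REQUEST_RE = re.compile(r"^(?:GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/1\.[01]",
                        re.MULTILINE)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


@dataclass
class Leak:
    host: str
    path: str
    token_prefix: str  # keep only a hint; the full value is a live credential


def find_leaked_tokens(captures, tls_ports=(443,)):
    """captures: iterable of (dst_port, raw_http_request_text).

    Returns one Leak per request that carries a GoogleLogin authToken on a
    port that is not TLS-protected, i.e. a token that a passive observer on
    an open Wi-Fi network could read and reuse for up to two weeks.
    """
    leaks = []
    for port, raw in captures:
        if port in tls_ports:
            continue  # encrypted in transit; token not exposed to sniffing
        m = AUTH_RE.search(raw)
        if m is None:
            continue  # plaintext request, but no ClientLogin token in it
        host = HOST_RE.search(raw)
        req = REQUEST_RE.search(raw)
        leaks.append(Leak(
            host=host.group(1) if host else "?",
            path=req.group(1) if req else "?",
            token_prefix=m.group(1)[:6] + "...",
        ))
    return leaks


# Constructed sample captures: hostnames are illustrative, token values fake.
SAMPLE_CAPTURES = [
    (80, "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
         "Host: www.google.com\r\n"
         "Authorization: GoogleLogin auth=DQAAAL4AAADxyzFAKE\r\n\r\n"),
    (443, "GET /mail/feed/atom HTTP/1.1\r\n"
          "Host: mail.google.com\r\n"
          "Authorization: GoogleLogin auth=DQAAAMAAAABabcFAKE\r\n\r\n"),
    (80, "GET /images/logo.png HTTP/1.1\r\n"
         "Host: www.google.com\r\n\r\n"),
]


def audit_samples():
    """Run the check over the constructed captures; only the port-80 sync leaks."""
    return find_leaked_tokens(SAMPLE_CAPTURES)


if __name__ == "__main__":
    for leak in audit_samples():
        print(f"plaintext authToken {leak.token_prefix} sent to {leak.host}{leak.path}")
```

Feeding the function real captures exported from Wireshark would show which sync services on a given device still talk to Google over port 80, which is the list to disable before joining an open network.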

"For instance, the adversary can gain full access to the calendar, contacts information, or private Web albums of the respective Google user," they wrote. "This means that the adversary can view, modify, or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user."

An attacker could grab multiple authTokens by setting up a Wi-Fi access point with the same name as a common wireless network provider, such as T-Mobile, Starbucks, or AT&T Wi-Fi, and waiting for Android phones with default settings to automatically connect to a previously known network and start syncing immediately, according to the report. Syncing would fail, but the attacker could capture authTokens for each service that attempted to sync.

Not only does this expose Calendar data, but also exposes information about users' contacts. An attacker also could change the stored e-mail addresses of contacts and the Google user would be at risk then of inadvertently sending sensitive information to the attacker instead of the intended recipient, the researchers noted.

"We tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronization services)," the report said.

This pie chart from Google shows that as of May 2 most Android devices were on older versions of the operating system.

(Credit: Google)

Calendar and Contacts apps transmit requests in clear text via HTTP up to Android 2.3.3 and are therefore vulnerable to this type of attack. Since Android 2.3, the Gallery app provides Picasa Web Albums synchronization, which is also not encrypted, the researchers said. In Android 2.3.4 the Calendar and Contacts apps began using an HTTPS connection; however, the Picasa sync does not, they said.

Android users should update to Android 2.3.4 as soon as possible. "However, depending on your phone vendor you may have to wait weeks/months before an update is available for your phone," the researchers wrote.

Also, Android users should switch off automatic synchronization in the settings menu when connecting with open Wi-Fi networks and avoid using open Wi-Fi networks at all when using the apps.

Updated 3:34 p.m. PT with official Google statement saying it is working to fix the Picasa issue.

Originally posted at InSecurity Complex

Office² HD 4.0 adds PowerPoint support, mostly

Posted: 17 May 2011 09:00 AM PDT

Office², the app that lets you view and edit Microsoft Office Documents, has just today announced support for PowerPoint Presentations with version 4.0, making it a good way to take your Microsoft work with you on your iPad, but it has one major limitation.

It's no secret that when Apple's first iPad hit stores, working people wondered if they could get rid of their laptops and use the touch screen for business and productivity purposes. Apple offered up solid, but abbreviated versions of their own iWork suite (with some Microsoft compatibility), but many users' companies relied on Microsoft Office, and wanted the same controls from the core Office apps (such as Word and Excel) and the same user experience of Microsoft's Office suite on the iPad.

Office²

We were able to open and edit Word documents with ease and the proper formatting carried over perfectly.

(Credit: Screenshot by Jason Parker/CNET)

Byte² seemed to be on the right track, having developed Office² last April for iOS, which let you view and edit Microsoft Office documents including Word docs and Excel spreadsheets. Office² 4.0, released today, adds PowerPoint presentations to that list, adding another integral business medium for users so they can view, edit, and preview their presentations on the iPad. The only problem is, it doesn't work for the latest version of PowerPoint, meaning that you'll be able to edit the older .PPT files, but you'll only be able to view the latest PPTX files. Byte² says that it will be rolling out PPTX file support in the near future, but this may be the issue that prevents people from buying this app. It's also worth noting that Apple's Keynote already lets you view and edit PPTX files, but you'll need to pay $9.99 just for Keynote alone; Word and Excel documents would require you to buy Pages ($9.99) and Numbers ($9.99) to open the other file types.

Office²

We had to use an older PowerPoint presentation for this screenshot, but it worked fairly well (say hello to the old CNET logo).

(Credit: Screenshot by Jason Parker/CNET)

Office² also lets you connect to any of several cloud-based services to upload and transfer your documents. Services like MobileMe, Dropbox, Google Docs, MyDisk, and others are all supported, making it easy to connect to the service you use most.

Along with cloud storage support, Office² supports legacy Office files--both Office 2010 and Office 2003 Excel and Word documents can be viewed and edited on your iPad. Adobe Reader support means you also can read or create Adobe PDF files wherever you are.

Overall, Office² looks like it's on the right track for letting you view and edit Microsoft Office documents on the iPad, with some basic tools to edit docs while on the go. But until Office² offers all the latest file types, some users may want to wait for future versions.

New Slacker Premium merges radio with on-demand

Posted: 17 May 2011 12:01 AM PDT

(Credit: Slacker Radio)

Slacker Radio, the popular streaming radio site and mobile application (iPhone | Android | BlackBerry), has just launched a third tier of service, bringing yet another layer of listening options to its music-hungry users. Dubbed Slacker Premium Radio, the new tier is the first to merge the ease and unpredictability of programmed radio stations with the power of an on-demand music service. Slacker's menu, dramatically bolstered by this new Premium offering, now appears to have something for pretty much everyone.

(Credit: Slacker Radio)

As a Basic, first-tier user you can listen to Slacker's standard curated and socially programmed radio stations. Meanwhile, as a Radio Plus subscriber you can enjoy ad-free radio with unlimited skips and the ability to cache stations on a mobile device. Now, with the new Premium Radio subscription for $9.99 a month, you can get truly granular with your listening experience by picking out any song or album in the entire Slacker Radio catalog and adding it to your queue. In addition, you can access station playlists, top-50 charts for every station, single-artist radio stations, and much more. Artist pages are also a nice touch, with in-depth biographies, discographies, and other info, only available to Premium subscribers.

If you're willing to shell out the cash, Slacker Premium Radio really is an ultimate streaming radio experience.

(Credit: Slacker Radio)

And of course, with its powerful new Premium Radio service, Slacker has also posted an upgrade to its mobile app, which is ready for download on iOS, Android, and BlackBerry devices today. This new upgrade enables all of the new features for Premium subscribers, as well as a few new features for all listeners, including the ability to create a radio experience based on several stations or several artists at a time.

Slacker Premium Radio is available for $9.99 a month either through Slacker.com or through direct carrier billing (for participating mobile carriers). But for a limited time, you can get a free subscription by visiting www.facebook.com/SlackerRadio. If streaming radio is a part of your daily life, we highly recommend at least trying it out.
