Netcore, Netis routers at serious risk from hardcoded passwords : More than two million of the devices on the Internet may be vulnerable to hackers monitoring their Internet traffic, Trend Micro says

A line of routers from a China-based manufacturer has a serious flaw that could allow a hacker to monitor someone's Internet traffic, according to research from Trend Micro.

The routers are sold under the Netcore brand name in China and Netis outside of the country, wrote Tim Yeh, a threat researcher.

Trend found a "backdoor," or a semi-secret way to access the device, Yeh wrote. The password needed to open up the backdoor is hardcoded into the device's firmware. All of the routers appear to have the same password.

"Attackers can easily log into these routers, and users cannot modify or disable this backdoor," he wrote.

Backdoors can be used for legitimate product support, but coding such access methods into software is generally discouraged for fear of abuse.

The Netcore and Netis routers have an open UDP port, 53413, which can be queried since the routers have an externally accessible IP address, Yeh wrote. Trend Micro scanned the Internet and found more than 2 million IP addresses with the open UDP port, which could indicate vulnerable equipment.

"Almost all of these routers are in China, with much smaller numbers in other countries, including but not limited to South Korea, Taiwan, Israel, and the United States," Yeh wrote.

Trend Micro has notified the company but did not receive a response. Company officials reached in Shenzhen didn't have an immediate comment.

By using the backdoor, an attacker could upload or download files to the device. A router's settings could also be changed to allow a hacker to monitor a person's Internet traffic as part of a man-in-the-middle attack, Yeh wrote.

Trend also found that a file containing a username and password for the routers' Web-based administration control panel is stored unencrypted, which could be downloaded by an attacker.

It doesn't appear that most Netcore and Netis routers support the installation of other open-source firmware packages, such as dd-wrt or Tomato, that could be used to replace the vulnerable software, Yeh wrote.

"Aside from that, the only adequate alternative would be to replace these devices," he wrote.

Mobile apps could be abused to make expensive phone calls : Mobile applications often don't warn users before a call is made, which a developer says could be misused

A security precaution skipped in mobile applications such as Facebook's Messenger could be abused to make an expensive phone call at a victim's expense, a developer contends.

Phone numbers often appear as links on a mobile device. That is possible by using a Uniform Resource Identifier (URI) scheme called "tel" to trigger a call.

URI schemes are a large family of descriptions that can tell a computer where to go for a certain resource, such as launching a mail application when an email address is clicked.

Andrei Neculaesei, a full-stack developer with the wireless streaming company Airtame in Copenhagen, contends there's a risk in how most native mobile applications handle phone numbers.

If a person clicks on a phone number within Apple's mobile Safari browser, a pop-up asks if a person wants to proceed with a call.

But many native mobile applications, including Facebook's Messenger and Google's +, will go ahead and make the call without asking, Neculaesei wrote on his blog.

Mobile apps can be configured to display a warning, but on most applications it's turned off, Neculaesei said via email on Thursday.

He found a malicious way to abuse the behavior. He created a Web page containing JavaScript that caused a mobile application to trigger a call after someone merely viewed the page. The JavaScript automatically launches the phone number's URI when the page is opened.

A demonstration on his blog showed how a malicious link, sent through Facebook's Messenger, will launch a call when viewed. Neculaesei wrote that someone could create a link that when viewed immediately launches a call to a premium-rate number, which the attacker gets the revenue from.

His testing found that Facebook's Messenger app, Apple's Facetime, Google's Gmail, and Google + applications do not warn users before launching a call.

A Facebook spokeswoman said Friday its mobile application would be updated soon to fix the issue. Google couldn't be immediately reached for comment.

Neculaesei wrote that he only tested a few big-name apps, but it's probable that smaller teams and platforms haven't thought about the risk either.

Neculaesei's finding dovetails with research presented earlier this month at the Bsides security conference in Las Vegas.

The biggest iPhone security risk could be connecting one to a computer : Design quirks allow malware to be installed on iOS devices and cookies to be plucked from Facebook and Gmail apps

Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect.

Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled.

The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

"We believe that Apple kind of overtrusted the USB connection," said Tielei Wang, a co-author of the study and research scientist at the institute.

Last year, Wang's team developed Jekyll, an iPhone application with well-masked malicious functions that passed Apple's inspection and briefly ended up on its App Store. Wang said although the research was praised, critics contended it might have been hard to get people to download Jekyll amid the thousands of apps in the store.

This time around, Wang said they set out to find a way to infect a large number of iOS devices and one that didn't rely on people downloading their malicious app.

Their attack requires the victim's computer to have malware installed, but there's a thriving community of people known as "botnet herders" who sell access to large networks of compromised computers.

Wang said they conducted their research using iOS devices connected to Windows, since most botnets are on that platform, but their attack methods also apply to OS X.

Apple requires a person to be logged into his account in order to download an application from the App Store. But Wang and the researchers developed a man-in-the-middle attack that can trick an Apple device that's connected to a computer into authorizing the download of an application using someone else's Apple ID.

As long as the application still has Apple's digital signature, it doesn't even need to still be in the App Store and can be supplied from elsewhere.

But Apple is pretty good at not approving malicious applications, so the researchers found another way to load a malicious app that didn't involve the App Store.

Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.

Wang's team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn't see a warning.

That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.

"The whole process can be done without the user's knowledge," Wang said. "We believe that it is a kind of weakness."

Wang said Apple has acknowledged the team's research, some of which was shared with the company last year, and made some changes. An Apple spokeswoman in Sydney did not have a specific comment on the research.

One of Apple's changes involved displaying a warning when an iOS device is connected to a particular computer for the first time, advising that connections should only be made with trusted computers, Wang said. That advice is only displayed once.

To be sure, Apple has powerful ways to disable such attacks. It can remove applications from the App Store, remotely disable applications on a device and revoke developer certificates. And it's questionable if an attacker would see an economic benefit from infecting large numbers of iOS devices.

But state-sponsored hackers and cyberspies opt for stealthy, targeted attacks aimed at just a few users. This method could be of use if an attacker knows exactly who is using a specific, compromised computer.

They also found another weakness when an iOS device is connected over USB. The host computer has access to a device not only through iTunes but also via a protocol called Apple File Connection, which is used for accessing images or music files.

That protocol has access to files within iOS's application directories, which include secure, "https" cookies, according to their research paper. Cookies are small data files that allow Web services to remember that a person is logged in, among other functions.

Cookies are especially sensitive since they can be used to hijack someone's account. iOS prevents applications from accessing each other's cookies. But it doesn't stop a desktop computer from grabbing that information, Wang said.

The researchers recovered login cookies, including those for Facebook and Google's Gmail. Neither of those companies had a comment.

The best advice is to not connect your phone to a computer, especially if you think the computer might be infected with malware.

"Just avoid that," Wang said.

The study was co-authored by Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau and Wenke Lee.

Hackers steal data on 4.5 million U.S. hospital patients : Community Health Systems says the breach occurred in April and June

A major U.S. hospital operator says hackers based in China broke into its computer systems and stole data on 4.5 million patients.

Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place.

Working with a computer security company, it determined the attack was carried out by a group based in China that used "highly sophisticated malware" to attack its systems. It didn't release specific details of the attack.

"The attacker was able to bypass the company's security measures and successfully copy and transfer certain data outside the company," it said in a filing with the U.S. Securities and Exchange Commission.

The group is apparently known to U.S. federal law enforcement authorities, which are now involved in the case. But the identity of the group was not disclosed.

The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical or clinical information.

Community Health Systems, based in Franklin, Tennessee, is one of the largest hospital operators in the U.S. with 206 hospitals in 29 states from New York across the South to the Pacific coast.

The attack ranks as the second largest disclosed attack to hit the U.S. medical industry in the last few years, according to data from the Department of Health and Human Services.

The only one that was bigger involved data on 4.9 million military clinic and hospital patients stolen from Science Applications International Disclosed in 2011, the loss happened when data backup tapes containing records from 1992 through September 2011 were lost.

A second incident that comes close was the theft of a personal computer from Advocate Medical Group in a 2013 burglary that contained information on around 4 million patients.

The biggest iPhone security risk could be connecting one to a computer : Design quirks allow malware to be installed on iOS devices and cookies to be plucked from Facebook and Gmail apps

Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect.

Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled.

The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

"We believe that Apple kind of overtrusted the USB connection," said Tielei Wang, a co-author of the study and research scientist at the institute.

Last year, Wang's team developed Jekyll, an iPhone application with well-masked malicious functions that passed Apple's inspection and briefly ended up on its App Store. Wang said although the research was praised, critics contended it might have been hard to get people to download Jekyll amid the thousands of apps in the store.

This time around, Wang said they set out to find a way to infect a large number of iOS devices and one that didn't rely on people downloading their malicious app.

Their attack requires the victim's computer to have malware installed, but there's a thriving community of people known as "botnet herders" who sell access to large networks of compromised computers.

Wang said they conducted their research using iOS devices connected to Windows, since most botnets are on that platform, but their attack methods also apply to OS X.

Apple requires a person to be logged into his account in order to download an application from the App Store. But Wang and the researchers developed a man-in-the-middle attack that can trick an Apple device that's connected to a computer into authorizing the download of an application using someone else's Apple ID.

As long as the application still has Apple's digital signature, it doesn't even need to still be in the App Store and can be supplied from elsewhere.

But Apple is pretty good at not approving malicious applications, so the researchers found another way to load a malicious app that didn't involve the App Store.

Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.
Wang's team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn't see a warning.

That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.

"The whole process can be done without the user's knowledge," Wang said. "We believe that it is a kind of weakness."

Wang said Apple has acknowledged the team's research, some of which was shared with the company last year, and made some changes. An Apple spokeswoman in Sydney did not have a specific comment on the research.

One of Apple's changes involved displaying a warning when an iOS device is connected to a particular computer for the first time, advising that connections should only be made with trusted computers, Wang said. That advice is only displayed once.

To be sure, Apple has powerful ways to disable such attacks. It can remove applications from the App Store, remotely disable applications on a device and revoke developer certificates. And it's questionable if an attacker would see an economic benefit from infecting large numbers of iOS devices.

But state-sponsored hackers and cyberspies opt for stealthy, targeted attacks aimed at just a few users. This method could be of use if an attacker knows exactly who is using a specific, compromised computer.

They also found another weakness when an iOS device is connected over USB. The host computer has access to a device not only through iTunes but also via a protocol called Apple File Connection, which is used for accessing images or music files.

That protocol has access to files within iOS's application directories, which include secure, "https" cookies, according to their research paper. Cookies are small data files that allow Web services to remember that a person is logged in, among other functions.

Cookies are especially sensitive since they can be used to hijack someone's account. iOS prevents applications from accessing each other's cookies. But it doesn't stop a desktop computer from grabbing that information, Wang said.

The researchers recovered login cookies, including those for Facebook and Google's Gmail. Neither of those companies had a comment.

The best advice is to not connect your phone to a computer, especially if you think the computer might be infected with malware.

"Just avoid that," Wang said.

How hackers used Google to steal corporate data : Attackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

A group of innovative hackers used free services from Google and an Internet infrastructure company to disguise data stolen from corporate and government computers, a security firm reported.

FireEye discovered the campaign, dubbed Poisoned Hurricane, in March while analyzing traffic originating from systems infected with a remote access tool (RAT) the firm called Kaba, a variant of the better known PlugX.

The compromised computers were discovered in multiple U.S. and Asian Internet infrastructure service providers, a financial institution, and an Asian government organization. FireEye did not disclose the name of the victims.

The unidentified hackers had used spear-phishing attacks to compromise the systems, then used the malware to steal sensitive information and send it to remote servers, FireEye said.

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.

In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.
"It was a novel technique to hide their traffic," Ned Moran, senior threat intelligence researcher for FireEye, said Thursday.

The attackers' tactics were clever enough to trick a network administrator into believing the traffic was headed to a legitimate site, Moran said.

The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.

In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the "Police Mutual Aid Association" and with an expired certificate from an organization called "MOCOMSYS INC."

In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and edirect the traffic to that location.

Google Developers, formerly called Google Code, is the search engine's website for software development tools, APIs, and documentation on working with Google developer products. Developers can also use the site to share code.

With Hurricane Electric, the attacker took advantage of the fact that its domain name servers were configured, so anyone could register for a free account with the company's hosted DNS service.

The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.

In addition, Hurricane did not check whether newly created zones were already registered or owned by other parties, FireEye said.

Google and Hurricane were notified of the malicious use of their services, Moran said. Both companies had removed the attack mechanisms.

"We appreciate FireEye discovering and documenting this unusual attack, so that we could immediately fix our service to eliminate the possibility of this type of abuse in the future," Mike Leber, a spokesman for Hurricane said in an email sent to CSOonline.

Moran believed the services were victims of hacker creativity versus a flaw.

"These are services offered online that can be used for good or ill," he said. "A gun can be used to protect and a gun can be used to hurt."

Microsoft, Google, others back Facebook in New York privacy dispute : Facebook is seeking important rulings on the collection of bulk user data under gag orders

Key technology companies including Google, Microsoft and Twitter on Friday filed in support of Facebook's dispute with the New York County District Attorney's office over the collection of user data in bulk under a gag order for a fraud investigation.

The New York Civil Liberties Union and the American Civil Liberties Union also filed an amicus curiae brief Friday in support of the Facebook plea.

Facebook said in June that a court in New York directed it to turn over to law enforcement virtually all records and communications for 381 accounts, including photos, private messages and other information. The social networking company was also prohibited from informing the targeted persons who included "high schoolers to grandparents, from all over New York and across the United States."

Of the 381 people whose accounts were covered under the warrants, 62 were later charged in a disability fraud case, Facebook said. The NYCLU in a statement Friday objected to "broad fishing expeditions" by government into personal and social conversations with family and friends with no regard to user privacy.

In its appeal in the appellate division of the New York State Supreme Court, Facebook is asking the court for the return or destruction of the data. It has also asked for a ruling on whether the warrants, which authorized collection of large amounts of personal information and communications without an "apparent connection to the crimes under investigation, or procedures requiring the return of the seized information," are in violation of the Fourth Amendment to the U.S. Constitution that prohibits unreasonable searches and seizures of property.

The company is also asking for a ruling on whether the gag provisions of the warrants violated the Stored Communications Act and the First Amendment, and as importantly whether it has standing to challenge the warrants on behalf of its users.

The trial court had ruled in the negative in September on these issues, according to a Facebook filing. The court documents and warrants were unsealed after Facebook's appeal.

Dropbox, Google, LinkedIn, Microsoft, Twitter and Yelp in their motion for leave to file an amicus curiae brief argue that the service provider has third-party standing to raise the constitutional rights of its subscribers, particularly as the provider is subject to a gag order.

"Unless Facebook is able to assert its subscribers' constitutional rights -- and any of its own rights -- the legality of the government's actions with respect to those subscribers will escape review altogether. And had the government chosen to indict no one, no one would have been the wiser," according to the filing.

Foursquare Labs, Kickstarter, Meetup and Tumblr separately filed a brief asking that the trial court's order should be reversed and the bulk warrants quashed. To act as custodians of their users' private information, Internet companies must have the choice to either object to unlawful government intrusions or notify users of such intrusions, according to the filing. "The Trial Court's order denying both options must be reversed," the companies said in an amicus curiae brief.

Describing themselves as the "New York Amici," the small and medium-size platforms said smaller companies may not have the resources to litigate each search warrant or court order, which makes it important to provide users with notice and an independent opportunity to object.

The New York County District Attorney's office could not be immediately reached for comment. Facebook said it did not have a comment beyond its remarks in June.

21 अगस्त से बुक कीजिए हिंदी में डोमेन नेम...

नई दिल्ली। सरकार वेबसाइट्स के देवनागरी लिपि में डोमेन नेम बुकिंग 21 अगस्त से शुरू करेगी। पहले इसे 15 अगस्त से शुरू किया जाना था।

देवनागरी लिपि का इस्तेमाल हिंदी, मराठी, डोगरी के अलावा आठ अन्य आधिकारिक भाषाओं में लिखने के लिए किया जाता है। इसमें एक्सटेंशन 'डॉट भारत' होगा। वेबसाइट के लिए डोमेन नेम की बुकिंग 350 रुपये में और सब-डोमेन नेम की बुकिंग 250 रुपये में होगी।

पहले दो महीने ट्रेडमार्क या कॉपीराइट वाली कंपनियां ही बुकिंग करवा सकेंगी।

Oracle issues fix for Java update that crippled some Web apps : A work-around is available for users who are unable to apply Java upgrades, Oracle says

There's relief available for users who applied a recent Java update that stopped some Web applications from being able to launch.

Oracle has issued Java 7 Update 67 which contains a fix for the problem that cropped up in Java 7 Update 65, according to an official blog post.

The issue only involves a number of Web Start and Applet applications, and not any client or server-side software, according to the blog. The new Java update "is not a security fix or Critical Patch," the blog states.

Administrators should direct their users to download and install the update, Oracle added. The blog also describes a manual work-around users can take if they're unable to upgrade Java.

Those in such a bind should open their Java control panel, select the Java tab, then click "view." Once there, they should enter the number 7 in the area marked "runtime parameters," and then backspace over it, according to the blog.

While the issue resolved by Java Update 67 doesn't involve security, Oracle has faced pressure from community members following the discovery of high-profile vulnerabilities in the widely used programming language, which it gained control of through the acquisition of Sun Microsystems in 2010.

Last year, Oracle's head of Java security promised the company would fix Java's issues and step up its community outreach efforts.

Oracle's most recent quarterly Java security update, issued in July, contained 20 fixes. That total was down significantly from the 37 Java fixes shipped in the April update and 36 issued in January.

5 reasons Internet crime is worse than ever : Why does Internet crime remain a menace? These five reasons have enabled us to accept it -- but that complacency may not last

I've been fighting Internet crime for more than 20 years. In the old days, the daily malware hot sheet was known as the Dirty Dozen -- because it listed only a dozen malware programs. Today we have literally hundreds of millions of malware programs, thousands of professional hacking organizations, and tens of thousands bit players who steal hundreds of millions (if not billions) of dollars via the Internet every year.

Though we have smarter online users, better detection tools, and a host of legal tools at our disposal, Internet crime is worse than ever. It's been a long time since I've run into someone who hasn't had his or her life impacted by Internet crime.

How did we ever let Internet crime get so big? Why do we let Internet criminals get away with so much that it impacts and threatens nearly every transaction we commit over the Internet? Read on:

1. Internet criminals almost never get caught

The world is full of malicious individuals who have no problem skirting rules and laws, as well as taking property that belongs to other people. Bad people exist -- and the Internet is a very low-risk neighborood in which they can run amok.

There are tens of thousands of Internet criminals, almost none of whom get caught or prosecuted. If you're an Internet criminal, you have to be especially brazen for a long time -- and make mistakes -- before you get caught.

You don't have to be a mastermind or uber hacker. One of the most popular misconceptions is that you have to be hyperintelligent to get away with cyber crime. The exact opposite is true. Most Internet criminals I've met (and chatted with online) are not particularly smart. They couldn't program a simple notepad application, and they certainly don't have to be as smart as the average defender.

They simply lack morals, buy programs from other, smarter programmers, and want to roll the dice and take the risk. But they aren't taking any real risk, and that's the central problem: You can get rich without much risk of getting caught. Until this equation changes, we will never see a significant decrease in Internet crime.

2. Indefinite legal jurisdiction

Most Internet crime takes place across international borders. Law enforcement agencies are always limited to jurisdictional boundaries. For instance, a city police officer in Billings, Mont., can't easily arrest someone in Miami, Fla. We have federal law enforcement agencies, which reach across city and state boundaries, but they can't easily traverse international boundaries.

The FBI can't go to China and arrest someone just because they have legal evidence a crime being committed by a person there. They have to submit a request, which will likely be ignored, to Chinese authorities. But let's not pick on the Chinese. It's not like we're going to arrest an American citizen and ship him off to Beijing anytime soon, either, regardless of the evidence.

Sometimes law enforcement agencies of one nation work with another nation's law enforcement, but these occasions are rare. Plus, the really big ones involved with the majority of the Internet crime, like Russia, China, and the United States, certainly don't cooperate with each other.

3. Lack of legal evidence

Another huge impediment to successful convictions is the lack of official, legal evidence. Most courts accept "the best representation" of evidence recorded during the commission of a crime. But most computer systems -- and many networks in totality -- don't collect any evidence at all, much less evidence that might stand a chance of holding up in court. I'm still surprised by the number of computers I investigate that don't, at a minimum, have event logging turned on.

Even if more evidence was collected, most of it wouldn't stand up to a decent lawyer, assuming it would even be allowed in court. Collecting and preparing good legal evidence takes planning and commitment. Few organizations have the dedication or expertise.

4. Lack of resources

Few victims or victim advocacy groups have the resources, technology, or funding to pursue Internet criminals. I know many people who have lost tens of thousands of dollars to fraudulent transactions, including car sales, stock trades, bank transfers, and so on. Unfortunately, the amount lost usually pales compared to the cost of the resources that would be needed to recover the funds.

Many victims are too ashamed of their own gullibility to report the crime. If they do, a report will be taken -- and that's that. Your local enforcement agency isn't about to cross international boundaries to try and to recover your personal money. You can report it to the proper authorities, but rarely will they do anything to recover the damages or prosecute.

5. Cyber crime isn't hurting the economy enough (yet)

Lastly, the amount of Internet crime isn't hurting economies enough to raise a global red alert. Sure, Internet crime probably results in the loss of hundreds of millions -- or perhaps several billion -- dollars each year, but that amount of crime has persisted for a long time, well before the Internet.

Most of today's Internet crimes are newer versions of crimes and scams that have been occurring for decades before the Internet was around. Take credit card fraud: Retail stores would once look up known fraudulent credit card numbers in little paper books that the credit card vendors handed out. Nigerian scams have been around, via paper letters, phone calls, or faxes, at least since the 1990s.

Unfortunately, most Internet crime is seen as a necessary cost of doing business. As long as the majority of transactions are legitimate, the noise will be acceptable.

The solution is right in front of us

I've often wondered what it would take for our world to decide to diminish Internet crime substantially. We've had the means and technology to do so for a long time. We are not waiting for some fantastic new technology. Everything we need we already have, except for global consensus on how to do it and actually enabling the new features.

Personally, I think it's going to take a huge disaster. A digital catastrophe will happen eventually and bring down much of the Internet for a few days -- or shut down financial markets for a few hours or more. Passive acceptance of Internet crime will no longer be tolerated. We'll finally have to do something about it.

SAP ties up with Apigee for API management : Apigee's platform will serve as a middleman between SAP systems and mobile apps

SAP will resell software from Apigee in a move to help customers and partners build mobile applications, products and services that securely tap data from SAP systems.

The deal will result in a product called SAP API Management, a rebadged version of Apigee's Edge platform, which will be available in both on-premises form and on SAP's Hana Cloud Platform, according to an announcement Thursday.

The Apigee product's approach should calm the nerves of conservative SAP system administrators, who may be resistant to allowing external applications to call into critical back-end systems directly, said Joav Bally, chief product manager for Gateway and SAP API Management.

He compared Apigee's platform to a bouncer at a nightclub. "It decides who gets into the club or not," he said.

Apigee stands between back-end systems and applications running on mobile devices, websites, POS (point of sale) systems and other places, according to the company's website.

The applications interact with a proxy API (application programming interface) sitting on Apigee's platform, which relays calls to the back end. Apigee provides a framework for security and authorization, as well as the ability to throttle the amount of traffic moving through an API in order to avoid overloading back-end systems.

The proxy approach means SAP customers will have the ability to make changes to their systems as long as they maintain the API on Apigee. In turn, developers don't have to rewrite anything in order to handle such changes, since their applications talk only to the API.

Apigee also provides customers with analytics showing how their APIs are being used, as well as various ways to charge third-party developers for access to APIs.

With the Apigee deal, SAP is signaling a desire to keep pace with rivals such as Salesforce.com when it comes to opening up its software to the world in a secure way. In November, Salesforce.com introduced a new version of its platform that features 10 times as many APIs as before, allowing for a much wider array of integration scenarios.

"APIs are hot, and not just for digital businesses," said IDC analyst Al Hilwa, via email. "In a way, all companies are finding ways to connect with customers and partners through digital means, no matter the product. This is driving a huge wave of architecting systems for external use through APIs."

With Apigee, SAP is partnering with a company that has a wealth of experience in API management, Hilwa added: "SAP is wise to accelerate its investment in this area and support its large contingency of customers with their API efforts."

SAP is also trying to attract partners, particularly startups, to build software for its Hana cloud platform and marketplace, hoping to repeat the success Salesforce.com has had with its own AppExchange. The addition of Apigee's technology to the mix is clearly aimed at making it easier for those companies to interact with SAP systems.

Google makes Hangouts more enterprise friendly : Hangouts and Chromebox for Meetings get a business-focused update

Google is looking to make your work day a bit more social and is taking its Google Hangouts into the business arena.

The company is trying to make it easier for enterprises to use Hangouts for face-to-face, if not in-person, meetings, according to Clay Bavor, vice president of product management for Google Apps.
The Hangouts feature, which was first introduced as part of Google+, comes to the enterprise as part of a slew of new features for Google Apps for Business customers.

Starting today, even non-Google+ users can use Hangouts at work. Any Google Apps customer can start or join a high-definition video meeting that connects up to 15 participants -- from a computer or Chromebox for Meetings device. Google noted that the same ability will "soon" be available on smartphones and tablets.

"Hangouts is now covered under the same Terms of Service that support our other Google Apps for Business products, like Gmail and Drive," wrote Bayor, in a blog post. "That means we've got your back with 24x7 phone support and a 99.9% guaranteed uptime, as well as ISO27001, SSAE 16/ISAE 4302 and SOC 2 certification. Additional enterprise integration with Google Apps Vault is coming by the end of the year."

Taking Hangouts to the business community is another way for Google to get its foot in the door with enterprises. However, it's also part of the company's effort to push out Chromebox, Google's Chrome OS-based corporate meeting device, to a bigger, and more business-minded, audience.

"In the coming months, we'll be making Chromebox for Meetings work better in rooms of all shapes and sizes," Bayor wrote. "In larger conference rooms, you can connect two displays to one Chromebox for meetings device to see your audience and project a presentation at the same time. And if you've ever wanted a dedicated setup for video meetings for your home, new personal calendar integration means you will be able to easily set up Chromebox for meetings outside the office."

He added that IT administrators can better manage meetings directly from the Google Apps Admin Console, giving them options like remote starting, muting and ending a meeting.

"Google is moving into the enterprise, or at least trying to," said Ezra Gottheil, an analyst with Technology Business Research. "I know Hangouts was introduced with Google+, but Hangouts is cleaner, more understandable, and more business-friendly, as a stand-alone chat, video-chat, video-conferencing application."

Google is scheduled to hold a Hangout on Aug. 19 to go over the new features.

Google used this video to introduce its update to Chromebox for meetings, while making Hangouts easier to use in the enterprise.

Judge rules against Microsoft in email privacy case : The company is compelled to comply with a U.S. warrant for emails held on a server in Ireland, a judge rules

A U.S. district court judge has ruled against Microsoft in the company's effort to oppose a U.S. government search warrant for emails stored in Ireland.

On Thursday, Judge Loretta Preska of the U.S. District Court for the Southern District of New York rejected the company's appeal of an earlier ruling requiring it to turn over emails stored in the company's facility in Dublin. Preska ruled that Microsoft will not have to turn over the emails while it files an appeal.

Preska, in an oral ruling from the bench, sided with a magistrate judge's April ruling quashing Microsoft's opposition to the warrant, related to a criminal case, from the U.S. Department of Justice.
Microsoft will appeal Preska's ruling to the U.S. Court of Appeals for the 2nd Circuit, the company said. Microsoft has argued that the DOJ has no authority to issue warrants related to emails stored outside the U.S.

"The only issue that was certain this morning was that the district court's decision would not represent the final step in this process," Microsoft general counsel Brad Smith said in a statement. "We will appeal promptly and continue to advocate that people's email deserves strong privacy protection in the U.S. and around the world."

U.S. law has long required search warrants to name the specific location of the information they seek, instead of requiring a company receiving the warrant to search multiple locations for the information, as has happened in the Ireland case, Microsoft has argued. U.S. search warrants also haven't been able to reach overseas, just as U.S. residents wouldn't want foreign courts to be able to search domestic locations, Smith has said.

U.S. Attorney Preet Bharara of the Southern District of New York has opposed Microsoft's attempts to invalidate the warrant. If Microsoft's interpretation of the law is upheld, Web services providers could move content around the world in an effort to avoid law enforcement requests, Bharara wrote in a brief to the court.

Microsoft EMET 5.0 security tool puts a leash on plug-ins : Latest version of the free toolkit allows administrators to block third-party plug-ins -- a favored route for attackers

The latest release of a Microsoft security tool that's designed to stop exploits lets administrators control when third-party plugins are launched, a long favored route for attackers.

Microsoft has been steadily improving and adding more capabilities to the Enhanced Mitigation Experience Toolkit (EMET), a free tool that strengthens the security of non-Microsoft applications by using defenses built within Windows, such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).

The latest 5.0 iteration, released Thursday, includes something called "Attack Surface Reduction," which can block some of an application's modules or plugins that might be abused, wrote Chris Betz, senior director of the Microsoft Security Response Center.

He wrote that Microsoft Word, for example, can be prevented from loading an Adobe Flash Player plugin or allow Java plugins to only run from intranet-zone sites rather than outside ones.

Third-party software is often favored by hackers as finding vulnerabilities in the Windows operating system has become more difficult. Java, an application framework for running applications, is often targeted, as well as applications from Adobe Systems.

EMET has been configured by default to block Adobe's Flash plugin from being loaded by Word, Excel and PowerPoint.

Another improvement to EMET deals with digital certificates, which are used to secure a SSL (Secure Socket Layer) connection, Betz wrote. EMET now has a blocking mode that will tell Internet Explorer to halt an SSL connection if an untrusted certificate is detected without sending session data.

Microsoft also hardened EMET in light of successful efforts at bypassing mitigations in its 4.0 version. Earlier this year, researchers from Bromium, which develops security technologies based on micro-virtualization, found that more technical hackers could bypass all of EMET's protections.

The company worked on hardening EMET against bypass techniques, which are possible "when a memory corruption within an EMET-protected application can be abused to overwrite selected memory areas and corrupt data belonging to EMET itself," according to a technical writeup.

Microsoft sues Samsung, says it stopped paying for patents : Samsung is requires it to pay licensing fees to Microsoft for the Android phones it sells

Microsoft filed suit against Samsung on Friday, claiming the device maker has backed out of an agreement that requires it to pay licensing fees to Microsoft for the Android phones it sells.
Samsung has not honored the agreement since at least last September, when Microsoft announced it was acquiring Nokia's devices and services business from Google, Microsoft alleged in the complaint.

"Samsung breached the license agreement last fall by refusing to make its Fiscal Year 2 royalty payment on time and then refusing to pay interest on its late payment, and is threatening to breach the License Agreement again with respect to its ongoing royalty payment obligations," says the complaint, which was filed Friday in federal court in New York.

Microsoft and Samsung have been meeting for months to resolve a disagreement over the contract, to no avail, Microsoft said Friday in an accompanying blog post.

"We don't take lightly filing a legal action, especially against a company with which we've enjoyed a long and productive partnership," wrote Microsoft corporate vice president and deputy general counsel David Howard.

"Unfortunately, even partners sometimes disagree," he wrote.

The companies entered into a patent cross-licensing agreement in 2011 under which Samsung would pay Microsoft to use its technology in the Android phones and tablets it sells.

But after Microsoft's Nokia acquisition was announced, Samsung decided to stop complying, Microsoft said Friday.

"Samsung began using the acquisition as an excuse to breach its contract," Microsoft's Howard wrote. Samsung did not ask the court whether the Nokia acquisition invalidated the contract, he wrote.
A Samsung spokeswoman said via email that the company would review the complaint in detail "and determine appropriate measures in response."

Since 2011, sales of Samsung-made smartphones running Google's Android operating system have grown substantially, according to industry research firm IDC. Samsung's smartphones, which include the Galaxy S5 and S4, now have a roughly 30 percent share of the global market, according to IDC.