Sunday, 29 March 2015

Microsoft offers Windows 10 as free upgrade, even to pirates


Microsoft is feeling generous with Windows 10: it will offer the upcoming operating system as a free upgrade to every user of Windows 7 or later. Even pirated copies of Windows are eligible for the upgrade.

The reason for this is the rampant piracy in China, although the Philippines also has its fair share of users who aren’t running genuine Windows. Microsoft is doing this in an effort to “re-engage” those millions of users with its ecosystem. This should also encourage stalwarts of Windows XP to switch to a more modern version and help them get the security features they need. The company will certainly lose revenue in the process, but it will make up for it through its Office productivity suite, Skype and other online services.

Microsoft previously announced that Windows 7 and 8 users would receive the new OS for free, but it hadn’t mentioned non-genuine users at the time.

Aside from resolving piracy issues, Microsoft has also confirmed that Windows 10 will launch this summer, with 190 countries and 111 languages to be covered in the initial launch.
[Source: Reuters]

Cisco IP Phones Vulnerable To Remote Eavesdropping

A critical vulnerability in the firmware of Cisco small business phones lets an unauthenticated attacker remotely eavesdrop on private conversations and make phone calls from vulnerable devices, Cisco warned.
LISTEN AND MAKE PHONE CALLS REMOTELY
The vulnerability (CVE-2015-0670) resides in the default configuration of certain Cisco IP phones and is due to "improper authentication", which allows hackers to remotely eavesdrop on the affected devices by sending a specially crafted XML request.

Moreover, the vulnerability could be exploited by hackers to make phone calls remotely from the vulnerable phones as well as to carry out other attacks by making use of the information gathered through the audio interception activity.
AFFECTED DEVICES
The flaw affects Cisco's small business SPA300 and SPA500 Internet Protocol (IP) phones running firmware version 7.5.5; however, Cisco warns that later versions of these devices may also be affected.
It’s likely that some phones have been configured to be accessible from the Internet, so it would be very easy for hackers to locate devices running vulnerable software versions by using the popular Shodan search engine.
"To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device," the Cisco advisory says. "This access requirement may reduce the likelihood of a successful exploit."
Cisco has confirmed the issue, which was discovered and reported by Chris Watts, a researcher at Tech Analysis in Australia, along with two other flaws -- an XSS vulnerability (CVE-2014-3313) and a local code execution vulnerability (CVE-2014-3312).
VULNERABILITY UNPATCHED, YET SOME RECOMMENDATIONS
The company hasn’t patched the problem yet and is working on a new version of the firmware to fix the issue. In the meantime, it offers some recommendations to mitigate the risk:
  • Administrators are advised to enable XML execution authentication in the configuration settings of the affected device.
  • Administrators are advised to allow network access only to trusted users.
  • Administrators are advised to use solid firewall strategies to help protect the affected systems from external attacks.
  • Administrators may also use IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators are advised to closely monitor the vulnerable devices.

Hacking Air-Gapped Computers Using Heat

There is no end to users' problems when it comes to security. Everything is easily hackable, from home wireless routers to the large web servers that leak users' personal data into the world in one shot.
If you love to travel and move from hotel to hotel, you might depend on free Wi-Fi networks to access the Internet. However, next time you need to be extra cautious before connecting to a hotel's Wi-Fi network, as it may expose you to hackers.
Security researchers have unearthed a critical flaw in routers that many hotel chains depend on for distributing Wi-Fi networks.
The security vulnerability could allow a hacker to infect guests with malware, steal or monitor personal data sent over the network, and even gain access to the hotel’s keycard systems and reservation.
HACKING GUEST WIFI ROUTER
Several models of InnGate routers manufactured by ANTlabs, a Singapore firm, have a security weakness in the authentication mechanism of the firmware.
The security vulnerability (CVE-2015-0932), discovered by the security firm Cylance, gives hackers direct access to the root file system of ANTlabs's InnGate devices.
With root access, hackers could read or write any file on the devices’ file system, including data that could be used to infect the devices of Wi-Fi users.
Researchers have found nearly 277 hotels, convention centers, and data centers across 29 countries that are affected by this security vulnerability. However, the number could be much larger, as the flaw has the potential to impact millions of users who get on a hotel’s network for free Wi-Fi access.
However, the security researchers found more than 100 vulnerable devices located in the United States, 35 devices in Singapore, 16 in the UK, and 11 in the United Arab Emirates.
Justin W. Clarke, a senior security researcher of the Cylance SPEAR (Sophisticated Penetration Exploitation and Research) team, says the vulnerability also gives the attacker access to a computer owned by the operating organization.
THE VULNERABILITY GETS WORSE
In some cases, researchers found the InnGate devices were configured to communicate with a Property Management System (PMS). This could also be leveraged to gain deeper access into a hotel's business network, allowing a hacker to identify current and upcoming guests at a hotel and their room numbers.
Moreover, the PMS is often integrated with the phone system, the POS (point-of-sale) system for processing credit card transactions, and the electronic keycard system for accessing doors to guest rooms.
So, this vulnerability could also potentially allow an attacker to access and exploit these hotel systems.
"In cases where an (ANTlabs) InnGate device stores credentials to the PMS, an attacker could potentially gain full access to the PMS (Property Management Systems) itself," the researchers wrote in a blog post published Thursday.
HOW THE VULNERABILITY WORKS?
The flaw lies in an unauthenticated Rsync daemon running on TCP port 873 on the ANTlabs devices. Rsync is an extraordinarily versatile file copying tool widely used to back up file systems, as it can automatically copy files from one location to another.
The Rsync daemon can be password-protected, but the ANTlabs device that uses it requires no authentication.
Once hackers have connected to the Rsync daemon, they are then able to read and/or write to the file system of the Linux-based operating system without any restrictions.
Due to the widespread nature of the vulnerability, ANTlabs has rolled out a patch addressing CVE-2015-0932, and US-CERT has issued an alert about the critical flaw.
This isn't the first time researchers have discovered this kind of attack targeting hotel guests. Late last year Kaspersky Labs uncovered a hacking campaign, dubbed DarkHotel, targeting guests at five-star hotels in Asia and the US by subverting their Wi-Fi systems.
 

Simplest Way to Check If Your Emails Are Being Tracked

You might not be aware that some companies know pretty much everything about your email activity: when you opened an email sent by one of their clients, where you are located, what device you’re using and what links you click, all without your consent, even if you haven’t clicked any link in that email.
Companies like Yesware, Bananatag, and Streak track emails, usually by adding small pixels or images to those emails, which tell the companies when and where the emails have been opened by the recipients.
If this sounds unusual, you should know that this sort of email tracking is a very common practice adopted by many companies. However, there is now a simple but effective tool to detect these tracking emails.
 

UGLY EMAIL -- DETECT EMAIL TRACKERS
Dubbed "Ugly Email", a new Chrome extension warns you when an email you receive in your Gmail inbox has the ability to track you, and it works even before you open the email.
Installing Ugly Email is simple. Once installed, you'll see a tiny eye symbol next to any email that includes tracking pixels from one of three companies: Bananatag, Streak, or Yesware.
Sonny Tulyaganov, Ugly Mail’s creator, also confirmed that "Ugly Mail also doesn’t store, save, or transmit any data from your Gmail account or computer; everything takes place on the user’s end," Brian Barrett of Wired wrote.
HOW TO INSTALL
In order to install the Ugly Email service, you just need to:
  1. Go to Ugly Email on the Chrome Web Store
  2. Click the "Add to Chrome" button, and you're all set!
Now you can sit back and relax, because Ugly Email will show you which emails arriving in your Gmail inbox are tracking you.
FEW LIMITATIONS
However, there are some limitations with Ugly Email at this time. Firstly, Ugly Email is currently built for Gmail only, so Outlook users can’t take advantage of the service.
Secondly, Ugly Email works only on Google’s Chrome browser, so you need to make sure that you’re using Google Chrome as your web browser while using the service, although Tulyaganov says that Firefox and Safari versions are in the works.
Lastly, Ugly Email is currently effective against only three pixel-tracking providers -- Yesware, Bananatag, and Streak, although it will continue to add more tracking services to its list. At this time, it isn’t clear how long that might take.
 

Android Wear App for iPhone and iPad compatibility may Launch Soon

As you may be aware, you need an Android smartphone to use an Android Wear smartwatch, but if you carry an Apple iPhone or iPad, you’ll soon be able to use the same Android Wear smartwatch, without relying on unofficial third-party app support.

Google is reportedly going to release a new iOS app on the App Store that will allow iPhone and iPad users to pair Android Wear devices such as the Moto 360 and LG G Watch with their Apple products, French outlet 01net claimed.


OFFICIAL ANDROID WEAR APP FOR iOS
Google’s move to go cross-platform with an iOS app would expand support for the wearable platform beyond Android devices and target the potential market of tens of millions of Apple users who may not be interested in purchasing an Apple Watch. With lower prices and strong design, there would likely be a fair amount of demand for Android Wear smartwatches.

The search engine giant is possibly planning to launch the Android Wear app for iOS at Google’s annual developer conference in late May 2015, although the company may push the agenda depending upon the sales of the Apple Watch, which will be launched in the coming weeks.

UNOFFICIAL iOS APP SUPPORTS ANDROID WEAR
Recently, iOS app developer Ali Almahdi also made an app that connects iOS to Android Wear devices, the same thing Google is planning to launch officially.

In a video submitted to The Hacker News, Almahdi demonstrated how a custom-developed iOS app allows his Moto 360 Android Wear smartwatch to sync directly with his iPhone, without jailbreak or root access.

GOOGLE TO CLUB WITH APPLE?
Right now, I can’t say if Google will really be able to convince Apple to approve an Android Wear app for iOS, or Apple users to use it, but if this happens, it would be highly profitable for both Google and its Android partners.

However, many details aren't available yet. It would definitely require additional effort, as it would no longer be an Android-to-Android connection but an Android-to-iOS connection.

If Apple declines to approve Google’s proposal, the search engine giant could partner with Microsoft to widen its Android wearable market. Another Gadget report suggests that Microsoft’s upcoming rumored smartwatch might be compatible with both iOS and Android devices.

