Thursday, May 23, 2013

Install pirated iOS apps without jailbreaking your device

If you wanted to install pirated apps on your iPad, iPhone or iPod touch up to this point, you’d first need to jailbreak your device – a process that many users simply didn’t want to fool with for a number of reasons. But that’s all changed now as there are at least two apps that allow users to install pirated apps without having to root the operating system.
The new services are gaining momentum after another popular pirate installer, Installous, met its demise late last year. This new breed of services, led by Zeusmos and Kuaiyong, make it easier than ever to install apps as they facilitate one-tap installs that can be done on non-jailbroken devices.
Zeusmos is available free of charge on jailbroken devices although, interestingly enough, there is a fee associated with using it on non-jailbroken units. It seems kind of counterproductive to charge to install pirated apps but in an interview with TWN, the 15-year-old creator said it was a way to try before you buy.
Kuaiyong, on the other hand, is a web-based installer that is free for all to use. Users can install apps directly from their iOS devices or use a desktop app to install them using a data cable. Using the app will disable iTunes synching but as the publication notes, that likely won’t be much of a deterrent for those interested in downloading the latest and greatest apps without paying for them.
It goes without saying that those interested in either product should proceed at their own risk as Apple is sure to shut these services down in due time.

WindowsAndroid lets you run Android natively within Windows

It’s already possible to run Android apps on Windows PCs thanks to a clever little app called BlueStacks. But now a group of Chinese developers are looking to take it a step further by actually allowing you to run the entire Android 4.0.3 “Ice Cream Sandwich” operating system, complete with Google Play support, as a native application on your Windows Vista, Windows 7, or Windows 8 machine.
For now the project is still very much in development and as such it still requires a lot of tweaking to get things working properly. For instance, the Google Play Store needs to be side-loaded separately, and once you get that running most apps will still show up as incompatible since they don’t recognize your computer as a valid Android device. A thread on Reddit offers some guidance on how to get around this problem.
WindowsAndroid provides users with a stock Android user interface and leverages the Dalvik virtual machine to run Android apps. Since there’s no need for emulation, apps can reportedly take advantage of your system’s hardware and graphics card for hardware acceleration. The program will support most screen resolutions and those that don’t have a touch screen can use their mouse and keyboard to navigate the interface.
Running Android on a desktop will have little to no practical use for most people, but the project itself seems interesting nonetheless and it’s worth a look if you haven’t had a chance to play with the platform yet. To try it out you’ll need to fill out a form on the developer’s site to get a download link in your inbox.

Microsoft yields: boot to desktop, Start menu options in Windows 8.1

Microsoft may be ready to address two of the most common complaints about Windows 8 with its upcoming “Blue” update. Specifically, The Verge cites sources familiar with the company’s plans who claim builds of Windows 8.1 are being tested with an option to skip the “Metro” start screen and boot directly to the traditional desktop. A separate report from ZDNet seconds this and also suggests that the Start menu might make a comeback.
Signs of a boot-to-desktop option were spotted a few days ago in a leaked build of Windows Blue. Apparently the option is disabled by default and there’s currently no toggle to enable it in the operating system’s settings panel. But the code is there. It’s possible Microsoft still hasn't decided on whether to implement this in the final Blue release, though ZDNet’s Mary Jo Foley says her sources have confirmed “this is now looking like the plan.”
Whether Microsoft will bring back the Start button is even more uncertain. The Verge says the “hot corners” that bring up the modern-style Start menu and the Charms bar will remain intact if the boot to desktop option is enabled, but Foley says Microsoft is also considering bringing back the Start button as an option.
It’s worth noting that you can accomplish both behaviors -- boot to desktop and bringing back the start menu -- through some fairly simple workarounds or using third party software. But having the options baked into the Windows 8 UI through the system settings screen would make things much simpler for all users.
Microsoft has so far been reluctant to let users skip the modern-style interface so easily, and defended its stance by saying users find the new interface easy to learn once they give it a chance.
While it's understandable that the company is trying to push a consistent user experience that spans across multiple Windows devices, those against ‘Metro’ claim the interface doesn’t really make sense for non-touch-screen machines. If the new options indeed make it to Windows 8.1 it will give everyone the option to make a gradual shift or just maintain the classic Windows feel... at least for a while longer.

Viber launches messaging app for PC and Mac as competitors stick to mobile

Third-party messaging applications are big business on mobile, with many users looking to break away from the expensive text messaging plans offered by carriers. WhatsApp is likely the most used of these apps, but Viber is looking to take the throne away with the launch of its messaging client on PC and Mac (with Linux coming soon). WhatsApp, and most of Viber's competitors, are 100-percent focused on mobile, which just might give Viber an edge in the market, since its users will be able to use the app on all of their devices.

Viber already has over 200 million users, so it's not exactly a newcomer trying to take on the big boys. But while the service has that many users signed up, the company did not specify how many of them are active users.
The Mac and PC versions of Viber should feel comfortable to anyone who has used Skype, Messages for Mac, or any other popular desktop-based messaging service. It can be used for texting, voice calls, and video chats. The video chat feature only works from desktop-to-desktop for the time being.
To go along with the desktop releases, Viber is also updating its mobile applications with some slick new features such as video messages, new stickers, last online status and more. As you'd expect, the desktop version syncs with the mobile apps, and users can even push their calls from desktop to mobile with a single tap, allowing them to continue a conversation if they have to leave the house for one reason or another.
Will this move put Viber ahead of WhatsApp and its other competitors? Time will tell, but it most certainly seems like a smart decision, what with so many users spending a large part of their day in front of computer screens.

Technology from Africa Ensures the Cloud Works When Your Connection Doesn’t

The “cloud” is great for places that enjoy uninterrupted power and Internet connections. But for large swathes of the world, where blackouts are common and connections unreliable, accessing files stored remotely on the Internet is a massive hassle. Forget about downloading Adobe Creative Suite. Simply working on a Google doc can be aggravating.


That’s why the people behind Ushahidi, open disaster-mapping software, built BRCK (pronounced “brick.”) BRCK is a wi-fi router and mobile modem in one, with eight hours of battery life to keep it going when the power runs out. It can sit in an office connected by ethernet and switch seamlessly to a 3G or 4G connection if the line goes down. It can also support up to 20 wireless connections and has 16 gigabytes of storage so it can work as a back-up network drive. Connect it to some processing power, such as a Raspberry Pi cheap computer, and you have yourself a mini-server.
Erik Herzman, an Ushahidi co-founder, dreamed up BRCK more than a year ago as a solution to connectivity problems at the iHub, Nairobi’s best-known space for hackers to congregate. The result is a working prototype and a Kickstarter crowdfunding campaign that’s raised more than a third of the $125,000 target in less than five days. What makes BRCK stand out from Kickstarter’s clutter is that it solves a very real need: the iHub, for instance, currently has four Internet providers to ensure connectivity, and a BRCK could lessen the need for so much redundancy.
Read the full story on Quartz.

Choosing and Protecting Passwords

Why do you need a password?

Passwords are a common form of authentication and are often the only barrier between a user and your personal information. There are several programs attackers can use to help guess or "crack" passwords, but by choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.

Think about the number of personal identification numbers (PINs), passwords, or passphrases you use every day: getting money from the ATM or using your debit card in a store, logging on to your computer or email, signing in to an online bank account or shopping cart...the list seems to just keep getting longer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, and maybe you've wondered if all of the fuss is worth it. After all, what attacker cares about your personal email account, right? Or why would someone bother with your practically empty bank account when there are others with much more money? Often, an attack is not specifically about your account but about using the access to your information to launch a larger attack. And while having someone gain access to your personal email might not seem like much more than an inconvenience and threat to your privacy, think of the implications of an attacker gaining access to your social security number or your medical records.
One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that someone is the person they claim to be is the next step, and this authentication process is even more important, and more difficult, in the cyber world. Passwords are the most common means of authentication, but if you don't choose good passwords or keep them confidential, they're almost as ineffective as not having any password at all. Many systems and services have been successfully broken into due to the use of insecure and inadequate passwords, and some viruses and worms have exploited systems by guessing weak passwords.

How do you choose a good password?

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or "crack" them. Consider a four-digit PIN number. Is yours a combination of the month, day, or year of your birthday? Or the last four digits of your social security number? Or your address or phone number? Think about how easy it is to find this information out about somebody. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to "dictionary" attacks, which attempt to guess passwords based on words in the dictionary.
Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters. Change the same example we used above to "Il!2pBb." and see how much more complicated it has become just by adding numbers and special characters.
Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases when you can. For example, "This passwd is 4 my email!" would be a strong password because it has many characters and includes lowercase and capital letters, numbers, and special characters. You may need to try different variations of a passphrase—many applications limit the length of passwords, and some do not accept spaces. Avoid common phrases, famous quotations, and song lyrics.
Don't assume that now that you've developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop unique passwords for each of your accounts.
Here is a review of tactics to use when choosing a password:
  • Don't use passwords that are based on personal information that can be easily accessed or guessed.
  • Don't use words that can be found in any dictionary of any language.
  • Develop a mnemonic for remembering complex passwords.
  • Use both lowercase and capital letters.
  • Use a combination of letters, numbers, and special characters.
  • Use passphrases when you can.
  • Use different passwords on different systems.
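The checklist above can be applied mechanically. The following Python sketch is an added example, not part of the original tip: the word list, the birth date, and all function names are constructed for illustration, and the bit estimate assumes every character is chosen at random, so it is an upper bound on guessing effort.

```python
import math

# Constructed sample word list; a real check would load full dictionaries
# in every language the user is likely to draw words from.
SAMPLE_DICTIONARY = {"hoops", "date", "password", "basketball", "email"}

# Finding codes, each tied to one tactic from the review list.
TACTICS = {
    "personal": "based on personal information that can be guessed",
    "dictionary": "is a word found in a dictionary",
    "case": "does not mix lowercase and capital letters",
    "classes": "does not combine letters, numbers, and special characters",
    "reused": "already used on another system",
}

# Alphabet sizes for printable ASCII; 33 = 32 punctuation marks plus space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def character_classes(password):
    """Return which character classes appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def search_space_bits(password):
    """Upper bound on brute-force effort: length * log2(alphabet size)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def _alnum(text):
    """Lowercase the text and keep only letters and digits."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def review_password(password, personal_info=(), used_elsewhere=()):
    """Return the list of tactic codes the password fails."""
    findings = []
    classes = character_classes(password)
    flat = _alnum(password)

    # Personal information: match in either direction, so a PIN taken
    # from a birth date is caught as well as a name inside a password.
    for item in personal_info:
        token = _alnum(item)
        if len(token) >= 3 and len(flat) >= 3 and (token in flat or flat in token):
            findings.append("personal")
            break

    # Dictionary word, ignoring case and any digits or punctuation added.
    letters = "".join(ch for ch in flat if ch.isalpha())
    if letters in SAMPLE_DICTIONARY:
        findings.append("dictionary")

    if not {"lower", "upper"} <= classes:
        findings.append("case")

    has_letter = bool(classes & {"lower", "upper"})
    if not (has_letter and "digit" in classes and "special" in classes):
        findings.append("classes")

    if password in used_elsewhere:
        findings.append("reused")
    return findings


if __name__ == "__main__":
    birth_date = "1975-05-23"  # constructed sample value
    samples = ["0523", "hoops", "IlTpbb", "Il!2pBb.", "This passwd is 4 my email!"]
    for pw in samples:
        codes = review_password(pw, personal_info=[birth_date])
        notes = "; ".join(TACTICS[c] for c in codes) or "passes every check"
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, {notes}")
```

The progression from "hoops" to the passphrase shows length contributing more to the search space than any single added character class.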

How can you protect your password?

Now that you've chosen a password that's difficult to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don't tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords (see Avoiding Social Engineering and Phishing Attacks for more information).
If your internet service provider (ISP) offers choices of authentication systems, look for ones that use Kerberos, challenge/response, or public key encryption rather than simple passwords (see Understanding ISPs and Supplementing Passwords for more information). Consider challenging service providers that only use passwords to adopt more secure methods.
Also, many programs offer the option of "remembering" your password, but these programs have varying degrees of security protecting that information. Some programs, such as email clients, store the information in clear text in a file on your computer. This means that anyone with access to your computer can discover all of your passwords and can gain access to your information. For this reason, always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Other programs, such as Apple's Keychain and Palm's Secure Desktop, use strong encryption to protect the information. These types of programs may be viable options for managing your passwords if you find you have too many to remember.
There's no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

Transfer files easily between desktop and mobile devices.


Like underwear, changing your browser every once in a while can give you a fresh feeling. If you're at that point where you're ready to try something different, Maxthon's Cloud Browser is an option worth investigating. We bring it up because Maxthon let us know it just added a LAN transfer feature that allows users to transfer files of any size from their browser directly to any device on their network.
"The addition of LAN transfer will make sizable improvements in users’ everyday web experience," said Karl Mattson, VP of International for Maxthon. "Customers with the newest and fastest home Internet services can now move a 1 GB file from one device to another more than five times faster than the alternative ‘up-over-and-down’ cloud services."
It's a pretty neat feature made more useful by the fact that Maxthon's Cloud Browser is available on multiple platforms, including Windows and Android (iOS and Mac coming soon).
If you want to kick the browser's tires, you can download it from Maxthon's website.

How to unlock your smartphone's automating potential with Tasker

Turn your Android smartphone into a multi-tasking automated genius with the Tasker app.


Are smartphones really all that smart? Sure, they can do almost anything with the right app installed, but that just makes them versatile, not smart. The next wave of smartphone apps is where we'll really start to see them do clever things, using technologies such as augmented reality, image and voice recognition and context-based automation.

Tasker belongs in that third category, and works by letting you automate your smartphone to do almost anything when specific conditions are satisfied. This can be based on things like the time of day, GPS location, battery percentage, or a particular contact. Want to send an automatic text to your significant other to let them know you're going to be home late if you're still at work after 6pm? Too easy. How about automatically turning off auto-sync when the battery reaches 10% and you're not at home, or dimming your smartphone screen during sleeping hours so you're not blinded by the backlight in case you want to do some nocturnal web browsing? Piece of cake!


Tasker's ability to access every setting and app on your smartphone makes it incredibly powerful, as does the fact that it supports multiple conditions for each task, giving you the flexibility to create tasks that fit your needs exactly. If you've ever found yourself saying “If only my phone could…”, chances are that Tasker can do it.

We'll use the first idea, sending an automatic text to your significant other based on your GPS location, day and time, to give you an idea of how Tasker works. Once you fire up the app, create a profile name called “Working late”. You'll then see the ‘First Context' screen. Tap on time and choose the time period you want the condition to activate. For this example, we'll choose 18.00 to 18.00. Enter those parameters and tap the green tick button. You'll now need to enter what happens once that condition is met. Don't worry about the other conditions – we'll add those later.

From the Task Selection window, click ‘New Task' and write ‘Send SMS'. After you hit the green tick, tap the ‘+' button to add the action. Click the ‘Phone' option and select ‘Send SMS'. In the next screen, you can specify the number to send the SMS to (tap the magnifying button to access your address book) and write the message that you want to send. Tick the check box if you want the SMS to be stored in your messaging app once it has sent, and tap OK when you're done.

Now you can go back and add the second and third conditions, which are that it's a weekday and you're at work. Note: you can only complete the third condition when you're physically at work. Tap the 18.00 button and click ‘Add'. Tap ‘Day', tap ‘Month Day' and change it to ‘Week Day'. Then tap on all of the weekdays (or whatever days you work) and tap the green tick. Finally, tap on the 18.00 button again and select ‘Add > Location'. Press the button in the bottom right corner to get your smartphone's GPS to find you on the map. Once it has pinpointed your location, press OK. In the Name Context box, write “Workplace” and hit OK. Press the tick button in the bottom toolbar, and you're done!

BitTorrent for everyone

Setting up uTorrent on your server solves a lot of problems and lets you trigger downloads from anywhere so they’re ready when you need them.


Using a server as a centralised peer-to-peer downloader has a number of advantages: it’s (probably) always switched on; you can download files to a shared directory; it can be easily administered for bandwidth usage and you avoid having multiple peer-to-peer clients flooding your upload channel. That last one is especially important in homes with multiple P2P users, since running several P2P clients at once stands a good chance of flooding the router and making all internet activity painfully slow.
For those who wish to run it on a server, uTorrent has had a web interface for some time, but in version 3 of the BitTorrent client the developers have made it extremely easy to set up. You don’t even have to worry about firewall negotiation and IP addresses/dynamic DNS for remote access — everything is managed through the uTorrent Remote web service.

Setting up uTorrent Remote is as easy as entering a username and password.

uTorrent Remote lets you access your BitTorrent client from anywhere and any device just by visiting remote.utorrent.com in your web browser. This gives you fully functional remote control of your uTorrent installation. You can add new torrents, stop and start existing ones and even transfer downloaded files from the server to the device you’re accessing it from.
The Android uTorrent Remote app lets you control the program from a mobile.

To set up uTorrent Remote, just click on the remote control icon in the top right-hand corner of the uTorrent window. This takes you to the Remote section of the preferences panel. Then just check the box to enable Remote and add a username and password. You’ll be asked to answer a security question, and that’s it. uTorrent gathers no private information.
The Remote interface for uTorrent looks a lot like the local one.

Now head over to remote.utorrent.com and log in. You’ll be shown a very similar interface to the standard uTorrent one, with a bar at the top where you can paste URL links to .torrent files, links to RSS feeds or you can upload a .torrent file from the machine you’re using. Once you start a download, it will be controllable from either the web interface or the regular interface.

How to stream video to an Android device

All you need is the combination of ES File Explorer and MoboPlayer on your tablet, a shared folder of videos on your PC and you're away. Here's how.


Like iOS, Android doesn't officially support a huge array of audio and video codecs -- it's a little better than iOS, but not by much. However, where they differ is the supply of software codec packs. Video players such as MX Player and MoboPlayer are brilliant -- not just because they're great players, but because they can play a huge array of video formats by simply installing a codec pack. The trick is knowing which pack to install -- if you have an Nvidia Tegra-based tablet or any of the cheap tablets with a Cortex A-series CPU, you need to install the ARMv7 pack.
All Tegra-based tablets feature H.264 hardware acceleration, so they're capable of playing back at least 720p (1,280 x 720-pixel) video, even on a dual-core model. Quad-core Tegra tablets can do 1080p (1,920 x 1,080 pixels). Those tablets using the Chinese-built Allwinner A10 ARM CPU also have hardware acceleration. But when you talk about software video decoding, you're relying now on the CPU to do the job and that's where things get tough -- dual-core Tegra tablets will do DVD-resolution reasonably well, but single-core A10-based tablets can struggle even with that.
However, on the whole, the ability to use passive/progressive streaming makes this an easy option on Android tablets. All you need is the combination of ES File Explorer and MoboPlayer on your tablet, a shared folder of videos on your PC and you're away. Both ES File Explorer and MoboPlayer are free, so there are no limitations to worry about and any ads pushed onto the device aren't visible during actual playback.

Stream video to an Android tablet

Step 1 :
First, share a folder of videos on your server or PC. In Windows 7, right-click on the folder, choose 'Properties', click the 'Sharing' tab, click the 'Share' button, select 'Everyone' from the drop-down box, click the 'Add' button and press 'Share'.

Step 2 :
Install ES File Explorer and MoboPlayer along with the ARMv7 codec pack from the Play Store. Fire up ES File Explorer, select the 'LAN' tab, press the Menu button and choose 'New > Scan'. When you see your PC listed by its IP address, tap the screen and select the computer by tapping the IP address icon.

Step 3 :
Select the shared folder with your movies, click on a movie and select the movie player you want to play the file with. (Depending on the file type, you may be given more than one media player option if you have multiple players installed on your device.)

Step 4 :
The video should now begin playing. Adjust the aspect ratio if necessary to fit your screen.

Watching on TV

If your Android tablet has HDMI output, you can plug it into your big-screen TV and watch the show. Check your tablet for the type of output used -- many use the microHDMI connector and you can pick up a micro-to-standard HDMI cable from eBay for under $5 shipped that works nicely (at least it does on Toshiba's AT1S0 we tested).

Swype Finally Comes Out Of Beta, Debuts On Google Play Store

The popular keyboard input app is now selling for all Android devices at Rs 54 for a limited period.

Swype has been a popular keyboard input utility for Android users (and some chosen Nokia Symbian users as well) since 2010. While the tool has been compatible with most Android devices, downloading the utility required you to register on its beta site, after which users would be furnished with a download URL. Although free to use, that version was plagued by certain hardware issues, and offered limited support. The app, which is now available on the Google Play Store, is selling for around Rs 54, and there is a 30-day free trial version that you can use before making a purchase. That being said, the publisher suggests that this price is under a "Limited Time Offer" so you better get the app before its cost is hiked.
Some of the features on the new app include voice recognition in around 36 languages, three keyboard modes (the original Swype keyboard, a small and moveable keyboard, and a split keyboard), support for 60 languages and 20 dialects, gesture support, and the well-known auto-predict modes. Check out the video below to know how the app's features work.

Android 4.2.2 Firmware For Samsung GALAXY S3 Leaked

The upgrade will bring some S4 features to the handset, expected to release officially in June. 

A new Android 4.2.2 Jelly Bean test firmware for Samsung GALAXY S3 has surfaced, which is expected to start seeding soon. A SamMobile report states that apart from the regular enhancements that Android 4.2 brings with it, the Android 4.2.2-JDQ39 update is expected to incorporate various features that are found in Samsung's latest flagship, the GALAXY S4.
SamMobile says that the Android 4.2.2 would officially be available from June this year, after completion of the current test stage. As for the features, you can expect an improved notification screen, new Settings app UI, new lockscreen with animated ripple and light effects, and even the new S-Voice from the GALAXY S4. Apart from these, other enhancements that are expected to grace the S3 include:
  • New Screens Modes called Adapt Display and Professional photo that aid users wanting to play around with on screen effects/colours.
  • Daydream Mode (an essential screensaver for your smartphones, a feature of Android 4.2).
  • Driving Mode.
  • Gallery Mode with white background.
  • Samsung apps viewable in full screen.
  • Smart Switch widget.
  • Actionable notifications.
  • Redesigned User Interface, which is expected to be similar to the tabbed interface found in the GALAXY S4.
  • Enhancement in Samsung's S-Voice feature.
We expect new camera features with the update as well, but details about that are sketchy as of now. For more, check out the video below.
http://www.youtube.com/watch?feature=player_embedded&v=8K02KtMA-ik#t=0s

 

Saving Google Maps destinations for easy navigation

Saving destinations also decreases the chance of making an error when trying to return to that spot

 

Saving a destination in Google Maps makes it easier to navigate to and also lessens the chance for error when entering or trying to remember an address.
To see a step-by-step guide of this Tech Tip, watch a video on YouTube.
Destinations can be starred from a mobile device running Google Maps or from the Web. After searching for an address or location, click on the pin for the destination and switch on the star icon. Starred destinations will be synched across all Google accounts and devices. Starred destinations are easier to find and will type ahead on both mobile and desktop versions of Google Maps. Starring locations is a good idea for local errands and for vacations and business trips to other states and countries.
When traveling to a place with unreliable mobile data reception or expensive data rates, it's also a good idea to save an offline version of Google Maps. Once in the application on a mobile device, press the options button and select "make available offline." Pan and zoom the map until the area to be downloaded is highlighted. Click "done" and the map will be downloaded to the mobile device and be able to be used when mobile data isn't available.

How to use social media to create business value

Companies are still struggling with the cultural changes that a social business implementation requires

 

What makes your business a top business? According to a new report from the IBM Institute for Business Value, it could be how well your company implements social business.
In "The Business of Social Business," authors James Cortada, Eric Lesser and Peter Korsten argue that social is no longer "simply a 'sandbox' for the under-30 generation." Merely developing and deploying the technology isn't enough.
"Companies at the forefront are doing more than developing a presence on major platforms. They are taking their external social tools and embedding them into core business processes and capabilities. They are using social approaches not only to communicate better with their suppliers, business partners and, perhaps, most important, their employees."
IBM's study of more than 1,100 businesses around the globe reveals that investment in social business is on the rise: 46% of the companies surveyed increased their investments in social business in 2012, and 62% indicated they are going to increase their expenditures in the next three years.
The sudden rise of social business is challenging the corporate culture at some companies, which respondents indicate is something they're struggling with: Nearly three-quarters report they were underprepared for the required cultural changes.
"Executives are concerned because social business represents a different way of thinking about employees, customers and how work is accomplished, as well as the potential risks of increased organisational openness and transparency," the report says.
Here's a look at the study's top findings, plus tips for how your company can transform into a successful social business.

Embedding social into the organisation

"Our survey and interviews have made one thing clear," the report says. "Those organisations experiencing the most success in social business approaches know they have to make fundamental changes in the way their employees worked across the entire enterprise."
Successfully embedding social business into an organisation requires three steps, according to the report:
1. Consider how to incorporate social metrics into traditional enterprises and processes. According to the report, only about 20% of organisations are able to define key performance indicators and track the ROI of social business efforts. Those that couldn't do so struggled with their social initiative.
But quantifying results based only on cost-savings isn't sufficient, the report finds. Instead, businesses should consider piloting a project to demonstrate the hard and soft benefits of a social initiative and compare it to the performance of individuals not using the social tool.
"We also heard from respondents that justifying the ROI of social effort is only one potential use of social data," the report says. "Analytics can make it possible for organisations to integrate social and traditional data sources to make more effective decisions about customers and the workforce. By examining the residual data from social activities, organizations can develop valuable insights not previously available."
2. Understand and manage the risks associated with social business. Respondents to IBM's survey cite a number of concerns about the use of social business tools: attacks on their brands, legal issues, data security and privacy, and unintended disclosure of company information.
About half the companies surveyed say they do not have effective processes in place to deal with these concerns, while nearly a quarter say they do, and another third have efforts underway, according to the report.
Successful businesses have established policies for employees to follow when engaging in social business and have a governance structure for managing and monitoring enterprise-wide social business behaviour, the report says. In addition, successful businesses must achieve the following:
  • Identify potential exposures, proactively involve the right experts and develop risk management plans.
  • Think through their problems and understand regulatory drivers and their impact on the organisation.
  • Ask questions about why a behavior is a risk and how to mitigate it.
  • Engage key functional experts before problems occur. These include people from areas such as HR, legal, IT, communications, finance and risk.
3. Establish a unique application of traditional change management principles to influence corporate culture and performance. According to the survey, 48% of organisations have support from the C-suite, but only 22% believe that managers are prepared to incorporate social business into their daily practices.
IBM suggests three actions that will assist people in understanding the value of social initiatives, involve the right stakeholders and provide the appropriate support and motivation:
1. Get people involved in using the right tools. Create hands-on opportunities to use new social business tools; provide one-on-one coaching and reverse mentoring and encourage leaders to model desired behaviors to signal social "permission"; and capture success stories through the use of social tools such as wikis, blogs and videos.
2. Apply traditional change management concepts to support transitions. Appoint a number of social business champions or subject experts to encourage and accelerate adoption; provide education about why this is important and what the guidelines are for using social media tools inside and outside the organisation; and recognize desired usage and behaviours.
3. Incorporate social approaches to supporting the change. Develop user narratives and scenarios of possibilities provided by using social approaches; use social networking approaches to identify and engage with influence leaders; provide support to employees, partners and customers.
"The case for why more organisations are implementing social business practices comes down to sustaining their competitiveness and profitability in economies in which rivals, partners and customers are adopting new ways of conducting business," the report says. "More than simply using social media tools, we have entered a new period of fundamental transformation in the way work is done at all levels of the enterprise and across all organisational boundaries."
 

Download: AMD Catalyst 13.1 WHQL driver

Good news for Radeon owners: AMD's latest WHQL-certified Catalyst driver (13.1) has finally materialized. After an unusually long wait -- no doubt thanks in part to AMD's recent "dynamic release" policy -- 13.1 contains all the improvements 12.11 beta made in October, but adds further bug fixes, enhancements and refinements.
Download AMD's Catalyst 13.1 (WHQL)
Note: All packages work with both desktop and mobile GPUs
AMD is touting some definite performance gains with Catalyst 13.1, at least when compared to 12.10 (the last official WHQL release). Noteworthy improvements for HD 7000-series desktop GPUs include a supposed 10-15 percent boost in Battlefield (up to 20 percent for certain maps) and an "up to 25" percent bump in Far Cry 3 with 8xMSAA and SSAO enabled @ 1600p.
Here are some other highlights:
  • Up to 7% more performance in Metro 2033
  • Up to 10% more performance in DiRT Showdown
  • Up to 8% more performance in Sleeping Dogs
  • Up to 12% more performance in Civilization V
  • Up to 10% more performance in StarCraft II
  • Up to 8% more performance in Sniper Elite: V2
  • Up to 5% more performance in Max Payne 3
Catalyst 13.1 also delivers fantastic news for owners of gaming laptops stuffed with Radeon HD 7970M GPUs and Enduro-based switchable graphics (e.g. some Alienware M17, MSI GX60 owners). After resolving issues discovered in previous drivers, gamers may see gains as big as 40, 50 -- even 90 percent -- for some titles. Examples include: AvP (11%), Battlefield 3 (25%), Call of Duty (13%), DiRT Showdown (62%), Just Cause 2 (90%), StarCraft 2 (25%) and Skyrim (45%).
In addition to performance improvements, 13.1 brings various bug fixes and tweaks to Windows 7, Windows 8 and certain desktop software.
  • A sporadic system hang encountered with a single AMD Radeon HD 7000 Series GPU seen on X58 and X79 chipsets.
  • An intermittent hang encountered with AMD Radeon HD 7000 Series GPUs in an AMD CrossFire + Eyefinity setup.
  • Missing fonts in XBMC
  • No video found in Media Player Classic Home Cinema when using full or half floating point processing
  • Skyrim lighting (missing a lighting pass) for the AMD Radeon HD 7900 Series
  • Skyrim cloud corruption experience in various in game locations
  • A hang playing Dishonored on the AMD Radeon HD 6000 and AMD Radeon HD 5000 Series
  • Engine and memory clocks running too high when the GPU is idle.
  • GPU activity runs at lower values than expected seen on the AMD Radeon HD 7870.
  • Corruption seen in Darkness 2 and Carrier Command when using AMD CrossFire configurations
  • Adobe Premiere Pro CS6 may fail to launch
  • Hang experienced with AMD Crossfire and Eyefinity enabled on X58 and X78 chipsets
  • Corel PaintShop Pro X3 – Hangs at the "Initializing Command Manager" window
  • Company of Heroes 2 – display corruption experienced when AA is enabled in the AMD Catalyst Control Center
  • Cyberlink Powerdirector 10 crashes intermittently.
  • Company of Heroes : Tales of Valor – Flickering experienced when AA is disabled
  • Max Payne 3 – Flickering experienced in DirectX 9 mode with forced AA enabled
  • Cyberlink PowerDVD 10 – crashes intermittently
  • VLC - Green texture corruption seen in 720p MPEG2 video clips
  • Black screen encountered when "Alternate DVI mode" is enabled in the AMD Catalyst Control Center
  • Green display corruption seen in Skype webcam video
The list of known issues is a short one, indicating Sleeping Dogs may fail to launch under certain configurations. The second notice is for Shogun 2: Total War owners, who may experience flickering while playing the game with "medium quality" settings. Happy gaming. Finally, to give you a fresh start Advanced Micro Devices introduced the AMD Catalyst Un-install Utility to remove previous versions of their drivers.

Latest Nvidia GeForce WHQL drivers optimized for Crysis 3, Far Cry 3

The latest GeForce drivers from Nvidia are now available for download, described as an essential upgrade for serious gamers. The GeForce 314.07 WHQL-certified drivers (Windows Hardware Quality Labs) promise a huge performance boost for single-GPU and multi-GPU configurations running Crysis 3 and several other games.
Specifically, gamers are told to expect a performance boost of up to 65 percent in Crytek’s sci-fi shooter. Those into Assassin’s Creed III will see gains of up to 27 percent while Civilization V players should see 19 percent higher frame rates. Call of Duty: Black Ops 2 receives a 14 percent boost, Dirt 3 fans will see gains of up to 14 percent, Just Cause 2 should be around 11 percent better and finally, Deus Ex: Human Revolution, F1 2012 and Far Cry 3 players can expect a 10 percent boost overall.
Nvidia also added a 3D Vision profile for Crysis 3 as well as an SLI profile for DmC: Devil May Cry and an updated profile for the free-to-play third-person co-op shooter Warframe.
Drivers are available for desktop systems running Windows XP, Windows 7 and Windows 8 while notebook users can pick up packages for Windows 7 and Windows 8.
It’s worth pointing out that performance improvements benefit all GeForce GTX graphics cards but to varying degrees. Nvidia says they would love to be able to show the level of improvement for every single GPU but it’s just not feasible given the number of benchmarks required. As always, your mileage will also vary based on supporting hardware.

Google could unify chat services under a single product called Babble

Google has built a number of communications platforms around different services over the years. There’s Google Talk for text, voice and video chats, Hangouts for group video conferencing, Messenger for mobile messaging, Chat for Drive collaboration, and Voice for online voicemail and merging all your phone numbers into one.
They’re mostly based on an open platform called XMPP but they don’t always interact with each other very well -- if at all. According to a report on Geek.com, however, that’s about to change soon.
Google is reportedly working to combine its existing communication platforms into one unified service called Babble. Details are scarce at the moment but the site’s unnamed sources believe the service is likely to be unveiled at Google I/O in mid-May. Not a lot is expected in the way of new features, but rather a consistent experience across platforms and services, and Geek.com says the change will happen in two phases:
Babble continues Google’s trend towards organization by conversation. You can share photos in chat windows just like you would in G+ Messenger, start a Hangout with anyone in your contact list, and the conversations are threaded across all the existing services. Moving forward, the individual services will all be pushed onto the single platform, and you’ll be able to use the same chat window across all of Google’s products with the same features available everywhere.
Babble is expected to come with new apps for Android and Chrome OS -- and if past experience is any indication it will eventually come to iOS too. Having a consolidated service could help Google compete more effectively with the likes of Facebook Chat, Apple’s iMessage, and BlackBerry Messenger.
This isn’t the first time we’ve heard about Google looking to unify its communications platforms. Google Product Manager Nikhyl Singhal admitted as much at last year’s I/O conference. Back in February, developer François Beaufort also sparked some speculation that such a service was in the works after posting a screenshot to his Google+ showing off an icon with four messaging bubbles piled on each other.

Extend your Office 365 free trial up to 180 days with this trick

A relatively little known trick to extend Microsoft Office’s 30-day trial period up to six months has been around for several years. The process in question revolves around a rearm command, aimed at enterprise administrators who use a single copy or image to deploy the software company-wide, which can be run a maximum of five times for an extra 30-day grace period each before having to enter an activation key.
This was the case with Office 2010, it’s still there on the newly released 2013 edition, and now the folks at How-To Geek report that the same trick works with the subscription-based Office 365 package.
The procedure is exactly the same, too. Simply open a command prompt window as administrator and run a file named "ospprearm.exe", which should be located in %installdir%\%Program Files%\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform, where %installdir% is "C:" on most machines and %Program Files% will be the Program Files (x86) folder if you installed the 32-bit suite on a 64-bit version of Windows.
As mentioned above, the command can be used up to five times, and if used at the end of each 30-day grace period, you can run Office 365 -- and the regular desktop editions -- for up to 180 days without paying a dime.
As a reminder, if you have a valid .edu email address you can score an even sweeter deal for Microsoft’s subscription based productivity suite. All you need to do is register at officeforstudents.com for a three month trial -- or double that if you share the deal on Facebook -- and after the trial period is over a license for the educational package costs $79.99 for four years and is good for up to two PCs or Macs. Students can renew the offer one time, so in total they could theoretically get eight years of Office 365 for just $160.
Microsoft has been touting the subscription-based Office 365 over its desktop counterpart. According to the company, the web-based suite will be updated more frequently with the latest features and allows small businesses and households with up to five computers or mobile devices to access everything for one price.

Facebook enables free voice calling for Android users in the US

Facebook has rolled out an update to its Messenger app for Android that will allow users of the social network to start free voice and video calls with friends over a Wi-Fi or data connection. The free calling service launched for US and Canadian iPhone users back in January, while Android users received the feature early last month but only in Canada -- and 22 other countries since then.
The rollout will happen gradually throughout the day and doesn’t require a manual update -- although you and your friends will need to have the latest version of Facebook's standalone Messenger or Home apps installed in order for the feature to work.
The feature is a bit buried within Facebook’s messaging clients. To initiate calls from Messenger you’ll need to tap the ‘i’ icon button to the top right on a conversation and then select Free Call from your friend’s contact card. If you're using the new Chat Heads app that arrived with Facebook Home, you'll need to tap the three dots next to a person's name to move the conversation to the Messenger app before you can make a call.
This is the latest in a series of moves aimed at gaining a stronger presence in people’s smartphones, including the launch of a new home screen for Android as well as a new chat client called Chat Heads that lets you keep a Facebook conversation going with chats overlaid on top of whatever screen or app you are in at any particular time -- the feature isn’t as pervasive in iOS, however, where it’s limited to the Messenger client.
It's worth noting that Facebook has offered voice and video calling on its site since 2011 through a tie-up with Skype, but the new VoIP feature on mobiles isn’t built on that partnership.

Google Now finally arrives on the iPhone and iPad

It’s been a long time coming but Google has finally brought its Google Now service to the iPhone and iPad. Arguably a more comprehensive alternative to Apple’s Siri, the personal assistant feature uses a natural language user interface to answer questions, make recommendations, and deliver information to users even before they ask for it by predicting what they want based on user settings and past search habits.
Unlike its Android sibling, which is available system-wide with a swipe up from the home button, Google Now on iOS is confined to the Google Search application. But once you’re actually in the app the look and feel is pretty much identical on both platforms, and you’ll have access to almost as many Now cards, including birthdays, weather, upcoming appointments, traffic, scores from your favorite sports teams, places, and more.
New cards come up based on users’ Google Account activities or their location to provide “the right information, just at the right time” and can be swiped off-screen when the information is no longer relevant.
Some of the Android features missing from Google Now's iOS app include cards for showing airline boarding passes and movie tickets bought through Fandango -- likely because it duplicates functionality from Apple's built-in Passbook and is therefore restricted from the App Store.
It also lacks the ability to push high-priority alerts, fetch information on concerts or nearby events, and while Google Now will be able to display your upcoming appointments, it will only pull that information from your Google Calendar, instead of sourcing them from the native Apple Calendar app as well.
All in all, Google Now will still be a better experience on Android, but at least most of the functionality will be on iOS -- and you could get system-wide functionality on a jailbroken device too.
Those worried about privacy -- this is Google, after all -- can access the settings menu to clear their search history and cookies, turn off location reporting and on-device history, deactivate Google Now altogether or just decide what information Google should fetch for them on a per-card basis.

Google now offering 15GB of free storage, shared across all services

Google announced on Monday that storage capacity across Drive, Google+ and Gmail is climbing to 15GB. The changes, revealed just ahead of the company’s annual Google I/O developers conference, will begin to roll out over the coming weeks according to an official blog post on the subject.


The move now makes Google the leader in free storage capacity. Dropbox currently offers 2GB of free space, Microsoft SkyDrive gives users 7GB of free storage and Amazon Cloud Storage, Apple iCloud and SugarSync all offer 5GB of free storage.
In the blog post, Clay Bavor, product management director for Google Apps, said the combined storage space means users won’t have to worry about how much they are storing and where. If you were a heavy Drive user but still had plenty of storage in your Gmail account, that’s no longer an issue, because you can now use the storage any way you want, he noted.
To help users along, Google is making updates to the Google Drive storage page so people will better understand how they are using storage space. There will be a convenient pie chart that breaks down usage across Drive, Gmail and Google+ Photos, we’re told.
It’s certainly welcome news for users of Google services as the idea of having to juggle storage and manage which accounts to allocate more storage to is now a thing of the past. Why exactly Google decided to give everyone 15GB of free space, however, is still up for debate.

Gmail updated with quick action buttons, Google Wallet integration

Amid all the hubbub of its I/O developer conference, Google has found time to teach Gmail some new tricks with the introduction of quick action buttons that will let you act on emails without even opening them. The buttons appear next to certain types of messages, so if someone sends you a calendar invite, for example, a button will show up on top of the email line that lets you RSVP or decline the invitation.
Reviewing goods, movies, restaurants and services is another common action that can be performed directly from the inbox, according to Google. Other supported actions include one-click replies for tasks like confirming registration emails, and linking to airport check-in sites when receiving flight confirmation details.

Speaking of flight confirmation emails, Google is also introducing interactive cards that display all the important information at the top of emails, so you can check whether your flight and connections are on time at a glance.

The new quick action buttons will roll out over the next few weeks to all Gmail users. The company is calling on developers and companies to create their own quick actions, with initial partners already including big names like Spotify (to play songs mentioned or linked to in emails) as well as Netflix.
In somewhat related news, Google recently announced another noteworthy addition to Gmail that taps into the company’s Wallet service to allow sending money via attachments. A dollar-sign icon will be added to the row of options in the compose window, and those who have linked Google Wallet to their bank account or who have Google Wallet balance can send money to their contacts by clicking on it.

Recipients don't have to be on Gmail, but they do need to have a Google Wallet account. Transferring money is free when the funds come from a linked bank account or a user's Google Wallet balance, but those who use a linked debit or credit card must pay a flat fee of 2.9 percent or $0.30 minimum per transaction. There’s also a $10,000 per transaction and $50,000 over a five-day period limitation for the service.

Know the 4 denial of service types that can threaten the Domain Name System

With the number of denial of service (DOS) attacks growing overall, a variety of techniques are being used to take advantage of the Domain Name System’s openness to direct attacks against DNS servers and even against targets that do not maintain a DNS server.


The asymmetrical nature of DNS queries — the response often is much greater than the query — can turn the system against itself by amplifying attack traffic. With the number of attacks on the rise, security experts have recommended that organizations change their approach to defending against DOS attacks.
Radware’s Global Application & Network Security Report for 2012 cited a 170 percent increase in DNS denial of service attacks from 2011 to 2012 and described four types of attacks targeting or using DNS.
Basic DNS flood
This is much like a brute-force DOS attack against any server, using high volumes of traffic to overpower a DNS server. This can use UDP (User Datagram Protocol) packets, which are accepted by DNS servers and do not require a connection, making it easy to spoof the IP address and hide the identity of the attacking computers.
Even though this is a brute force attack, the attack resources needed are relatively small, since just 10 PCs generating 1,000 DNS requests per second could swamp the capacity of a typical DNS server. Additional computers could be used to further distribute and hide the source of the attack.

This technique actually manipulates DNS servers into directing attack traffic at a target through the use of spoofed IP addresses. Requests are sent to a third-party DNS server or servers using the address of the intended target. Replies are sent to the target server, which can be overwhelmed by the volume of DNS traffic.
The volume of attack traffic is increased because a DNS reply typically is three to 10 times larger than the request. This amplification can be increased another tenfold by using specific DNS requests that require longer answers. The attacker remains hidden behind the DNS servers that are sending replies to the target.
Recursive DNS attack
This attack, which Radware calls the most sophisticated and asymmetric type of DNS attack, leverages the hierarchical nature of DNS. When a recursive DNS server receives a request to resolve a domain name that it does not have cached, it sends out queries to other DNS servers, hoping to get an answer that can be returned. By sending multiple recursive requests for domain names not cached by the target server, an attacker can force the target to send out many requests of its own and wait for responses, quickly using up processing power, memory and bandwidth.
Because of the low amount of traffic needed to generate a recursive attack, it often can fly under the radar of defenses that are tuned to high volumes of traffic.
Garbage DNS attack
This is a volume-based attack using large UDP packets to overwhelm network pipes, which takes advantage of the fact that DNS is a necessity. Because availability on the Internet requires the Domain Name System, organizations will not block the targeted DNS port at the router level, giving a clear shot at the target for a distributed DOS attack.
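The four patterns above leave different traces in a DNS server's query log, which the following sketch separates per source. It is an added example, not code from the article or the Radware report; the record fields, label names, thresholds and the constructed sample log (documentation-range addresses) are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: float            # seconds since the start of the capture
    src: str             # source address as logged (may be spoofed)
    qname: str           # name that was asked for ("" if unparseable)
    query_bytes: int     # size of the request
    response_bytes: int  # size of the reply sent back to src
    cache_hit: bool      # True if the answer came from the resolver cache


# Thresholds are assumptions sized for the constructed sample below.
MAX_QPS = 50              # queries from one source in any one-second bucket
MAX_AMPLIFICATION = 10.0  # article: replies are typically 3 to 10x the request
MIN_SAMPLE = 10           # do not judge ratios on fewer queries than this
MIN_MISS_RATIO = 0.9      # distinct uncached names / queries from the source
MAX_QUERY_BYTES = 512     # classic size limit for a DNS message over UDP


def classify_sources(records):
    """Return {source: sorted labels} for sources that match a pattern."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec.src].append(rec)

    findings = {}
    for src, recs in by_src.items():
        labels = set()

        # Basic flood: sheer request rate from one source.
        per_second = defaultdict(int)
        for rec in recs:
            per_second[int(rec.ts)] += 1
        if max(per_second.values()) > MAX_QPS:
            labels.add("basic-flood")

        # Garbage: oversized UDP payloads aimed at filling the pipe.
        if any(rec.query_bytes > MAX_QUERY_BYTES for rec in recs):
            labels.add("garbage")

        if len(recs) >= MIN_SAMPLE:
            # Reflection: this server sends far more bytes to the source
            # than it receives, so the "source" is likely a spoofed victim.
            bytes_out = sum(rec.response_bytes for rec in recs)
            bytes_in = sum(rec.query_bytes for rec in recs)
            if bytes_out / bytes_in > MAX_AMPLIFICATION:
                labels.add("reflection")

            # Recursive: almost every query is a new, uncached name, so
            # each one forces upstream lookups even at a low request rate.
            missed = {rec.qname for rec in recs if not rec.cache_hit}
            if len(missed) / len(recs) >= MIN_MISS_RATIO:
                labels.add("recursive")

        if labels:
            findings[src] = sorted(labels)
    return findings


def build_sample():
    """Constructed log: one ordinary client plus one source per pattern."""
    recs = []
    names = ["www.example.com", "mail.example.com", "ftp.example.com"]
    for i in range(12):   # ordinary client, 3 names, mostly cached
        recs.append(DnsRecord(float(i), "192.0.2.10", names[i % 3],
                              40, 120, cache_hit=(i >= 3)))
    for i in range(200):  # 200 requests inside one second
        recs.append(DnsRecord(3.0 + i / 1000, "198.51.100.7",
                              "www.example.com", 40, 100, True))
    for i in range(30):   # small requests, very large replies
        recs.append(DnsRecord(float(i), "203.0.113.5",
                              "example.org", 60, 3000, True))
    for i in range(25):   # slow stream of unique, uncached names
        recs.append(DnsRecord(2.0 * i, "198.51.100.99",
                              f"h{i}.example.net", 50, 110, False))
    for i in range(10):   # oversized datagrams that get no reply
        recs.append(DnsRecord(float(i), "203.0.113.77", "", 1400, 0, False))
    return recs


if __name__ == "__main__":
    for source, labels in sorted(classify_sources(build_sample()).items()):
        print(source, labels)
```

The recursive-pattern source is caught at one query every two seconds, far below the rate threshold, which is the gap in volume-tuned defenses that the article describes.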

Sometimes, the Internet just breaks

We tend to think of the Internet as part of a virtual world — cyberspace — in which battle is continuously being waged between hackers and defenders using the 1s and 0s of binary code. It’s easy to forget that the Internet relies on a physical infrastructure that can break.
As Ted Stevens, Alaska’s late Republican senator, famously pointed out, the Internet is a series of tubes. When one of them breaks, your Internet connection can go dark.
The latest State of the Internet report from Akamai noted a concerted wave of distributed denial of service attacks in the third quarter of last year, some producing traffic levels as high as 65 gigabits/sec. But it also noted four disruptions in that quarter that really did break the Internet, at least temporarily, but which probably had nothing to do with DDOS attacks.
Lebanon suffered an outage last July that took the country virtually offline for several hours and that was attributed to problems with a submarine cable in the Mediterranean between Lebanon and Cyprus on which it depends for Internet connectivity. Lebanon reportedly has plans for a second submarine cable to provide more bandwidth and back-up connectivity, but it has not yet appropriated money for it.
A month later, Jordan saw sharp drops in its Internet connectivity, the result of what reportedly was a cut in the power supply to the country’s main Internet service provider. An Internet blackout in Syria in July apparently was a denial of service attack, but that appears to have been carried out by Syria’s own government when local Internet provider networks routed through the state-affiliated Syrian Telecommunications Establishment were removed from the global routing table. This brief outage was neither the first nor the last time the government effectively pulled the plug on the nation’s Internet.
The most high-profile outage last year was at Go Daddy, the Internet registrar and Web hosting company, which in September was knocked out for five hours, leaving as many as 54 million domain names unavailable. The hacktivist collective Anonymous quickly claimed credit, but Go Daddy blamed it on internal network problems that corrupted router data tables, eventually exhausting its resources. In other words, a self-inflicted denial of service.
Not every outage is an attack. Sometimes a tube breaks.

Why do so many antivirus programs miss the same, old exploits?

SAN FRANCISCO — Why do so many viruses get onto computers even when they're running updated antivirus products? The problem is two-fold, according to independent testing company NSS Labs.


Analysis of test results on popular antivirus products showed that not only do they miss known exploits, but the different products tend to miss the same exploits, opening up unexpected windows of opportunity for attackers.
"It was a major eye-opener," said Frank Artes, NSS research director and one of the authors of the report, which was released at the RSA Conference this week. "This is particularly important for government," he said, because of the large number of legacy systems agencies often maintain that are not supported by vendors or cannot be easily updated. "These machines are exponentially more at risk," because they must rely heavily on defenses such as antivirus software for protection.
NSS is demonstrating at the conference a tool, still in the early stages of development, that visualizes the gaps left by products in order to help users select the best combinations of security tools and prioritize patching and updating.
That antivirus products are porous comes as no surprise. "Many endpoint/AV vendors state that they are now processing well over 100,000 malware samples per day," NSS noted in a recent test report. "Yet NSS testing shows that the majority fail to block some of the most widely used and dangerous exploits from the past few years."

This apparently is because vendors sometimes drop older exploit signatures from their products to "make room" for new ones without impeding performance.
In a test by NSS of 13 widely used AV products in late 2012, success in blocking 144 well known exploits on machines running recent Windows operating systems ranged from a high of 92 percent to a low of 34 percent. Most products blocked less than 70 percent of the exploits.
The surprise came when researchers began looking at which exploits were successful. Conventional wisdom suggested that multiple products used in sequence would be more successful than using just one, with each catching something that the others had missed. "What we found instead is that there are large areas of correlation between products," Artes said — in some cases, they all missed the same thing.
Testers do not know why these overlaps occur. But using data modeling to see the correlations in results from NSS product tests, different combinations of products were tried to find optimal configurations. "There is not one combination of products that would result in blocking all 1,400 exploits used," he said. "We've beaten ourselves up trying to come up with a combination and we still see things being attacked."
NSS is working with vendors to help them correlate their signature defenses with commonly used exploits, but the bottom line for protecting IT systems remains the same as it has been for some time: Patch systems and keep antivirus up-to-date, but do not rely solely on signature-based defenses.

Why is Java so risky? 77 percent of agencies run unsupported versions

Only a handful of U.S. government computers are using the latest version of Java while more than three quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010, according to an analysis by the Web security company Websense.


There are 52 update versions of Java in use, but as of this month, Oracle will update only versions of Java 7. That leaves a lot of unsupported versions on government and other computers.
JAVA ON THE .GOV DOMAIN
6.38 percent using latest update of Java 7.
23 percent using some version of Java 7.
77 percent using unsupported versions of Java 6 or earlier.
JAVA GLOBALLY
5.17 percent using latest update of Java 7.
21 percent using some version of Java 7.
79 percent using unsupported versions of Java 6 or earlier.
Source: Websense and Oracle
The government figures are in line with the global statistics for Java, which show a large number of versions in use. In the .gov domain there are 52 different update versions of the software being used, some of them more than five years old. This means that attackers do not have to depend on zero-day exploits to compromise these systems, but can rely on a growing number of commonly available exploit kits targeting known vulnerabilities.
“There have been an increasing number of targeted attacks aimed at government users,” said Charles Renert, vice president of research and technology at Websense. “This is a big hole in the IT infrastructure.”
Renert called the situation “a call to action to improve how Java is updated.”
But across-the-board updates to the current versions of software in an environment as complex as the government are impractical if not impossible, and to protect themselves agencies need to be able to identify and block the attacks before they can infect vulnerable software.
“The compromised content still has to hit the application, so stop the phishing and social engineering” that lure users into clicking on unsafe links and attachments, Renert said.
Java is a widely-used programming language for client-server Web applications. Vulnerabilities in it are significant concerns because Java runs on so many computers, often without users being aware of it. If users aren’t aware, it might not be updated regularly.
The large installed base of Java vulnerabilities has led to calls in recent months for abandoning the software. US-CERT in January released an advisory calling for users to disable Java in their browsers at least until a fix for the latest reported exploit was issued. Oracle, which owns Java, released the fix three days later, but the Computer Emergency Response Team of Carnegie Mellon’s Software Engineering Institute continued to advise users that “unless it is absolutely necessary to run Java in Web browsers, disable it, even after updating.”
To understand the extent of the problem of in-place vulnerabilities, Websense added Java version detection to its Advanced Classification Engine and used it to analyze tens of millions of Java endpoints on the ThreatSeeker Network.
Globally, 5.17 percent of analyzed endpoints are using the latest updated version of Java 7 (Version 1.7_17), released in March, compared with 6.38 percent in the .gov domain. At the same time update 17 was released for Java 7, Oracle released its last update, number 43, for Version 6 and announced that it no longer would update Version 6. Globally, nearly 79 percent of users still are using Version 6 or earlier. In government, about 77 percent are using the older versions.

The most commonly used version of Java in .gov is V 1.6_17 (update 17 of Version 6), at 27.41 percent. The next most common is Version 5, at 8.12 percent, which was replaced by Version 6 in 2006. Globally, the most commonly used version is V 1.6_16, at about 9 percent.
There are a number of reasons for the large installed base of outdated Java versions, Renert said. Java is a cross-platform technology, and patching it across multiple operating systems and applications is not a simple task. A lot of mobile devices use Java, and they are often outside direct enterprise management. “It’s a little harder to keep them up-to-date,” he said.
Finally, Java is updated independently of the applications using it, so an application will not necessarily be using the latest version of Java, even if the application itself has been updated. “This mix and match approach makes it difficult to keep up,” he said.
In this environment, application makers and users need to work more closely with Oracle to improve patching and updating policies and practices, Renert said.
But even at its best, updating is an incomplete solution. “The zero-days will always be a risk, and there will always be some out-of-date versions,” Renert said. “You have to assume that controls will be bypassed, that the bad guys are going to find a way around them.” Users need to understand the nature of the threats they are facing and be prepared to block them before they reach vulnerable applications, or block improper outbound traffic from compromised systems.
A full breakdown from Websense and Oracle of Java versions running on the .gov domain:
Version and update     Percentage of installed base
V 1.0 to 1.4            1.90%
V 1.5                   8.20%
V 1.6_01                0.04%
     _02                0.30%
     _03                0.33%
     _04                0.01%
     _05                0.47%
     _06                0.68%
     _07                1.30%
     _10                0.08%
     _11                0.05%
     _12                0.47%
     _13                1.37%
     _14                0.30%
     _15                0.51%
     _16                0.55%
     _17               27.41%
     _18                0.87%
     _19                0.21%
     _20                2.35%
     _21                0.84%
     _22                1.77%
     _23                0.92%
     _24                2.21%
     _25                0.28%
     _26                3.58%
     _27                0.65%
     _29                1.58%
     _30                2.76%
     _31                4.38%
     _32                0.73%
     _33                1.11%
     _34                0.87%
     _35                4.44%
     _37                1.20%
     _38                0.66%
     _39                0.93%
     _41                0.15%
     _43                0.55% (Final update of V 1.6; Oracle announced discontinuing support for all of V 1.6 on March 4, 2013)

Java 7 was released in July 2011 and first updated in October 2011.
Version and update     Percentage of installed base
V 1.7_01                0.11%
     _02                0.17%
     _03                0.07%
     _04                0.53%
     _05                1.63%
     _06                0.11%
     _07                4.79%
     _09                2.82%
     _10                0.47%
     _11                1.71%
     _13                0.85%
     _15                3.12%
     _17                6.38% (Current update, released March 4, 2013)



A total of 52 different versions/updates installed.



Source: Websense and Oracle
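The buckets used in the figures above (latest Java 7 update, some Java 7, unsupported Java 6 or earlier) can be applied to an endpoint inventory. The following is an added example, not Websense's detection code; the host names and inventory are constructed, and the baseline (Java 7 update 17 current, Java 6 and earlier unsupported) is the one the article reports for March 2013.

```python
import re
from collections import Counter

# Baseline from the article (March 2013): Java 7 update 17 is current;
# Java 6 and earlier no longer receive updates.
SUPPORTED_RELEASE = 7
CURRENT_UPDATE = 17

# Accepts "1.7.0_17", "1.6.0_43-b01", the article's short form "V 1.6_17",
# and bare releases such as "1.5.0" (treated as update 0).
_VERSION_RE = re.compile(r"^1\.(\d+)(?:\.\d+)?(?:_(\d+))?(?:-[\w.]+)?$")

def parse_java_version(text):
    """Return (release, update) for a 1.x version string, or None."""
    m = _VERSION_RE.match(text.strip().lstrip("Vv").strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def classify(text):
    """Bucket one reported version the way the article's statistics do."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"  # send to manual review; never assume it is safe
    release, update = parsed
    if release < SUPPORTED_RELEASE:
        return "unsupported"  # even the final update of an end-of-life line
    if release == SUPPORTED_RELEASE and update < CURRENT_UPDATE:
        return "supported-outdated"
    return "current"

def audit(inventory):
    """inventory: (host, version) pairs -> (bucket counts, hosts needing work)."""
    counts, to_fix = Counter(), []
    for host, version in inventory:
        bucket = classify(version)
        counts[bucket] += 1
        if bucket != "current":
            to_fix.append((host, version, bucket))
    return counts, to_fix

# Constructed sample inventory (hypothetical hosts, not data from the article).
SAMPLE = [("ws-001", "1.6.0_17"), ("ws-002", "1.7.0_17"), ("ws-003", "1.5.0_22"),
          ("ws-004", "1.7.0_07-b10"), ("ws-005", "V 1.6_43"), ("ws-006", "unknown")]

if __name__ == "__main__":
    counts, to_fix = audit(SAMPLE)
    print(dict(counts), *to_fix, sep="\n")
```

A host on the final Java 6 update (1.6_43) still lands in the unsupported bucket, which is why patch level within a release is not enough to measure exposure.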

Kingston adds malware scanner to its secure drives

When key drives were first released, everyone, including public-sector workers, embraced them. Then there was a bit of a backlash in government circles, with some agencies gluing their USB ports closed to prevent unauthorized devices from connecting because the drives offer a window for malware to enter networks. In recent years removable media has been at the center of major security events, as a vehicle of infection for the infamous Stuxnet worm and as a data exfiltration vector associated with the Flame virus.
Today, flash drives are just as convenient as when they were first released, but many also contain high levels of security, which has helped bring them back into government.
Kingston Digital, the flash memory affiliate of Kingston Technology Co., is looking to fight malware on portable drives with scanning technology from ESET and ClevX.  The combination extends ClevX DriveSecurity powered by ESET’s proactive portable anti-malware technology to Kingston’s DataTraveler 4000 and DataTraveler Vault Privacy secure USB flash drives.
"Portable media is a common source of malware infection,” said Andrew Lee, CEO of ESET North America. “People often carry sensitive personal files on their USB drives, and they often don’t realize that their drive can be infected when plugged into a computer, and then that infection can be transferred to other machines. Together with Kingston and ClevX, we can offer a solution which keeps the contents of USB flash drives safe and malware-free and prevents malware from spreading via removable media."
According to Kingston, enterprise users can easily and immediately access ESET’s malware protection upon initialization of the Kingston secure USB flash drives with a strong password. There is no need for management configuration, making it easy for the end user and saving the IT department valuable setup time. Upon logging in and entering a password, the ESET engine scans for spyware, Trojans, worms, rootkits and viruses, without conflicting with the host resident anti-virus software, then notifies the user to take action if malware is detected. It also provides automatic hourly updates when an Internet connection is available. 

Hackers' new trick for slithering through sandboxes

I recently had to have my computer disinfected, which was frustrating. My firewall is up, I keep my antivirus up to date, I’m cautious about opening e-mail and don’t click indiscriminately on links. But something got through.


A new report from Lastline, a security company that focuses on advanced malware, offers some insight into a new technique used by black hat writers to escape detection by having their code do busywork in a security sandbox until it is allowed out.
It should be noted that Lastline has a dog in this fight and is offering a solution to counter this new threat. But the information is still interesting.
A sandbox is a virtual environment with its own guest operating system where intercepted incoming code can be observed. If it acts maliciously or suspiciously, it can be tossed out. Observing behavior of code in a sandbox should detect and block malware regardless of whether the code or the vulnerability it exploits is already known.
The challenge for attackers, then, is to outwit the sandbox. They do that with environmental checking; malware might check for the presence of a virtual machine or it might query well-known registry keys or files that indicate a sandbox. Other malware authors instruct their malware to sleep for a while, waiting for the sandbox to time out.
Security vendors have countered by looking for behavior such as queries for registry keys and by forcing sleeping code to wake up.
The latest trick by malware writers is what Lastline calls stalling code. It delays the execution of malicious code inside a sandbox and instead performs a computation that appears legitimate. Sort of like an intruder avoiding notice by carrying a clipboard through an office. Once the sandbox has timed out, the evasive malware is free to execute.
This is not the ultimate malware; evasive techniques can be countered by better sandboxes. Also, these techniques are no good if the vulnerabilities being exploited have been patched or if the signature of the code is known. Although signature-based detection has been shown to be an inadequate defense by itself, it still works well when it works.  (We’ll look later at why it doesn’t always work.)
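For analysts reading sandbox output, the three evasion patterns described above (environment checks, long sleeps, stalling) can be flagged from a run's event trace so that a quiet run is not mistaken for a benign one. This is an added example, not Lastline's method; the event format, thresholds and traces are constructed assumptions.

```python
SANDBOX_TIMEOUT = 120.0  # seconds of analysis per sample (assumed)
STALL_GAP = 20.0         # silent stretch counted as possible stalling (assumed)
LONG_SLEEP = 30.0        # sleep length worth flagging (assumed)
VM_MARKERS = ("vmware", "virtualbox", "vbox")  # substrings of queried keys

def triage(events, timeout=SANDBOX_TIMEOUT):
    """events: time-ordered (seconds, kind, detail). Returns (verdict, findings)."""
    findings, stalled = [], 0.0
    timeline = list(events)
    exited = any(kind == "exit" for _, kind, _ in timeline)
    if not exited:
        timeline.append((timeout, "timeout", None))  # the sandbox gave up
    prev_t, prev_sleep = 0.0, 0.0
    for t, kind, detail in timeline:
        # Time since the last event, minus any sleep: running but unobserved.
        silent = (t - prev_t) - prev_sleep
        if silent >= STALL_GAP:
            stalled += silent
        if kind == "reg_query" and any(m in detail.lower() for m in VM_MARKERS):
            findings.append(f"environment check: {detail}")
        if kind == "sleep" and detail >= LONG_SLEEP:
            findings.append(f"long sleep: {detail:.0f}s")
        prev_t, prev_sleep = t, (detail if kind == "sleep" else 0.0)
    if stalled >= timeout / 2:
        findings.append(f"stalling: {stalled:.0f}s busy with no observable activity")
    if findings:
        return "evasion-suspected", findings
    # Quiet until the timeout is not the same as benign.
    return ("clean" if exited else "inconclusive"), findings

# Constructed traces in a hypothetical event format (not from the Lastline report).
STALLER = [(0.5, "file_read", "sample.bin"), (1.0, "mem_alloc", "4096")]
SLEEPER = [(0.1, "sleep", 300.0)]
CHECKER = [(0.2, "reg_query", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
           (0.3, "exit", None)]
BENIGN = [(0.5, "file_write", "report.txt"), (2.0, "net_connect", "update.example"),
          (3.0, "exit", None)]

if __name__ == "__main__":
    for name in ("STALLER", "SLEEPER", "CHECKER", "BENIGN"):
        print(name, *triage(globals()[name]))
```

A sample that neither exits nor shows any indicator before the timeout is reported as inconclusive rather than clean, so it can be queued for a longer or more heavily instrumented run.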
But it is a reminder that what the mind of one man can achieve, another can overcome. No attack and no defense is perfect, and the battle goes on.