• Security Experts at Sophos explained the efficiency of the business model known as Cybercrime-as-a-Service in the specific case of Vawtrak botnet.

    The term Cybercrime-as-a-Service refers the practice in the cyber criminal ecosystem to provide product and services for use by other criminals. In September 2014, a report from Europol’s European Cybercrime Centre (EC3), the 2014 Internet Organised Crime Threat Assessment (iOCTA) report, revealed the diffusion of the business model in the underground communities and highlighted that barriers to entry in cybercrime ring are being lowered even if criminal gangs have no specific technical skills.

    Criminals can rent a botnet of machines for their illegal activities, instead to infect thousands of machines worldwide. These malicious infrastructures are built with a few requirements that make them suitable for the criminals, including User-friendly Command and Control infrastructure and sophisticated evasion techniques.
    The botnets are very flexible and could be used for several purposes, including to serve malware or to send out spam emails. For example, the botnet’s computers can be configured to serve as proxies or even — once all the other usability has been sucked out of them — as spambots.

    An example of banking malware botnet is Vawtrak, also known as NeverQuest and Snifula. According data provided by Sophos, Vawtrak was the second most popular malware distributed by malicious drive-by downloads in the period between September and November.

    Sophos published an interesting paper on the cybercrime-as-a-service model applied to the Vawtrak botnet, titled “Vawtrak – International Crimeware-as-a-Service“.
    “If you look at the client-side, the commands used, and the debugging code, suggests that it’s more user friendly than some of the other malware we look at,” said James Wyke, senior threat analyst at Sophos Ltd. “It’s almost certainly going to be a point-and-click Web-based interface. Simplicity is one of Vawtrak‘s positive points.”

    Despite Wyke hasn’t personally evaluated the Vawtrak for leal and ethical reasonsSophos was able to investigate the activities Vawtrak platform is being used for. The experts recognized a pattern in the “modus operandi” of the Vawtrak clients, which used the botnet to target banks and other financial institutions worldwide. The attackers are able to run sophisticated attacks in a methodical way, by-passing two-factor authentication mechanisms and implementing custom injection mechanism.

    The experts revealed that Vawtrak was used by criminal organization in US to compromise both large banks (i.e. Bank of America and Citigroup) and smaller financial institutions (i.e. Bank of Oklahoma, Cincinnati’s Fifth Third Bank, the Columbus-based Huntington National Bank).

    There are tens of thousands of computers already infected and in the network, Wyke said.
    cybercrime-as-a-service botnet infections

    That makes it smaller than some of its competitors but, because of its business model, it might actually be more profitable.
    The cybercrime-as-a-service model developed for the Vawtrak botnet allows customers to choose specific types of infected machines, to customize the botnet to hit a specific target (i.e. banks, private firms) or to request specific types of stolen data.
    “If you want banking credentials for certain banks, or certain regions of the world, they can start campaigns targeting those banks or those countries,” said Wyke. “We’re moving away from the model where the cybercriminals write their own software, or sell you a kit and you go away and create your own botnet,” Wyke said.

    The availability of stolen data makes the model of sale Cybercrime-as-a-Service very attractive for criminals that can use them to run further attacks by having more information on the targets.

    The Vawtrak botnet provides also specific data hijacked by the botnet, including banking access credentials, that allows the criminals to deliver new strain of malware to the infected computers.
    “This is a flexible business model,” he said. “Once the machine starts sending out spam it becomes obvious that it’s infected with malware and it’s not going to be infected much longer,” he said.

    Experts at Sophos suggest to keep defense systems up-to-date and provide a free removal tool for the Vawtrak botnet on the company website.

  • A basic guide to the Internet's underbelly -- the Dark Web.

    Deep or Dark?

    There's a difference between the "Deep Web" and "Dark Web." While the "Clear Web" is the surface area which is indexed by search engines such as Google and Yahoo, the Deep Web is an area search engines can't crawl for or index. Plunging in further, the Dark Web is a small area within the Deep Web which is intentionally hidden from discovery.

    How do you access the Dark Web?

    You can't use standard access methods to gain entry into the Dark Web. The most common method is through the Tor network, an anonymous network created from nodes which disguise online activity. In order to use Tor, you need the Tor browser, and may also need to be issued an invitation to access certain .onion domains hidden within the Dark Web.

    Wait, .onion domains?

    An .onion address is the result of Onion networking -- low-latency communication designed to resist traffic analysis and surveillance. The use of Onion networking is not a perfect solution to maintain anonymity, but it does help disguise who is communicating with whom.

    It's not just drugs

    Many of us heard when the underground marketplace Silk Road, one of the largest hidden within the Tor network, was taken down following an investigation by US authorities. However, there are many more vendors peddling their wares within the Dark Web. While drugs are the most commonly-thought of when it comes to the secretive area, you can also purchase a plethora of other illegal goods. Weapons, porn, counterfeit money and fake identities, hacked accounts and even hitmen can be found if you have the cash. If someone annoys you, sending over a SWAT team as a "prank" is also possible.

    It's also something of an eBay for peculiar items.

    A quick browse and I could buy lifetime membership passes to popular services such as Netflix, old consoles, clothing, emulators and DVDs, a car or two and bulk weight loss pills. Technology is also popular -- there is a wealth of devices available -- both counterfeit and apparently legitimate -- if you know where to look.

    The Dark Web is used for more than buying and selling.

    So-called "ethical" hacking and political forums, archives of forbidden books, tips on how to care for your cat -- there are potentially thousands of private .onion addresses hosted which go beyond marketplaces.

    Trading is hardly safe or risk-free

    Whether you take a risk with buying bargain designer clothes on the Clear Web or sink a few Bitcoins in purchasing illegal items through the Dark Web, neither is risk-free.
    Vendors and sellers might be trying to avoid the eyes of legal enforcement in the darker side of the Internet, but this doesn't stop scams from taking place. Scam vendors and quick grab-and-run schemes run rampant -- especially as there is no way to follow up with failed sales down the legal route.

    Buying and selling through the Dark Web

    How do you trade without being linked to bank accounts? Virtual currency is the most common method, which includes "tumbling," a laundering process which destroys the connection between a Bitcoin address which sends virtual currency and the recipient in the hopes of covering a user's tracks. Some vendors offer escrow services which holds Bitcoin in trust until goods have been delivered and both parties are happy -- although value fluctuations linked to Bitcoin use makes this move risky.

    Avoiding spying eyes

    Aside from using the Tor browser and VPNs, a number of buyers and sellers use "Tails," free software which can be booted from flash storage to provide end-to-end encryption for your browsing sessions.
    To further cover their tracks, vendors and sellers will often also use public Wi-Fi hotspots to conduct their business.

    Reddit is used as a communication platform for Dark Web transactions

    Although far from exhaustive, the best Clear Web resource to bounce around and learn a little about the darker, nastier aspects of the Internet is on Reddit. There are sub-forums in which Dark Web vendors and buyers exchange news, thoughts and seller reviews. Advice is also issued on how best to "clean house," create safe "drop" zones to pick up packages ordered from the Dark Web and what to do if you think law enforcement is keeping an eye on you.

    There is a whole lot more to know about the Deep web. Click this link to read more.

  • Microsoft's Windows 10 was launched some few weeks ago, but questions -- lots of questions -- still remain about the new operating system, from when it will be taken to the bosom of enterprise to whether some of Microsoft's moves leading up to it were premeditated.

    Microsoft expert, Steve Kleynhans, spoke at length about the latest OS answering 10 questions about Windows 10. Kleynhans' responses were lightly edited for length.

    Will Windows 10 beat Windows 7's first-year adoption rate, which stood at 22% of all Windows PCs at the end of 12 months? 

    "It is quite likely that Windows 10 will beat Windows 7's adoption in the first year due to three factors," said Kleynhans. "First, the free upgrade will probably be taken by a relatively healthy portion of the population. Second, more users have automatic updates enabled today than six years ago. And third, compatibility between Windows 7 and Windows 10 is significantly better than between Windows XP and Windows 7. There will be a lot fewer blockers to get in the way.

    "Enterprise adoption isn't likely to be significantly better in the first year. However, enterprises will move more quickly to Windows 10 than Windows 7 and there will be a few motivated to move a bit earlier if only because of the one-year free upgrade deadline. There are fewer barriers to moving with Windows 10, including in-place upgrades and no new Internet Explorer [IE] version to wrestle with, so while enterprises will take a bit longer than consumers to get started, both should be a lot higher with Windows 10."

    When will enterprises begin adopting Windows 10 in force? 

    "Companies never do anything quickly, so aside from some aggressive early adopters, most organizations will use 2016 as a time to study the new OS and potentially run some pilots," Kleynhans said. "Real roll-outs might start in late 2016, but are more likely to really kick off in 2017."

    What's Windows 10's biggest draw for enterprises? 

    "Two things: security and lighter-weight management," said Kleynhans. "There are a number of security enhancements, from biometric log-ins to hardware-enabled protection for parts of the OS, that will be compelling to enterprises.

    "Similarly, the ability to use a store for provisioning users, enabling a self-service model, and potentially opening options for BYOD will be attractive.

    "In the short term most companies are looking at Windows 10 as providing them access to 2-in-1 devices that users find intriguing, without having to figure out Windows 8 or deal with some of its enterprise shortcomings. But regardless of any goodness in the product, the biggest driver will ultimately be Windows 7's end-of-life."

    What in Windows 10 -- or about it -- will be the biggest inhibitor to adoption by enterprise? 

    "Probably inertia," said Kleynhans. "For the most part, hardware and software compatibility isn't a big blocker, although official ISV [independent software vendor] support may be, especially in regulated industries. But doing a large-scale Windows migration is a major project. While it is nice to say that this is the last one enterprises will have to do, they still have to do this one.

    "Like any major project, it will take budgeting of time and resources. It will be disruptive. There are also things to learn and integrate into existing processes, such as the new servicing model, selecting a branch, and changes in how they manage things in order to keep current and supported."

    [Computerworld couldn't resist a follow-up question about Kleynhans' reference to "the last one enterprises will have to do," asking him if that would, in fact, be the case. "I think Microsoft believes that," Kleynhans answered. "That's the plan of record. But things change. In 10 years, who know what will happen?"]

    Will enterprises accept Windows 10's new patching and update schemes, or will they reflexively lock down devices with LTSB (long-term servicing branch) and just treat Windows 10 as they now do Window 7? 

    "Some enterprises will undoubtedly try to fall back to the LTSB because it will seem safe and familiar," agreed Kleynhans. "But I suspect that they will quickly discover that the limitations make it unsuitable for a large portion of their users.

    "Once they address the new update cadence for some users, it will be straightforward to extend it to a larger group, lessening the appeal of the LTSB. We will probably see some companies start with the majority of their users on LTSB, but quickly shift towards only those who really need it. By 2019 it is likely that LTSB will be a small percentage of users, less than 10%."

    Will Windows 10 measurably help Microsoft in mobile?

    "Well, it couldn't hurt," countered Kleynhans. "But it really is a big question whether it will draw developers to the platform with the kind of apps that are being developed for iOS and Android.

    "The only thing that truly solves the problem is market share. If a developer perceives the entire Windows 10 ecosystem as a target, the market share number will look pretty good. However, it is likely that most phone developers will continue to focus solely on the Windows smartphone number, and that will dampen their interest."

    What about Microsoft's Universal app strategy? Will that have an impact? "Microsoft certainly hopes it will," said Kleynhans. "But any impact will be a relatively slow build. It will be one more option in a broad collection of options for developers, even if they only focus on the PC: Should I develop a Web app, should I write a traditional Windows app, keep building .NET?

    "I think developers targeting PCs will settle on a combination of Web and Universal apps, but that is likely to be 2018 or later, when a critical mass of Windows 10 devices is in businesses.

    "Universal Windows apps are most immediately compelling to businesses looking at building something that needs to be accessed on a tablet and a PC, or potentially a 2-in-1. So it will help Windows 10 gain a stronger foothold in vertical business applications with a mobility component.

    "In the short term, there may also be some success with games. People like casual games as a simple distraction, even on PCs, so that will be a reasonably good target."

    Will there be a repeat of the scramble to get off Windows XP as Windows 7 nears retirement in January 2020? "There is a lot more awareness of the end-of-life of Windows 7 than there was of Windows XP's," Kleynhans said. "It is still fresh in the minds of a lot of companies, and so you are seeing it pop up on long-range road maps.

    "Generally, companies will plan to be more proactive and will have great intentions about avoiding the mad dash to the finish line in 2019, but the realities of business, and human nature, will cause plans to slip. I expect it will be less of a scramble, but it will still be a scramble."

    Will Microsoft be able to continue to charge for the OS or will it revert to a support model for revenue? "Microsoft will continue to charge for Windows," Kleynhans asserted. "The real question is whether users perceive that they are paying for Windows.

    "The vast majority of users will get Windows as part of the device and the cost will be buried in the device, like the cost of the screen or battery. Unless you are building your own PCs, it won't be visible. Users will get all the updates on that device for free so they won't perceive that they ever pay for Windows.

    "Enterprises, on the other hand, will be gradually coaxed towards a Software Assurance model with flexibility, deeper support, and additional management and security capabilities being the carrots offered over traditional volume licensing. This will look much more like a subscription model."

    In hindsight, several of Microsoft's moves in 2014 now seem to be preliminary steps toward Windows 10, including the requirement that businesses migrate to Windows 8.1 Update within four months, and the deprecation of most IE editions other than IE11. Were these part of a master plan, or was Microsoft simply trying things?" "It's probably best to think of this as more an evolutionary process than a detailed master plan," said Kleynhans. "Obviously, there was always a plan to get people off older versions of IE. The specific timing, though, was in place before the details of Windows 10 were locked down.

    "I look at the updates for Windows 8.1 as being tweaking and testing towards a goal of faster updates, rather than long-term steps in a grand scheme. Remember there was a regime change in Windows, and Microsoft for that matter, right in the middle of all of this, and what we are seeing now is the output of the new leaders, tempered with some marketplace realities."

    The Connected Car

    The way cars are made, bought and driven is changing with mobile communications. This paves the way to a driverless future

    IN A generation from now, your journey home may go a bit like this. As you leave your office, an empty car rolls up. Perhaps you summoned it, or maybe this is a regular pickup. On the way home you listen to your favourite music, watch a television show or catch up with the news. You barely notice as the car slows down or speeds up to avoid other vehicles, except for when it pulls aside to let an ambulance through. Some of the other cars have drivers using a steering wheel, but many of them, like yours, have no wheel at all.
    Despite that hold-up your journey is much faster, even though there are more cars on the road than in 2014. When you arrive home, the car heads off to its next client, or to park somewhere and wait for a call. You don’t know or care. After all, it’s not your vehicle: you summon a car only when you need one.

    Tantalising glimpses of this future are common today, most notably in Google’s bubble-shaped prototype of an autonomous car. The internet giant has been running Toyotas and other models adapted for driverless travel up and down Highway 101 in Silicon Valley for a couple of years now, using on-board sensors to keep the vehicles on the straight and narrow.

    Other experiments use a different approach to ensure safe journeys. Some 3,000 drivers in Ann Arbor, Michigan, have had wireless internet connections fitted to their cars. These are used to feed information to and from other vehicles and the transport infrastructure. The system will, for instance, warn a driver about to overtake a car if there is a chance of a collision with an oncoming vehicle, or change a traffic light to green if safe to do so. The number of vehicles involved in the project, run by the University of Michigan and largely funded by America’s Department of Transportation, could triple over the next few years.

    What is happening in Michigan is part of a much broader trend: the rise of the “connected” car. This is the coming together of communications technologies, information systems and safety devices to provide vehicles with an increasing level of sophistication and automation. It is a process that will change not just how cars are used but also the relationship between a car and its driver. This, in turn, will affect the way vehicles are made and sold. Eventually, it is the connected car that may deliver a driverless future.

    The kit that enables this is starting to appear in new vehicles. Some of the most advanced driver aids can be specified in certain Mercedes-Benz models. These cars are already capable of doing a fair bit of autonomous driving. For instance, the German company’s new “Intelligent Drive” package has a feature which, in congested traffic moving at less than 60kph (37mph), allows the driver to let the car steer, brake and accelerate by itself. The system uses a combination of ultrasonic and radar sensors along with cameras that monitor all around the vehicle. Because Mercedes drivers like to be comfortable, it will even automatically adjust the suspension before the car hits a pothole in the road.

    Many features in modern cars are becoming accessible to smartphones that connect to the vehicle. A smartphone app allows the driver of an electric BMW i3, for example, to check the battery capacity of his vehicle while it is being topped up at a recharging station. Audi, part of the Volkswagen group, is working on a system which would allow a driver to get out of the car and use his smartphone to instruct the vehicle to park itself.

    Connected cars are a marriage of two types of mobile technology: the mechanical sort, which revolutionised transport in the 20th century, and the electronic variety, which has transformed telecoms in the 21st. A recent report by analysts at Citigroup, a bank, used data from IHS, a research firm, to divide the ways that mobile telecoms are influencing motoring into three useful groups.

    The car app

    The first bunch is made up of services and applications delivered via mobile networks to a car—either to systems that are part of the vehicle or to devices, such as smartphones or tablets, carried by the driver or passengers and connected to the car wirelessly or with a cable. The most obvious example are “infotainment” systems, which stream music, video, satellite navigation and traffic information. The second consists of services based on data supplied from the car, such as advance warning that a part needs to be replaced. And the third category brings together multiple vehicles, communicating with each other and with smart infrastructure, from roadside sensors to traffic signals and remote data centres, to make traffic flow more smoothly and safely.

    Broadly speaking, services in the first group are the most widespread already. “The cards in infotainment have been dealt,” says Andreas Mai of Cisco, a network-equipment giant. People already have their favourite services, like iTunes, Spotify or TripAdvisor, on their smartphones. Surveys, though, suggest that car buyers place a higher value on services that make travelling safer, save them time or money, or alert them to problems with their vehicle. These services lie mainly though not wholly in the second and third groups. But widespread availability may take several years.

    The number of cars with some sort of networking ability today is small, perhaps only 8% of the global total, according to McKinsey, a consulting firm. But by 2020 around a quarter of all cars, mainly the more expensive sort, will be online. The build-up will be relatively slow because many old cars stay on the road for a decade or so. But for new cars things are changing rapidly. BMW has been embedding SIM cards for mobile connectivity in all its new cars since April. By 2020, around 90% of all manufacturers’ new models are likely to have them, according to Machina Research, another consulting firm. The market then starts to look particularly juicy. A recent report by GSMA, the mobile operators’ trade body, says revenues from the sale of in-vehicle services, hardware and the provision of connectivity itself will treble over five years to reach $39 billion by 2018. Machina reckons it could rise to a staggering $422 billion by 2022, most of it coming from connected services to and from vehicles.

    Description: http://cdn.static-economist.com/sites/default/files/imagecache/full-width/images/print-edition/20140906_TQD003_0.jpg

    Car buyers are expected to be keen on connected services once they get to know about them and see them in action. This much is clear from the limited offerings already available. The ability for the car itself to call the emergency services automatically in the event of an accident is reckoned by many drivers to be a valuable feature of GM’s OnStar, a connected safety and navigation system which in effect enables a vehicle to function as a phone. A separate app also allows OnStar users to lock and unlock the car’s doors remotely, start the engine and find the vehicle on a map if the driver forgets where he parked it. GM aims to have the service available in nearly all its cars worldwide by 2015.

    But regulators are also forcing the pace. The European Union wants a system that automatically calls for help in the event of a crash to be fitted to all new vehicles by 2015. Russia has similar plans and Brazilian cars will need to be fitted with trackers as a way to reduce theft. Encouraged by the Ann Arbor test, in February America’s National Highway Traffic Safety Administration said it would begin working on a regulation to require vehicle-to-vehicle (V2V) communication to be fitted in all new cars.
    On the digital dashboard

    Different applications require different technologies. A search for a parking space would probably go over public mobile networks from an app, whether on the driver’s smartphone or one running on a digital dashboard. For safety features, such as preventing a car from pulling out in front of another, V2V communication is essential, says Kurt Sievers of NXP, a semiconductor company. Public networks will be too slow for this and may lack the capacity. His company is making systems with dual antennae to cope with reception difficulties, because radio waves from moving vehicles tend to bounce off buildings and other surfaces. Authentication of signals matters too, to prevent cars taking unnecessary avoiding action.
    With increased connectivity between cars, driver aids will become much more sophisticated. A connected car would, for instance, receive not just information about a hazard detected by its own sensors, but also alerts from a vehicle farther along the road or around a blind corner.

    Description: http://cdn.static-economist.com/sites/default/files/imagecache/full-width/images/print-edition/20140906_TQD004_0.jpg

    Connectivity can also help provide more real-time information about traffic hold-ups, beyond that already provided by satellite-navigation devices. The addition of vehicle-to-infrastructure communication (V2I) takes things further still. Whereas the connected cars in Ann Arbor can change the timing of traffic lights, a combination of V2V, V2I and automated driving could do away with traffic lights completely. Cars could be co-ordinated so that they avoid one another at road crossings. Not having to stop at road crossings would reduce congestion.
    The sensors in vehicles that check things like tyre and oil pressures, as well as brakes and engine performance, will also have a role. Pavan Mathew of Telefónica, a mobile-network operator, points out that many drivers dread the moment when a dashboard warning light flicks on. Remote monitoring and messaging can swiftly send a note to the driver about the extent of the problem.

    Vehicles’ diagnostic systems could also pick up faults before they are manifested as black smoke pouring from an exhaust pipe or a horrible grinding noise from the engine. Cars could then be brought in for repair before trivial problems develop into big ones. Following the lead of Tesla, a Californian maker of electric cars, more faults might one day be fixed remotely over the internet by a software upgrade.
    Indeed, checking on cars remotely has plenty of other possibilities that may reduce (or worsen) stress levels. Online services will allow, for instance, closer monitoring of the driving behaviour of teenagers beyond the basic warnings of aggressive braking or exceeding speed limits that the “black boxes” supplied by some insurance companies presently provide. And not just younger drivers. Insurers are likely to offer any driver a lower premium if technological monitoring of his driving habits shows he is being careful.

    Exactly who will deliver all these new motoring services is far from clear. It is by no means certain that it will be traditional carmakers, even though they are all busily developing, making and marketing increasingly connected vehicles. In the past consumers have expected the new technologies that appear in cars quickly to become standard features for which they pay little if anything extra. Electric windows, anti-lock brakes and power steering are now almost universal.

    The connected car, however, has created powerful new competitors in the motor industry’s traditional supply chain. And some of those new competitors are keen to win themselves a big slice of the action. These are mobile-telecoms operators, makers of networking gear, developers of V2V and V2I technologies, producers of consumer hardware and systems, software firms and creators of mobile apps.

    Cars will become bundles of different technologies, not only of devices but also of consumer brands, all vying for the driver’s attention in a sometimes uneasy alliance with carmakers. Apple and Google are locked in competition for control of the digital dashboard. In response to CarPlay, a vehicle-infotainment system developed by Apple, Google in June launched a rival called Android Auto.

    Mobile-phone operators see the connected car as yet another device to be hooked up to their networks. In America, AT&T is letting drivers of GM cars add their vehicles to their data plans, alongside their smartphones and tablets, for $10 a month. In future, which mobile network you use may affect your choice of car. In a recent poll Nielsen, a market-research firm, found that half of Americans who owned cars made since 2009 would be less likely to buy a new car if it had a different data plan from their smartphone.
    Invisible competitors

    Not everyone trying to get in on the act will be visible to the driver. All the data going to and from cars and infrastructure will have to be transmitted and processed. That adds to demand for chips, network equipment and data centres. Cisco, for example, envisages a lot of processing taking place not in the “cloud” of central data centres but more speedily and conveniently within a “fog” of intelligent networks.

    Fiat Chrysler’s boss, Sergio Marchionne, is worried that it will cost his company money to “provide a venue to host other people’s parties”
    Carmakers know they will have to share the benefits of the connected car. Some seem gloomy about their prospects of getting any of them at all. Fiat Chrysler’s boss, Sergio Marchionne, is worried that it will cost his company money to “provide a venue to host other people’s parties”. Some carmakers see more of an opportunity to profit as they could benefit beyond their share of the monthly charges for connectivity. Using the data to tweak the design and performance of their vehicles by identifying components that are more likely to cause problems will both help them to improve the cars they produce and cut warranty costs. Good connectivity should help to reinforce brand loyalty too.

    The relationship between carmakers and their customers is at arm’s length at present, operating through a dealership system that is reminiscent of that between handset-makers and operators. After selling a car through a franchised dealer, further interaction with car buyers is limited to a dealership visit every couple of years for a service (or sooner if there is a problem). Connectivity will bring the customer and carmaker closer together. Ship and forget will be supplanted by ship and update, which is what makers of computers and mobile devices do already. So far car companies seem unclear about what this will mean for how they do business.

    Getting closer to their customers should at least make the carmakers more responsive. The data can help manufacturers and dealers target customers more efficiently. As well as sending details of offers, dealers might better fit a particular car to a driver through an analysis of individual driving habits. They could suggest extra features that would suit some motorists, from hybrid technology to modest add-ons. Some carmakers are already miles along this road. Elon Musk, Tesla’s boss, laughs at the suggestion that his customers would accept anything less than a high degree of connectivity and interaction when he sells them an electric car.

    The data could help customers know more about cars too. Motorists will have the ability to find out the actual miles per gallon a car will do in the real world rather than trust the claims made by car companies, which use a box of tricks to make their vehicles unrealistically frugal during tests.

    Carmakers, usually conservative and slow-moving, are getting ready. Aside from the engine, body and interior, cars already contain lots of electrical architecture. Most of the big firms have set up connected-car groups to work alongside their electrical engineers to ensure that the hardware and software required for connectivity fit. Detroit’s car guys are deferring to techies, poached from the software industry, who are adept at dealing with app-makers and the like. Carmakers are looking closely at Tesla, which describes itself as a “software company that builds cars”, for inspiration.

    Connectivity will eventually change the way cars are integrated into transport systems. Car sharing, either through car clubs run by the big rental firms or peer-to-peer services, will be far easier when communication between vehicles and potential passengers is seamless and any car can be accessed and operated securely by any smartphone. Making journeys using several forms of transport, including a car, will be smoother if it is easier to find car-sharing locations or parking spaces close to connecting points for trains or buses.

    And with increasing automation and connectivity there will be less need to have to own or drive these vehicles yourself. Today’s experimental autonomous cars stuffed full of on-board sensors are only part of the solution. The development of systems that let cars talk to cars, and to the world beyond, will be just as important on the road to a driverless future.

  • Apple’s iOS 8, the latest version of the operating system for iPhone, iPad, and iPod, is now available. It’s pretty darn slick, and it’s what everyone who orders a new iPhone 6 will get when those devices start arriving on Friday. But the upgrade is also available for existing Apple devices. Should you upgrade right now?
    If your answer is an instinctive, “Heck, yeah; I’m in!” then read our guide and get going. 
    If you’re the more cautious type, take heed of these warnings:
    Warning 1: It takes a lot of space (temporarily).
    While the operating system itself is about a 1-gigabyte download (which is pretty big), your device needs even more breathing room to perform the update. Reports vary, but on an iPad 3, for example, you need at least 5.8 GB of free space. The update will not happen if you have less than that. On an iPad mini with Retina Display, one warning said 6.9 GB.

    That may mean you’ll have to delete a lot of music, videos, or apps before you can update. If you have a 16 GB device, the winnowing process might make you cry. Hint: Look at your video files first.
    You don’t have to sacrifice all that room for good; it’s just a playground for the installer during the surgery. Once the upgrade is complete, iOS 8 will let you use that space you freed up for your apps and files again.
    Read These 6 Warnings Before You Update Your iPhone or iPad to iOS 8
    One moment while I unload some videos.
    Warning 2: It’s slow to update (for now).
    On iOS 8’s birthday — today — there are millions of people trying to get the update simultaneously. That’s a lot of data coming out of Apple’s servers, and you won’t get the full-speed transfer you might see if you wait until the lines die down. Give the update some time.

    iOS 8 update estimate time of 5 hours
    That’s not good. Eventually I was forced to give up on this (see next screenshot) and got the file in about 40 minutes through my desktop computer.
    If you really can’t wait, you’ll have better luck if you can do the update via iTunes on your Mac or PC, with your device connected to the computer. As of Wednesday, it looks like a 30- to 50-minute download for the update file that way. Downloading the update file over WiFi to your iPhone or iPad generally takes longer. This morning, at the office where I work, the update app was projecting between five and seven hours to download. And then, after two hours, it gave up.
    iOS 8 error screen
    It didn’t even say why.
    Warning 3: Allow time for the installation.
    While you’re downloading the iOS 8 installer, you can keep using your phone or tablet. But after the download, the actual installation can take 30 minutes or more (it took me an hour) — during which time you can’t use your device. Don’t start the upgrade if you’ll need your gadget during that time.

    Warning 4: It might slow down your older device.
    iOS 8 works best on the latest Apple devices, which have much faster components than older ones. Apple says iOS 8 officially works on phone models as old as the iPhone 4s, and iPads as old as the iPad 2. But, in truth, you won’t get the same snappy responsiveness on those older devices, especially with processor-intensive services like Siri.

    Warning 5: Don’t accept the upgrade to iCloud Drive (yet).
    Apple is changing its online storage product. The older iCloud is being phased out, and the newer iCloud Drive is where Apple will now store all your files. It’s a Dropbox-like “online disk,” and it looks like an improvement from iCloud. You’ll be able to put files on it and access them from any Apple phone, tablet, or computer.

    iCloud Drive screenshot
    Just one thing, though: It requires the latest operating system on every device: iOS 8 on mobiles and OS X Yosemite on computers. And Yosemite isn’t out yet. So if you allow your device to upgrade from iCloud to iCloud Drive, your Mac won’t be able to see files saved from iOS, and your iOS device won’t be able to see the older iCloud files from your computer.
    So when given the option to “Upgrade to iCloud Drive,” decline. Once your Mac has the new operating system, go into Settings on your phone or iPad and turn iCloud Drive on at that point.
    iCloud Drive screenshot
    Warning 6: Save your iPhoto projects first.
    Apple is also discontinuing the iPhoto app on iOS devices; its replacement is an expanded version of the Photos app that’s always come on iPhones and iPads.

    If you use only the built-in Photos app, no problem; everything keeps working. But the Photos app doesn’t recognize the photo books and other projects created by the iPhoto app for iOS; you’ll lose that once you upgrade to iOS 8, since iPhoto doesn’t work at all on the new OS.Apple explains here how to make the shift, what you’ll be able to keep, and what you’ll lose.
    iOS 8 Update Completed screen

  • Virtual private networks were conceived to connect computers in different geographic locations as if they were part of one same local network. They rely on encryption, tunnel protocols and masking mechanisms to fulfill their purpose in a reliable and secure fashion. These same attributes which are indispensable to create safe networks through the internet have made VPNs the go to technology for anyone looking to keep their location and online activities private.
    In general, totally free high quality VPN services are few and far between. The current business model being used by some is to offer a free basic application with the option to upgrade to a paid, more feature rich version. However, for users simply looking for some extra privacy or sporadically accessing a geo-restricted website these free versions get the job done.


    CyberGhost installs clean and the interface is very polished. There are no bandwidth limits but whenever you change a setting in the program you get a popup window that offers upgrading to their premiums plans. Speed is slightly higher than the other services we have listed here but they restrict P2P traffic. This doesn’t affect video and audio streaming services but if you want anonymity downloading torrents this one is not for you. They have the widest list of options when it comes to IP selection with virtual locations in Germany, Spain, Romania, Luxembourg, France, Italy, aside from the usual US and UK locales. CyberGhost is available for Windows, Mac, Android, iOS and Linux (with some work). Another plus, you do not need to register.


    TunnelBear is another strong offering in the world of free VPNs. The interface is quite polished and easy to use, installation is clean and quick, and it was able to get us into all the online streaming services we tried – Hulu, BBC iPlayer, and YouTube. Speed was a bit lacking and there is a 500MB per month limit, but you can increase that to 1.5GB with a tweet right from the get go. You can choose virtual locations in the US, UK, Canada, Germany, Japan, Netherlands, and Italy. TunnelBear is available for Windows, Mac, Android and iOS after you register an account.


    SurfEasy is one of the most solid free alternatives out there. Speed is decent, installation is straightforward, encryption is supposedly “bank grade” and they clearly state none of your online activities are logged. You can change regions on the fly with servers in Brazil, US, Singapore, UK, Germany and Canada. The biggest deal breaker is that apparently their IP addresses have been blacklisted by some streaming services. At the time of writing SurfEasy wasn’t able to get us into Hulu or the BBC iPlayer. There's also a monthly data transfer limit of 500MB for free accounts and BitTorrent traffic is not supported -- the company had to choose between keeping user logs or dropping torrent support to avoid being liable of copyright infringement. They chose the latter.
    Although free accounts are capped at 500MB per month of traffic you can extend that limit indefinitely through referrals and several other pretty effortless mechanisms. SurfEasy isavailable for Windows, Mac, Android and iOS after you register for an account.

    Hotspot Shield

    Hotspot Shield is probably the best-known free VPN out there. It does all the basics and while speed is just average, it's good enough for streaming Hulu videos at medium resolution. All communications are encrypted and there is no data transfer limit. However, you'll have to tolerate ads while surfing. Be sure to go with the "advanced installation" option during setup otherwise your browser will end up with a different homepage and default search engine. Finally, you can’t change your virtual location which limits your online selection to U.S based services. Hotspot Shield is available for Windows, Mac, Android and iOS with no registration necessary.


    Spotflux is another free, ad-supported offering with no bandwidth limits. Speed is more or less on par with Hotspot Shield -- which is to say it's not the fastest of the bunch -- but besides encrypting your internet traffic they also promise protection online against malicious ads, cookies and malware. The client is quite simple with virtually no settings to deal with, which might a be a pro or con depending on your preferences. For the average user looking for an install and forget solution Spotflux does the trick. Their IP addresses seem to be U.S. based so it won't get you around blocks for services limited to other countries. It's also worth noting that at the time of writing they have been blacklisted from Hulu but had no issues with YouTube. Spotflux is available for Windows, Mac, Android and iOS. You don’t have to register for an account right away.
    Have you tried any of these programs? Have another one to add? Sound off in the comments.

  • Heartbleed is bad, but you can mitigate its damage, albeit via different approaches for users, admins, and developers

    Let's face it: Heartbleed is a bloody mess. Worse, it's a different kind of mess for everyone who has to clean up after it. Administrators, end-users, and software developers will all be confronted with aspects of Heartbleed that each can only deal with alone.
    Here's what each of them needs to do to mitigate the threats that matter most to them individually.

    In some ways users have it hardest since the only measures they can take are entirely reactive. They can't patch the actual sites they use (unless they've actually built them), but users can still do a great deal on their own.

    1. Check sites you visit for the vulnerability. When news of Heartbleed first broke, the only way to find if a given site was vulnerable was to check against one of a number of manually maintained lists of vulnerable sites or to use a third-party website that tested for the vulnerability. Fortunately, you don't have to do that by hand anymore as both Firefox and Chrome now have add-ons that can manually check the status of a visited site.

    2. Rotate passwords, but only after a site has been patched. This is the tricky part. On the whole, it's a good idea to rotate passwords after any security breach, but only after the breach itself has been closed. Otherwise, it's like changing locks on a door that's never closed anyway. To that end, rotate passwords on affected sites, but only after you're certain Heartbleed is no longer an issue there.
    If you're not already using a password manager, this is as good an excuse as any to get set up with one. And if you're using sites that support two-factor authentication of some kind but haven't bothered with it, this is also a good excuse to make use of it.

    Users of the LastPass password management service get two -- possibly three -- benefits for the price of one. The service not only manages passwords and syncs them across devices, but even lets you know if services are Heartbleed-vulnerable and whether or not it's a good idea to update the password yet (whether or not the site has patched and it's OK to rotate passwords).

    3. Enable certificate revocation checks in your browser. Certificate revocation determines if the SSL/TLS certificates used by your browser have been revoked, which many sites are in the process of doing to avoid reliance on keys that might have been compromised courtesy of Heartbleed. In Google Chrome, this is in Settings: Advanced Settings, under "Check for server certificate revocation." With Firefox, this is enabled by default, so you don't need to do anything. The CloudFlare blog has further notes about the behavior of each browser when dealing with certificate revocation.


    1. Patch affected systems.
    Before you say "duh," the trick is to find out which systems are affected. There may be more of these than you think, since OpenSSL may be employed in ways that aren't exclusively external, client-facing applications. Those are clearly the most important ones, but don't assume the inventory of affected systems ends there. Some Cisco products, for instance, may be vulnerable; ditto for Juniper Networks.

    Another, even trickier, example: Microsoft's implementations of TLS in Windows Server systems do not appear to be affected by Heartbleed, but that doesn't mean all software running on Windows boxes is unaffected. Some of that software may implement OpenSSL in its own way and need to be updated separately from anything else.

    2. Reissue and revoke certificates. Don't flinch. Reissuing and revoking certificate keys is dirty work, but it needs to be done, and even (especially!) big outfits like Akamai have started that difficult job since compromised certificates have to be revoked within 24 hours. Make sure the new certificates are properly credentialed and follow proper guidelines; don't end up like PayPal, which had some of its new certificates issued in the wrong name ("PayPal, Inc.\0a").


    1. Audit your code for the use of OpenSSL.
    Do an audit on all your own projects to determine where or if you are using OpenSSL, then patch or update appropriately. The bigger the project, the more likely it is to contain some dependency on OpenSSL.

    2. Get the changes out there. Make sure any products you've updated can get into the hands of users all the faster. For example, Android 4.1.1 is affected (but not earlier versions of Android), and while Google is distributing patches to its hardware partners, who knows how long it'll take before those patches actually hit affected devices. Don't be like that if you can help it.

    3. Consider alternatives to OpenSSL if it's feasible. OpenSSL is not the only game in town; other libraries exist. This isn't to say they're drop-in replacements or won't manifest problems of their own, but now might be the time to think about where they could be of use.

  • Mobile phones may be treated like playthings these days. However, these flashy gadgets can prove dangerous if not handled with care. Several instances have been reported about the phones blasting off suddenly, the latest victim of which was a 14-year-old child of daily wage workers from Seoni. The blast was so bad that the boy narrowly escaped death and ended up with severe disfigurement to his jaw, nose, mouth and face. TOI tells you the do's and don'ts of handling mobile phones.

    What are the things to be kept in mind while buying mobile phones?
    Buy a branded phone as far as possible. Ensure that the phone has a proper IMEI number, which is a code that identifies each phone. Check that the number on the phone corresponds to that on the box and receipts.
    It is considered wise to check the accessories such as earphones, battery and charger. Make sure the battery description such as voltage value matches with that of the charger to avoid overcharging which sometimes lead to explosion of handset.

    How and why do mobile phone blasts happen?
    The most common reasons for a cell phone to explode are using it while the phone is being charged and 'call bombing'. Charging puts pressure on the motherboard of the phone, using it during charging increases this pressure manifold. This causes the cheap electronic components in some mobiles to explode. Call bombing refers to calls or missed calls received from international numbers. If one receives or calls these numbers back and the call exceeds a certain amount of time, the phone will blast. There is also a malware, or bug, found in some Android-based smartphones, that can also cause explosion by exerting extra pressure on the motherboard during charging.

    What care should be taken to ensure not much pressure is put on the phone?
    Avoid using the phone while the battery is being charged. If you wish to receive a call during this time, disconnect the phone from charger before connecting the call. Ensure it is not over-charged by removing the electric supply when the battery is fully charged. If your battery seems to have swollen, replace it immediately.

    Why is it dangerous to buy cheap phones?
    Most cheap models, like those of Chinese make, use hardware and components that are not branded and often substandard. The quality of vital accessories such as battery and earphones are compromised which can have disastrous outcome. Such components cannot be used continuously for as long as their high-quality substitutes. Their shelf life is also shorter.

    Is it more harmful to surf internet or download anything on mobile phones?
    Yes, because the anti-virus softwares for mobile phones are not as effective. That is why one should avoid downloading anything from a third party vendor, ie directly from the internet browser. Instead use the in-built store or market application provided by the operating system. Malware, which is software that creates a bug in the operating system of the phone, often gets downloaded with third party tools. The sites that you visit using the phone must start with an https (which means they are encrypted or safe sites).

    Avoid using public or unsecured Wi-Fi connections. A hacker could access the mobile device through a port that is not secured. Make sure the Bluetooth connectivity is not switched on in public places as it can be used to send malicious files which corrupt the operating system.

    Are there certain precautions that must be practiced while using a mobile phone?
    While communicating using your cell phone, try to keep the cell phone away from the body as this would reduce the strength of the electromagnetic field of the radiations. Whenever possible, use the speaker-phone mode or a wireless bluetooth headset. For long conversations, use a landline phone.

    Avoid carrying your cell phone on your body at all times. When in pocket, make sure that key pad is positioned toward your body so that the transmitted electromagnetic fields move away from you rather than through you. Do not keep it near your body at night such as under pillow or a bedside table, particularly if pregnant. You can also put it on 'flight' or 'offline' mode, which stops electromagnetic emissions. Avoid using your cell phone when signal is weak or when moving at high speed, such as in car or train.

    How to deal with a wet phone?
    After removing the phone from water, dismantle it by removing battery, SIM and memory cards and switch it off (only SIM card in case of an iPhone). Dry each component thoroughly (but gently) with a towel until the phone is dry to the touch. Then put all components in a bowl of uncooked rice in a way that all components are totally covered. If you have any silica packets (the ones that come with products like new shoes), put them in to the bowl too. Leave it there for 12-24 hours.

    Never use a hair dryer to try to dry the phone quicker. Drying it with a heated hair dryer can cause important parts to melt, while forcing water further into the phone. Drying it will a cold hair dryer will just force water deeper into the phone.

    Why you shouldn't hold your mobile in your mouth?
    Using mobile phones too close to your mouth regularly or holding cell phone in your mouth frequently could lead to malignant salivary gland cancer and tumors in mouth. Regular cell phone users who speak with the phone held too close to the mouth face the problems of sleep disturbance, migraine and headache.