According to findings from Tariff Consultancy, the average cloud computing price for enterprises has dropped by two-thirds since 2014. Tariff found that an average entry-level cloud computing instance is currently valued at 12 cents per hour for Windows users, with cloud services now employed by enterprises across a range of crucial applications.

The cost of the public cloud appears to have stabilized. Amazon Web Services, Google, and Microsoft offer comparable entry-level compute-instance pricing, as do other providers.

Despite such low prices, I still hear complaints from IT about the cost of cloud.

The actual cost of the cloud is not for the services themselves. That’s a small part. The real money goes to the people, tools, time, and risk mitigation. IT shops that look at only the cost of AWS versus Microsoft are missing a huge part of the equation. And they’re the ones that get sticker shock when they see the entire cost of cloud-based migrations, including new development and operations, that have little to do with the cost of compute instances.

I advise that you consider the cost holistically. That means working up a well-thought-out TCO (total cost of ownership) model that considers all aspects of the cost of moving to the cloud, such as people, migration, security, operations, and testing. You need to then balance that cost with the value of agility and time to market, which are typically huge for most enterprises.

That analysis usually shows that moving to the cloud is more cost-effective than leaving the applications and data where they are, in your data center. But using the cloud is not as cheap as it may seem from those compute prices.

Source: InfoWorld

http://www.infoworld.com/article/3023039/cloud-computing/the-cloud-is-a-bargain-but-its-not-cheap.html

Intel announced that its 6th Gen (Skylake) Core vPro processors are now available for purchase. With Skylake, Intel opted to introduce a new security technology called Intel Authenticate to increase the amount of protection provided by vPro processors.

The Intel Authenticate software is still in development, but users are now able able to preview and test the software themselves. The software uses multiple authentication factors in order to determine who is accessing the system and ensure it is the correct person. The system supports up to three hardened factors that can consist of an item you have such as a smartphone or ring, a physical feature such as a retinal scan or fingerprint, or something you need to remember such as a password.

If the software is configured to use three identification factors, then just entering your password or scanning your fingerprint won’t be enough to grant you access to the system. This software uses the vPro hardware in order to enhance the accuracy of these authentication factors, and it is not supported on non-vPro processors. Intel Authenticate is compatible with Windows 7, 8, 8.1 and 10.

Systems using the Skylake vPro processors are now available from several OEMs including Acer, Asus, Dell, Fujitsu, HP, Lenovo, Panasonic and Toshiba.

Source: Tomshardware

http://www.tomshardware.com/news/intel-skylake-vpro-intel-authenticate,31032.html

When it comes to online banking, sub-optimal encryption isn’t our biggest concern

Posted on 06 January 2016 by Martijn Grooten

https://www.virusbtn.com/blog/2016/01_06.xml

Malware authors and scammers won’t attack the crypto.

Under the headline “no zero-day necessary”, Xiphos has published a rather scary blog post on the state of SSL security within the UK’s finance industry. It concludes that more than 50% of UK-owned retail banks have weak SSL implementations on their online banking sites, with 14% of them getting the lowest grade on Qualys‘sSSLLabs service.

This isn’t good. Banking is largely based on trust, and getting IT security right should play an important role in being trusted. But we should be careful not to confuse sub-optimal security with a likelihood of this leading to actual attacks.

Of the vulnerabilities Xiphos mentions, CRIME and POODLE are the most serious. They make it easy for an attacker with a man-in-the-middle position to steal secure session cookies, thus allowing them to hijack a browsing session. This simply should not be possible on a site where people manage their finances.

However, cybercriminals rarely use man-in-the-middle attacks. For them, the fact that they often don’t scale well and can’t be performed remotely, makes such attacks rather uninteresting. Moreover, most banks mitigate session-hijacking attacks by requiring the user to authenticate transactions through a second channel. Hence it isn’t surprising that there have been no known instances of CRIME or POODLE having been used in the wild.

The other weaknesses mentioned, such as the support for RC4, the lack of support for TLS 1.2 and the use of SHA-1 certificates, can only be abused in a purely theoretical setting (in the case of RC4), or not at all.

Interestingly, the blog post doesn’t mention the fact that many banks — including the four main UK retail banks — don’t use HTTPS by default on their main site. Given that this is how many users browse to their online banking service, an attacker with a man-in-the-middle position, or malware running on the user’s system, could trivially modify the link to a site they control. After all, no encryption is infinitely worse than sub-optimal encryption.

Still, this isn’t the thing users should be most concerned about. It would be far better if they concerned themselves with becoming more aware of the various ways in which malware and scams try to steal their money — none of which attack the encryption protocols the bank uses.

It is good to hold banks accountable when it comes to security on their websites. But we have to be realistic about where the actual risks are. They are not in the crypto.

In March, I will give a talk, “How Broken Is Our Crypto Really?“, on this subject at the RSA Conference in San Francisco.

Ask almost any exhausted parent, and he or she will agree that kid-centric video apps are a pretty useful invention. YouTube Kids is an app for iOS and Android that targets the preschool set with a wide selection of free clips of cartoons, educational programs and other generally anodyne content. But it may not be as innocent as it seems, thanks to advertisements that blur the line between content and hawking products.

The Georgetown Law Institute for Public Representation, along with eight children’s advocacy groups, penned a document to the FTC entitled “Request for Investigation into Google’s Unfair and Deceptive Practices in Connection with its YouTube Kids App,” and asking the commission to investigate. The 60-page document alleges that the app mixes actual content and commercials in a way that children cannot meaningfully distinguish, and that such behavior would never fly on broadcast or cable TV.

Google advertises YouTube Kids as an app “designed for curious little minds to dive into a world of discovery, learning and entertainment.” While its content matches its mission statement, Georgetown Law argues that some of the content blurs the line between entertainment and commercial.

For example, many of the videos available on the service are user-created toy and candy “unboxing” videos, which highlight excited consumers getting their hands on a new product for the first time. These reviewers often receive products directly from the companies they review, and do not disclose this information in a way that very young children can understand.

While these videos are not advertisements in the strictest sense, they would probably violate FCC television standards that disallow children’s show hosts from hawking particular products. (Young children, generally speaking, have more trouble differentiating ads from entertainment than their older siblings and parents.)

Branded channels also present something of a challenge. The Lego channel, for example, provides cartoons and webisodes about Lego characters, but also hosts full TV commercials for Lego products. Other companies, like McDonald’s, host a mix of narrative content and straight-up ads as well.

Despite speaking out against commercial content, Georgetown Law takes little issue with the actual ads that YouTube Kids shows in-between videos. They tend to be public service announcements for organizations like the U.S. Forestry Service or Adopt U.S. Kids, which, as advertisements go, are fairly inoffensive — arguably even wholesome.

Source: tomshardware

http://www.tomsguide.com/us/youtube-kids-confuses-audiences,news-20746.html

Let’s Encrypt certificate used in malversiting

We’d better get used to a world where malicious traffic is encrypted too.

According to some people, myself included, Let’s Encrypt was one of the best things that happened to the Internet in 2015. Now that, as of December, the service is in public beta, anyone can register certificates for domains they own, in a process that is both easy and free.

Cybercriminals have noticed this too, and rather unsurprisingly, Trend Micro reports that a certificate issued byLet’s Encrypt was used in an Angler exploit kit-powered malvertising campaign, to make the malicious advertisements harder to detect.

What makes this case particularly interesting is the fact that the domain for which the certificate was issued was the subdomain of a legitimate site, whose DNS was compromised. As domain-based reputation isn’t usually granular enough to distinguish between subdomains, this could have helped them avoid detection even further.

Let’s Encrypt only issues Domain Validation certificates, which don’t do more than validate the domain; hence it doesn’t believe it needs to police the content of the domains for which it issues certificates, although as a possibly temporary compromise, the domains are checked against Google‘s Safe Browsing API before a certificate is issued.

I agree with Let’s Encrypt here. I think our goal should be to encrypt all Internet traffic, and if bad traffic gets encrypted too, then that is a feature of the system, not a bug. Given how easy it is to register certificates, more policing would simply lead to a cat-and-mouse game. And there is also the danger of a slippery slope, where governments and interest groups start to pressure Let’s Encrypt to revoke the certificates of sites they perceive as bad.

We’ll just have to accept that more and more traffic is encrypted and find ways to block malicious activity in an environment where all traffic is encrypted.

Of course, this particular case is a little different: the exploit kit users in this case didn’t “own” the subdomain; they were merely able to point it to their own server. It might be worth Let’s Encrypt considering an automatic way in which domain owners can revoke certificates issued to subdomains. But that may well complicate the whole process and make little impact in practice. After all, for a successful malware campaign, domains only need to be active for a very short period of time.

If you’ve been telling people that the mere presence of a ‘lock icon’ in the address bar is a sign that a site is harmless, now is really the time to stop doing that.

https://www.virusbtn.com/blog/2016/01_08.xml

Posted on 08 January 2016 by Martijn Grooten.

It isn’t often that Microsoft is the company to watch for the new year. But it will be in 2016.

CEO Satya Nadella and his team have shaken things up, surprising customers with better products, a continuing move to the cloud, an embrace of open source, and a willingness to stand up for user privacy in the face of government pressure.

We even have to acknowledge a success that was born in the bad old days of Steve Ballmer: Microsoft’s largely successful do-over on Windows 10. Being rooted in the PC era is problematic, to say the least, but the Surface Book is (surprise) an exciting product that shows that the company is taking an old-school product as far as it can go. It’s even matched — or maybe outdone — Apple with the newest Surface Pro tablet.

There are still major challenges, and if any one area is liable to trip up the Redmonders it’s mobile. The ill-conceived purchase of Nokia cost billions, and even worse is the failure to develop a coherent mobile strategy years after it became a necessity.

But the balance sheet is now definitely tilted in Microsoft’s favor, which couldn’t be said a few years ago. Wall Street makes a lot of bad calls when it comes to technology companies, but it’s revealing that Microsoft’s price-to-earnings ratio, a measure of future expectations, is higher than Apple’s.

Beating the PC makers at their own game

Flawless execution is something few companies achieve, and Microsoft is no exception. Both Windows 10 and the Surface Book have problems that can’t be ignored. But unlike Windows Vista or Windows 8, Windows 10’s problems are fixable, and so are the issues plaguing the Surface Book.

Microsoft entered the hardware space a few years ago when it became clear that none of the PC makers were likely to produce a decent Windows tablet. The original Surface, particularly the weird and nearly useless Surface RT version, wasn’t successful — in fact, it cost the company a $900 million writedown.

Contrast that kludge with the new Surface Pro 4. It’s expensive, but it’s powered by Intel’s new Skylake processor, and Microsoft has reworked the heat distribution system to allow those chips to run at full speed so that they can tear through demanding applications.

Similarly, Microsoft entered the PC space because the PC makers were boring the buying public to death with unimaginative hardware larded with annoying, and sometimes contaminated, bloatware. You can read the reviews yourself, but suffice it to say that the Surface Book is, to quote my colleague Woody Leonhard, “one sexy piece of hardware.” When was the last time you heard someone who is often critical of Microsoft say something like that?

Microsoft won’t bank tons of money selling such an expensive machine, but clearly the company aims to push the PC makers into making better products, an essential step in keeping the Windows franchise afloat. It also wants to push the PC makers into dialing way back on bloatware, which is why the Microsoft Store sells bloatware-free Signature Editions of PCs made by other companies.

From open source to augmented reality

You don’t have to go back many years to find evidence of Microsoft’s arrogant rejection of the open source community. That’s been changing for some time, and as the company struggles to keep developers on its side, open source has become even more important.

There was a key development on that front last month when Microsoft announced plans to open-source its Chakra JavaScript engine. It shows, as my colleague Serdar Yegulalp wrote, “that Microsoft wants to become a player in the JavaScript ecosystem that has ambitions to be a near-universal runtime for every kind of software.”

There isn’t a huge amount of money here, but the Chakra strategy is indicative of a new openness and willingness to work in environments where Microsoft is not in a position to dominate the playing field.

Then there’s HoloLens. Sure, it’s been delayed a few times, but I’m excited to see Microsoft garner buzz — it practically eclipsed Windows at Microsoft’s January 2015 public preview. More important, it shows a willingness to go beyond the corporate comfort zone.

Writing at Ars Technica, Peter Bright put it this way: “With HoloLens I saw virtual objects — Minecraft castles, Skype windows, even the surface of Mars — presented over, and spatially integrated with, the real world.”

Augmented reality has the potential to be more than a cool toy. Companies like Epson have already developed and sold units that help field technicians fix complex devices and warehouse workers pick products from shelves. This field is crowded, and it will take some doing for Microsoft to succeed, but its willingness to risk it speaks volumes.

I don’t mean to minimize Microsoft’s weakness or defend boorish behavior like its annoying campaign to push users to download Windows 10. But having watched Microsoft decline as a relevant tech power over the years, I see a lot of reasons to expect a continued resurgence. Watch it carefully in 2016.

Source: InfoWorld

http://www.infoworld.com/article/3019721/microsoft-windows/microsoft-is-the-company-to-watch-in-2016.html

We know of several new SSD controllers slated for release in 2016, but the Phison PS5007-E7 is one of the most interesting. We first spotted the E7 at Computex, and it was already working well enough to run some performance tests. Phison has been fine-tuning the controller for 2D (1x, 1y, 1z) and next generation 3D NAND flash over the last several months.

This isn’t the first time we’ve spotted a working sample, but as you can see, the Zotac R&D model looks production-ready. This version pairs the Phison PS5007-E7 controller with Toshiba’s 15nm multi-level cell flash. The claimed performance is up to 2500 MB/s sequential read and 1,200 MB/s sequential write.

Zotac told us that this is the first and only model for a product that has yet to receive an official name. The drive just arrived from Hong Kong this morning, so it is a prototype. Upon arrival to Las Vegas, Zotac installed Windows and a few game demos on the drive. The game demos are running from the drive in the suite. This is the first time a public demo on an E7 ran with a real-world workload.

This is also the first time we’ve seen the E7 in a non-M.2 design outside of Phison’s office. All of the other E7 proposed products took the shape of M.2 2280 and 22110 form factors. The Zotac drive is a true AIC (add-in card) like the Intel SSD 750. AIC cards allow the drive to use more PCB surface area to increase NAND flash parallelization and consume more power. This leads to higher performance for end users.

Zotac’s primary business is gaming products. The company started out selling video cards exclusively, but it has expanded to other products like small form factor PCs and now solid-state drives. The future PCIe-based SSD takes on a gamer feel with large branding.

Zotac stated that the new drive could be ready as early as next month, but that contradicts what Phison has stated over the last few days. We don’t expect to see a retail E7-based product until Computex in June or Flash Memory Summit in August.

Source: toms hardware

http://www.tomshardware.com/news/zotac-phison-e7-ssd,30903.html

A Short History of Computer Viruses

There aren’t that many mechanical keyboard switches on the market. Cherry and Kailh switches are by far the most ubiquitous, but there are several others that you’ll bump into, as well. Greetech and TTC are two switch makers that we’ve seen on shipping products recently, and some keyboard OEMs have also begun crafting their own, including Logitech G’s Romer switches, EpicGear’s EG switches and Razer’s Green (and Orange) switches.

Tackling Misconceptions

Of the above, few are as misunderstood as Razer’s Green switches. It’s a common misconception that they’re just rebranded Kailh switches, but that is not the case. It is true that Kailh (Kaihua Electronics) is one of the manufacturers of the Razer Green switch, but Razer has them made to its own specifications.

That is to say, they are not identical to any Kailh switch.

The Razer Green switches even run on different production lines than Kailh switches. Further, Kailh is not the only manufacturer to produce the Razer Green switch. Razer will not divulge who any other manufacturing partners are, but Kaihua Electronics is not the sole supplier.

So, The Switch

Anyone that has mistaken a Razer Green switch for a Cherry MX or Kailh Blue could be forgiven, as they all feel rather similar. In all three, you get a nice, fat tactile bump along with a definitive, loud “click.” There are subtle differences, and they’re worth exploring, but the average user is unlikely to be able to determine which of these three switches are under their fingers without directly comparing them to one another. It is, however, possible that more particular or discerning users would notice.

Partially, this was by design. Razer had used Cherry switches on its keyboards in the past, and so it opted for a backwards-compatible stem and buckle design when creating its own switch.

Personally, I feel like the Razer Green is a little smoother than Cherry or Kailh Blues (although it could partially be an illusion because of the soft-touch Razer key caps), and the bottom portion of the travel (past the tactile bump) feels and sounds a bit like a linear Red switch. That is to say, to me the Razer Green switch comes off as something of a hybrid of two switch types.

It was certainly Razer’s design to create a fast-action switch that also had some tactility — a switch, it says, that was designed from the beginning for gaming. (Razer reps said that when they developed the switch, they enlisted pro esports gamers to try them out in real-life scenarios and were able to tweak the end design from there. This design is the result of that feedback.) Note that in the specification comparison table below that, indeed, the delta between the actuation and reset points (that is, the physical distance between when the switch engages and when it resets so that it can be pressed again) is significantly smaller than the competing Blue switches.

Debunking the myths around secure passwords

Most websites that we use today generally give you feedback on the passwords that you have created when setting up a new account, rating them either weak or strong. They also advise you to use a mix of upper and lower case letters, along with numbers, to ensure a secure password. However good the advice may be, it doesn’t tell you exactly which order the mix should be in.

By sheer coincidence, it appears that all of us tend to put the upper case letters at the start of the passwords with the numbers taking up the final spaces. This was discovered by a group of security experts who work for Eurecom, an investigation institute based in France.

The results of their study, presented at the last ACM Conference on Computer and Communications Security in Denver, has shown that we are confusing what constitutes a secure password, and that this is putting out privacy at risk.

The programs traditionally used by cybercriminals to guess passwords only handled certain combinations until finding the right one.

However, modern methods aren’t based on random guess work. Criminals can now train the software with large lists of passwords – such as the 130 Adobe user passwords that were leaked in 2013 – so as to find the most common combinations. This method allows them to have a greater chance of success in their attacks.

Using this premise as a base, the experts have used a program – similar to the one used by the criminals – to analyze over 10 million passwords. They’ve done this to compile a list of the easiest passwords for criminals to guess.

The result is a “predictability index” that they tested on another 32 million passwords to verify its effectiveness. According to the results, the least common passwords were the most secure. This means that it is important to have a long password that includessymbols as opposed to just upper and lower case letters.

The aim for users from now on should be to create passwords that are not at all predictable, no matter if they include numbers, upper case, or lower case letters. The group behind the study say that passwords should be longer, even adding a few extra words in necessary.

Their investigation should help people to become more aware when creating new login codes which will help to protect their accounts better. Although they can’t guarantee a bulletproof way of creating passwords, they assure us that their method is the safest yet.

On the other hand, the investigators advise that technology companies begin to place less emphasis on passwords as a means of accessing accounts, and that they look at alternative means where possible. There are always new ways of decrypting login details, which makes them ever more ineffective.

BY PANDA SECURITY

NOVEMBER 18, 2015

Original Post