Sunday, June 19, 2016

Apple says iPhones still available for sale in China


Apple Inc said its iPhone 6 and 6 Plus were still available for sale in China after Beijing's intellectual property regulators barred their sales saying the designs had infringed a patent held by a Chinese company.

"We appealed an administrative order from a regional patent tribunal in Beijing last month and as a result the order has been stayed pending review by the Beijing IP Court," Apple said in a statement on Friday.

The notice, dated May 19, banning sales of certain iPhone models in Beijing was posted on a Chinese government website.

The Chinese market is vital to Apple, driving more of its sales than any other region outside the United States. But the tech giant has faced greater scrutiny there in recent months, with its online book and film services blocked by Chinese regulators earlier this year.

Apple historically had enjoyed favorable treatment in China, but Beijing’s crackdown on the iPhone 6 and 6 Plus is a reminder that the tech giant is not immune to the scrutiny that other U.S. tech firms have long faced in the country, said analyst Colin Gillis of BGC Partners.

“There’s a variety of risks of having dependence on sales in China to Apple, and government intervention in whatever form is one of them,” he said.

Last month, Apple announced that it would invest $1 billion in Chinese ride-hailing firm Didi Chuxing, a move that was widely viewed as an attempt to shore up relations in China.

Effective IT security habits of highly secure companies


You're far more vulnerable to hackers than you think. Here are the secrets to staying secure


When you get paid to assess computer security practices, you get a lot of visibility into what does and doesn’t work across the corporate spectrum. I’ve been fortunate enough to do exactly that as a security consultant for more than 20 years, analyzing anywhere from 20 to 50 companies of varying sizes each year. If there’s a single conclusion I can draw from that experience, it’s that successful security strategies are not about tools -- they're about teams.

With very good people in the right places, supportive management, and well-executed protective processes, you have the makings of a very secure company, regardless of the tools you use. Companies that have an understanding of the importance and value of computer security as a crucial part of the business, not merely as a necessary evil, are those least likely to suffer catastrophic breaches. Every company thinks they have this culture; few do.

The following is a collection of common practices and strategies of the most highly secure companies I have had the opportunity to work with over the years. Consider it the secret sauce of keeping your company's crown jewels secure.

Focus on the right threats

The average company is facing a truly unprecedented, historic challenge against a myriad of threats. We are threatened by malware, human adversaries, corporate hackers, hacktivists, governments (foreign and domestic), even trusted insiders. We can be hacked over copper wire, using energy waves, radio waves, even light.

Because of this, there are literally thousands of things we are told we need to do well to be “truly secure.” We are asked to install hundreds of patches each year to operating systems, applications, hardware, firmware, computers, tablets, mobile devices, and phones -- yet we can still be hacked and have our most valuable data locked up and held for ransom.


Great companies realize that most security threats are noise that doesn’t matter. They understand that at any given time a few basic threats make up most of their risk, so they focus on those threats. Take the time to identify your company’s top threats, rank those threats, and concentrate the bulk of your efforts on the threats at the top of the list. It’s that simple.

Most companies don’t do this. Instead, they juggle dozens to hundreds of security projects continuously, with most languishing unfinished or fulfilled only against the most minor of threats.

Think about it. Have you ever been hacked using a vector that involved SNMP or an unpatched server management interface card? Have you even read of such an attack in the real world? Then why are you asking me to include them as top priorities in my audit reports (as I was by a customer)? Meanwhile, your environment is compromised on a near daily basis via other, much more common exploits.

To successfully mitigate risk, ascertain which risks need your focus now and which can be left for later.

Know what you have

Sometimes the least sexy stuff helps you win. In computer security, this means establishing an accurate inventory of your organization’s systems, software, data, and devices. Most companies have little clue as to what is really running in their environments. How can you even begin to secure what you don’t know?

Ask yourself how well your team understands all the programs and processes that are running when company PCs first start up. In a world where every additional program presents another attack surface for hackers, is all that stuff needed? How many copies of which programs do you have in your environment and what versions are they? How many mission-critical programs form the backbone of your company, and what dependencies do they have?

The best companies have strict control over what runs where. You cannot begin that process without an extensive, accurate map of your current IT inventory.

Remove, then secure

An unneeded program is an unneeded risk. The most secure companies pore over their IT inventory, removing what they don’t need, then reduce the risk of what’s left.

I recently consulted for a company that had more than 80,000 unpatched Java installations, spread over five versions. The staff never knew it had so much Java. Domain controllers, servers, workstations -- it was everywhere. As far as anyone knew, exactly one mission-critical program required Java, and that ran on only a few dozen application servers.

They queried personnel and immediately reduced their Java footprint to a few hundred computers and three versions, fully patching them across most machines. The few dozen that could not be patched became the real work. They contacted vendors to find out why Java versions could not be updated, changed vendors in a few cases, and implemented offsetting risk mitigations where unpatched Java had to remain.

Imagine the difference in risk profile and overall work effort.

This applies not only to every bit of software and hardware, but to data as well. Eliminate unneeded data first, then secure the rest. Intentional deletion is the strongest data security strategy. Make every new data collector define how long their data needs to be kept. Put an expiration date on it. When the time comes, check with the owner to see whether it can be deleted. Then secure the rest.

Run the latest versions

The best security shops stay up on the latest versions of hardware and software. Yes, every big corporation has old hardware and software hanging around, but most of their inventory is composed of the latest versions or the latest previous version (called N-1 in the industry).

This goes not only for hardware and OSes, but for applications and tool sets as well. Procurement costs include not only purchase price and maintenance but future updated versions. The owners of those assets are responsible for keeping them updated.

You might think, “Why update for update’s sake?” But that’s old, insecure thinking. The latest software and hardware comes with the latest security features built-in, often turned on by default. The biggest threat to the last version was most likely fixed for the current version, leaving older versions that much juicier for hackers looking to make use of known exploits.

Patch at speed

It’s advice so common as to seem cliché: Patch all critical vulnerabilities within a week of the vendor’s patch release. Yet most companies have thousands of unpatched critical vulnerabilities. Still, they’ll tell you they have patching under control.

If your company takes longer than a week to patch, it’s at increased risk of compromise -- not only because you’ve left the door open, but because your most secure competitors will have already locked theirs.

Officially, you should test patches before applying, but testing is hard and wastes time. To be truly secure, apply your patches and apply them quickly. If you need to, wait a few days to see whether any glitches are reported. But after a short wait, apply, apply, apply.

Critics may claim that applying patches “too fast” will lead to operational issues. Yet, the most successfully secure companies tell me they don’t see a lot of issues due to patching. Many say they’ve never had a downtime event due to a patch in their institutional memory.

Educate, educate, educate

Education is paramount. Unfortunately, most companies view user education as a great place to cut costs, or if they educate, their training is woefully out of date, filled with scenarios that no longer apply or are focused on rare attacks.

Good user education focuses on the threats the company is currently facing or is most likely to face. Education is led by professionals, or even better, it involves co-workers themselves. One of the most effective videos I’ve seen warned of social engineering attempts by highlighting how some of the most popular and well-liked employees had been tricked. By sharing real-life stories of their fallibility, these co-workers were able to train others in the steps and techniques to prevent becoming a victim. Such a move makes fellow employees less reluctant to report their own potential mistakes.

Security staff also needs up-to-date security training. Each member, each year. Either bring the training to them or allow your staff to attend external training and conferences. This means training not only on the stuff you buy but on the most current threats and techniques as well.

Keep configurations consistent

The most secure organizations have consistent configurations with little deviation between computers of the same role. Most hackers are more persistent than smart. They simply probe and probe, looking for that one hole in thousands of servers that you forgot to fix.


Here, consistency is your friend. Do the same thing, the same way, every time. Make sure the installed software is the same. Don’t have 10 ways to connect to the server. If an app or a program is installed, make sure the same version and configuration is installed on every other server of the same class. You want the comparison inspections of your computers to bore the reviewer.

None of this is possible without configuration baselines and rigorous change and configuration control. Admins and users should be taught that nothing gets installed or reconfigured without prior documented approval. But beware frustrating your colleagues with full change committees that meet only once a month. That’s corporate paralysis. Find the right mix of control and flexibility, but make sure any change, once ratified, is consistent across computers. And punish those who don’t respect consistency.

Remember, we’re talking baselines, not comprehensive configurations. In fact, you’ll probably get 99 percent of the value out of a dozen or two recommendations. Figure out the settings you really need and forget the rest. But be consistent.
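A small drift check in the spirit of the baseline advice above, as an added example that is not part of the original article. The roles, package versions, setting names and inventory records are all constructed for illustration; a real check would read them from your inventory system.

```python
from collections import defaultdict

# Approved baselines per role (constructed). Only the handful of settings
# that matter are tracked, not the full configuration of each machine.
BASELINES = {
    "web": {
        "packages": {"nginx": "1.10.1", "openssh-server": "7.2p2"},
        "settings": {"tls_min_version": "1.2", "remote_admin": "ssh-only",
                     "password_auth": "off"},
    },
    "db": {
        "packages": {"postgresql": "9.5.3", "openssh-server": "7.2p2"},
        "settings": {"remote_admin": "ssh-only", "password_auth": "off"},
    },
}

# Constructed inventory snapshot, one record per host.
INVENTORY = [
    {"host": "web01", "role": "web",
     "packages": {"nginx": "1.10.1", "openssh-server": "7.2p2"},
     "settings": {"tls_min_version": "1.2", "remote_admin": "ssh-only",
                  "password_auth": "off"}},
    {"host": "web02", "role": "web",
     "packages": {"nginx": "1.8.0", "openssh-server": "7.2p2",
                  "telnetd": "0.17"},
     "settings": {"tls_min_version": "1.0", "remote_admin": "ssh-only",
                  "password_auth": "off"}},
    {"host": "db01", "role": "db",
     "packages": {"postgresql": "9.5.3", "openssh-server": "7.2p2"},
     "settings": {"remote_admin": "ssh-only", "password_auth": "on"}},
    {"host": "old-app", "role": "legacy", "packages": {}, "settings": {}},
]


def host_drift(record, baselines):
    """Return a sorted list of (kind, name, expected, actual) deviations."""
    baseline = baselines.get(record["role"])
    if baseline is None:
        # A host whose role has no baseline cannot be compared at all.
        return [("role", record["role"], "baselined role", "no baseline")]
    findings = []
    for name, want in baseline["packages"].items():
        have = record["packages"].get(name)
        if have != want:
            findings.append(("package", name, want, have or "missing"))
    for name in record["packages"].keys() - baseline["packages"].keys():
        # Software outside the baseline is unapproved attack surface.
        findings.append(("package", name, "absent", record["packages"][name]))
    for name, want in baseline["settings"].items():
        have = record["settings"].get(name)
        if have != want:
            findings.append(("setting", name, want, have or "unset"))
    return sorted(findings)


def drift_report(inventory, baselines):
    """Map each deviating host to its findings; compliant hosts are omitted."""
    report = {}
    for record in inventory:
        findings = host_drift(record, baselines)
        if findings:
            report[record["host"]] = findings
    return report


def compliance_by_role(inventory, baselines):
    """Return {role: (compliant_hosts, total_hosts)}."""
    totals = defaultdict(lambda: [0, 0])
    for record in inventory:
        totals[record["role"]][1] += 1
        if not host_drift(record, baselines):
            totals[record["role"]][0] += 1
    return {role: tuple(counts) for role, counts in totals.items()}


if __name__ == "__main__":
    for host, findings in drift_report(INVENTORY, BASELINES).items():
        for kind, name, want, have in findings:
            print(f"{host}: {kind} {name}: expected {want}, found {have}")
    print(compliance_by_role(INVENTORY, BASELINES))
```

An empty report is the boring comparison the section asks for; anything listed is either a host to fix or a baseline to formally change.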

Practice least-privilege access control religiously

“Least privilege” is a security maxim. Yet you’ll be hard-pressed to find companies that implement it everywhere they can.

Least privilege involves giving the bare minimum permissions to those who need them to do an essential task. Most security domains and access control lists are full of overly open permissions and very little auditing. The access control lists grow to the point of being meaningless, and no one wants to talk about it because it’s become part of the company culture.


Take Active Directory forest trusts. Most companies have them, and they can be set either to selective authentication or full authentication trust. Almost every trust I’ve audited in the past 10 years (thousands) has been full authentication. And when I recommend selective authentication for all trusts, all I hear back is whining about how hard they are to implement: “But then I have to touch each object and tell the system explicitly who can access it!” Yes, that’s the point. That’s least privilege.

Access controls, firewalls, trusts -- the most secure companies always deploy least-privilege permissions everywhere. The best have automated processes that ask the resource’s owner to reverify permissions and access on a periodic basis. The owner gets an email stating the resource’s name and who has what access, then is asked to confirm current settings. If the owner fails to respond to follow-up emails, the resource is deleted or moved elsewhere with its previous permissions and access control lists removed.
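The owner reverification loop described above can be modelled as a small state machine. This is an added example, not code from the article; the 90-day review interval, weekly reminders, limit of three reminders and all resource names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; the article gives no specific intervals.
REVIEW_INTERVAL = timedelta(days=90)
REMINDER_GAP = timedelta(days=7)
MAX_REMINDERS = 3


@dataclass
class Resource:
    name: str
    owner: str
    acl: dict                      # principal -> access level
    last_confirmed: date
    request_sent: Optional[date] = None
    reminders: int = 0
    quarantined: bool = False


def render_request(res):
    """Build the mail body: the resource's name and who has what access."""
    lines = [f"Resource: {res.name}", "Current access:"]
    lines += [f"  {who}: {level}" for who, level in sorted(res.acl.items())]
    lines.append("Reply with the principals that should keep access.")
    return "\n".join(lines)


def step(res, today, keep=None):
    """Advance one resource by one day and return the action taken.

    keep is the owner's reply: the set of principals to retain, or None if
    the owner has not answered.
    """
    if res.quarantined:
        return "none"
    if res.request_sent is None:
        if today - res.last_confirmed < REVIEW_INTERVAL:
            return "none"
        res.request_sent = today
        return "request-sent"
    if keep is not None:
        # Owner answered: drop every grant the owner did not reconfirm.
        res.acl = {p: lvl for p, lvl in res.acl.items() if p in keep}
        res.last_confirmed, res.request_sent, res.reminders = today, None, 0
        return "confirmed"
    if today - res.request_sent < REMINDER_GAP * (res.reminders + 1):
        return "waiting"
    if res.reminders < MAX_REMINDERS:
        res.reminders += 1
        return "reminder-sent"
    # Follow-ups exhausted: strip the ACL and park the resource.
    res.acl = {}
    res.quarantined = True
    return "quarantined"


def simulate(res, start, days, replies=None):
    """Run step() daily; replies maps a date to the owner's keep-set."""
    replies = replies or {}
    log = []
    for offset in range(days):
        today = start + timedelta(days=offset)
        action = step(res, today, replies.get(today))
        if action not in ("none", "waiting"):
            log.append((today.isoformat(), action))
    return log


if __name__ == "__main__":
    # Constructed resource whose owner never answers.
    share = Resource("finance-share", "dana",
                     {"dana": "owner", "temps": "write"}, date(2016, 1, 1))
    print(render_request(share))
    for entry in simulate(share, date(2016, 3, 25), 40):
        print(entry)
```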

Every object in your environment -- network, VLAN, VM, computer, file, folder -- should be treated the same way: least privilege with aggressive auditing.

Get as near to zero as you can

To do their worst, the bad guys seek control of high-privileged admin accounts. Once they have control over a root, domain, or enterprise admin account, it’s game over. Most companies are bad at keeping hackers away from these credentials. In response, highly secure companies are going “zero admin” by doing away with these accounts. After all, if your own admin team doesn’t have super accounts or doesn’t use them very often, they are far less likely to be stolen or are easier to detect and stop when they are.

Here, the art of credential hygiene is key. This means using as few permanent superadmin accounts as possible, with a goal of getting to zero or as near to zero as you can. Permanent superadmin accounts should be highly tracked, audited, and confined to a few predefined areas. And you should not use widely available super accounts, especially as service accounts.

But what if someone needs a super credential? Try using delegation instead. This allows you to give only enough permissions to the specific objects that person needs to access. In the real world, very few admins require complete access to all objects. That’s insanity, but it’s how most companies work. Instead, grant rights to modify one object, one attribute, or at most a smaller subset of objects.

This “just enough” approach should be married with “just in time” access, with elevated access limited to a single task or a set period of time. Add in location constraints (for example, domain admins can only be on domain controllers) and you have very strong control indeed.

Note: It doesn’t always take a superadmin account to be all powerful. For example, in Windows, having a single privilege -- like Debug, Act as part of the operating system, or Backup -- is enough for a skilled attacker to be very dangerous. Treat elevated privileges like elevated accounts wherever possible.

Delegation -- just in time, just enough in just the right places -- can also help you smoke out the baddies, as they won’t likely know this policy. If you see a superaccount move around the network or use its privileges in the wrong place, your security team will be all over it.

Institute role-based configurations

Least privilege applies to humans and computers as well, and this means all objects in your environment should have configurations for the role they perform. In a perfect world, they would have access to a particular task only when performing it, and not otherwise.

First, you should survey the various tasks necessary in each application, gather commonly performed tasks into as few job roles as possible, then assign those roles as necessary to user accounts. This will result in every user account and person being assigned only the permissions necessary to perform their allowed tasks.

Role-based access control (RBAC) should be applied to each computer, with every computer with the same role being held to the same security configuration. Without specialized software it’s difficult to practice application-bound RBAC. Operating system and network RBAC-based tasks are easier to accomplish using existing OS tools, but even those can be made easier by using third-party RBAC admin tools.

In the future, all access control will be RBAC. That makes sense because RBAC is the embodiment of least privilege and zero admin. The most highly secure companies are already practicing it where they can.

Separate, separate, separate

Good security domain hygiene is another essential. A security domain is a (logical) separation in which one or more security credentials can access objects within the domain. Theoretically, the same security credential cannot be used to access two security domains without prior agreement or an access control change. A firewall, for example, is the simplest security domain. People on one side cannot easily get to the other side, except via protocols, ports, and so on determined by predefined rules. Most websites are security domains, as are most corporate networks, although they may, and should, contain multiple security domains.

Each security domain should have its own namespace, access control, permissions, privileges, roles, and so on, and these should work only in that namespace. Determining how many security domains you should have can be tricky. Here, the idea of least privilege should be your guide, but having every computer be its own security domain can be a management nightmare. The key is to ask yourself how much damage you can live with if access control falls, allowing an intruder to have total access over a given area. If you don’t want to fall because of some other person’s mistake, consider making your own security domain.


If communication between security domains is necessary (like forest trusts), give the least privilege access possible between domains. “Foreign” accounts should have little to no access to anything beyond the few applications, and role-based tasks within those applications, they need. Everything else in the security domain should be inaccessible.

Emphasize smart monitoring practices and timely response

The vast majority of hacking is actually captured on event logs that no one looks at until after the fact, if ever. The most secure companies monitor aggressively and pervasively for specific anomalies, setting up alerts and responding to them.

The last part is important. Good monitoring environments don’t generate too many alerts. In most environments, event logging, when enabled, generates hundreds of thousands to billions of events a day. Not every event is an alert, but an improperly defined environment will generate hundreds to thousands of potential alerts -- so many that they end up becoming noise everyone ignores. Some of the biggest hacks of the past few years involved alerts that were ignored. That’s the sign of a poorly designed monitoring environment.

The most secure companies create a comparison matrix of all the logging sources they have and what they alert on. They compare this matrix to their threat list, matching tasks of each threat that can be detected by current logs or configurations. Then they tweak their event logging to close as many gaps as possible.
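The comparison matrix described above, sketched as an added example that is not part of the original article. The threat list, the event-type names and the log sources are constructed; substitute your own ranked threats and the events your sources actually emit.

```python
# Constructed ranked threat list: each threat is broken into the observable
# steps (event types) that logging could detect.
THREATS = [
    {"rank": 1, "name": "phishing-led credential theft",
     "steps": ["mail.attachment_opened", "process.office_spawns_shell",
               "auth.login_new_location"]},
    {"rank": 2, "name": "password guessing",
     "steps": ["auth.failure_burst", "auth.lockout"]},
    {"rank": 3, "name": "privileged group tampering",
     "steps": ["directory.admin_group_change", "audit.log_cleared"]},
]

# Constructed logging sources: what each one collects and what it alerts on.
LOG_SOURCES = {
    "domain-controllers": {
        "collects": {"auth.failure_burst", "auth.lockout",
                     "directory.admin_group_change"},
        # An alert rule exists for audit.log_cleared, but the event is never
        # collected, so the rule can never fire.
        "alerts_on": {"auth.lockout", "audit.log_cleared"},
    },
    "mail-gateway": {"collects": {"mail.attachment_opened"},
                     "alerts_on": set()},
    "vpn": {"collects": {"auth.login_new_location"},
            "alerts_on": {"auth.login_new_location"}},
    "network-switches": {"collects": {"snmp.link_flap"},
                         "alerts_on": {"snmp.link_flap"}},
}


def coverage_matrix(threats, sources):
    """One row per threat step with status alerting, logged-only or blind."""
    rows = []
    for threat in sorted(threats, key=lambda t: t["rank"]):
        for step in threat["steps"]:
            collecting = sorted(name for name, src in sources.items()
                                if step in src["collects"])
            alerting = [name for name in collecting
                        if step in sources[name]["alerts_on"]]
            if alerting:
                status = "alerting"
            elif collecting:
                status = "logged-only"
            else:
                status = "blind"
            rows.append({"rank": threat["rank"], "threat": threat["name"],
                         "step": step, "status": status,
                         "sources": collecting})
    return rows


def gaps(rows):
    """Steps that would not raise an alert, top threats and blind spots first."""
    order = {"blind": 0, "logged-only": 1}
    open_rows = [r for r in rows if r["status"] != "alerting"]
    return sorted(open_rows, key=lambda r: (r["rank"], order[r["status"]]))


def unmapped_alerts(threats, sources):
    """Alerts tied to no threat on the list: candidates for noise reduction."""
    wanted = {step for t in threats for step in t["steps"]}
    return sorted((name, event) for name, src in sources.items()
                  for event in src["alerts_on"] if event not in wanted)


if __name__ == "__main__":
    for row in gaps(coverage_matrix(THREATS, LOG_SOURCES)):
        print(f"#{row['rank']} {row['threat']}: {row['step']} is {row['status']}")
    print("alerts with no threat behind them:",
          unmapped_alerts(THREATS, LOG_SOURCES))
```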

More important, when an alert is generated, they respond. When I am told a team monitors a particular threat (such as password guessing), I try to set off an alert at a later date to see if the alert is generated and anyone responds. Most of the time they don’t. Secure companies have people jumping out of their seats when they get an alert, inquiring to others about what is going on.

Practice accountability and ownership from the get-go

Every object and application should have an owner (or group of owners) who controls its use and is accountable for its existence.

Most objects at your typical company have no owners, and IT can’t point to the person who originally asked for the resource, let alone know if it is still needed. In fact, at most companies, the number of groups that have been created is greater than the number of active user accounts. In other words, IT could assign each individual his or her own personal, custom group and the company would have fewer groups to manage than they currently have.

But then, no one knows whether any given group can be removed. They live in fear of deleting any group. After all, what if that group is needed for a critical action and deleting it inadvertently brings down a mission-dependent feature?

Another common example is when, after a successful breach, a company needs to reset all the passwords in the environment. However, you can’t do this willy-nilly because some are service accounts attached to applications and require the password to be changed both inside the application and for the service account, if it can be changed at all.

But then no one knows if any given application is in use, if it requires a service account, or if the password can be changed because ownership and accountability weren’t established at the outset, and there’s no one to ask. In the end, this means the application is left alone because you’re far more likely to get fired for causing a critical operational interruption than you are letting a hacker stay around.

Prioritize quick decisions

Most companies are stunted by analysis paralysis. A lack of consistency, accountability, and ownership renders everyone afraid to make a change. And the ability to move quickly is essential when it comes to IT security.

The most secure companies establish a strong balance between control and the ability to make quick decisions, which they promote as part of the culture. I’ve even seen specialized, hand-selected project managers put on long-running projects simply to polish off the project. These special PMs were given moderate budgetary controls, the ability to document changes after the fact, and leeway to make mistakes along the way.

That last part is key when it comes to moving quickly. In security, I’m a huge fan of the “make a decision, any decision, we’ll apologize later if we need to” approach.

Contrast that with your typical company, where most problems are deliberated to death, leaving them unresolved when the security consultants who recommended a fix are called in to come back next year.

Have fun

Camaraderie can’t be overlooked. You’d be surprised by how many companies think that doing things right means a lack of freedom -- and fun. For them, hatred from co-workers must be a sign that a security pro is doing good work. Nothing could be further from the truth. When you have an efficient security shop, you don’t get saddled with the stresses of constantly having to rebuild computers and servers. You don’t get stressed wondering when the next successful computer hack comes. You don’t worry as much because you know you have the situation under control.

I’m not saying that working at the most secure companies is a breeze. But in general, they seem to be having more fun and liking each other more than at other companies.

Get to it

The above common traits of highly secure companies may seem commonsense, even long-standing in some places, like fast patching and secure configurations. But don’t be complacent about your knowledge of sound security practices. The difference between companies that are successful at securing the corporate crown jewels and those that suffer breaches is the result of two main traits: concentrating on the right elements, and instilling a pervasive culture of doing the right things, not talking about them. The secret sauce is all here in this article. It’s now up to you to roll up your sleeves and execute.

HPE looks to move data between computers at the speed of light


Hewlett Packard Enterprise shows an optical module that can transfer data at 1.2 terabits per second


Hewlett Packard Enterprise is turning to lights and lasers in thin fiber optics as a way to move data at blazing speeds between computers, replacing thicker and slower copper wires.

A motherboard with an optical module, shown by HPE at its recent Discover show, could transfer data at a staggering 1.2 terabits per second. That's enough for the transfer of a full day's worth of HD video in one second.

The data transfer speed is much quicker than any existing networking and connector technology based on copper wires today. It could replace copper Ethernet cables that are widely used in data centers.

Copper wires are also used in connector cables for ports in laptops and desktops, but this optical technology may not come to PCs anytime soon. But just for comparison's sake, the speed of HPE's optical technology far outpaces USB 3.1, which can transfer data at 10 gigabits per second, and Thunderbolt 3, which tops out at 40Gbps.

HPE calls its photonics chip module X1, and it is still in early testing. In the future, attaching a fiber optic cable to computers will be as easy as attaching Ethernet cables, said Michael McBride, director at HPE's silicon design lab.

Ultimately, the connector technology and cables will be used in The Machine, HPE's new server design that focuses on processing by using storage and memory.

The transfer range of X1 is about 30 to 50 meters. HPE also showed off other silicon photonics technology that can transfer data at distances up to 50 kilometers at 200Gbps (bits per second).

Light is already being used as a long-range data transfer mechanism in large telecommunications networks. Intel is also working on silicon photonics modules and is expected to ship them later this year. It isn't clear if HPE is working with Intel on its technology.

Intel's Thunderbolt connector is available via optical fibers, though it isn't as cheap as copper wires.

The optical cables will solve a bandwidth problem for servers. There is a growing influx of data to servers, which need more bandwidth to communicate. While copper wires are largely meeting the bandwidth requirements today, faster optical cables are the next logical upgrade.

HPE will implement optical technology at the rack levels. In the future, the rack may be one giant server with processing, memory, and storage separated into different boxes. Optical communication is an important driver in the switch to a new server architecture.

The optical fibers are cheaper to implement in data centers than in some other environments, McBride said. One optical cable will replace a whole bunch of copper wires and provide throughput benefits.

The current optical cables use multiple wavelengths of light to transfer data.

Saturday, June 18, 2016

How to Set Up Your Wireless Router in 7 Steps


Modern router manufacturers have made home wireless routers easier for non-technical consumers to hook up. Newer models come with colour-coded ports, making it very easy for home users to connect the necessary cables.

Furthermore, setup is simplified by a basic default configuration.

So the lights on the wireless router are on, and you are able to surf the internet. Great, but the router isn't being fully utilised: you are missing out on all the additional security features that protect your home network.

The following are the simplest steps to get it up and running properly - without much effort.

1. Have you bought your router yet?

Besides your home computer, this is the other important element to your home IT equipment - and you will need it.

If you have not bought one, you could read forums or technology websites for wireless router comparisons. Depending on the age of your router and its features, you may need to upgrade it immediately, because some older routers only support WEP encryption, which is no longer secure.

So you received yours from your Internet Service Provider. Good deal, wasn't it? Just a word of caution - the majority of routers provided for free aren't really rich in features.

The advanced routers will have features such as automated selection of fastest available frequency bands for each device, and optimization of internet connection.

We urge you to consider purchasing your own router. Two that we highly recommend are the Asus RT-AC5300 and the Asus RT-AC68U. Their prices may be on the higher side, but either would be a very fine one-time investment. Imagine your family members using the same internet connection without any slowness.

2. Tap into the network

Perfect! Now you have your router and you are ready to get it hooked up, aren't you? Just follow the instructions below:


  • Turn off your old modem
  • Remove the Ethernet cable from your computer (the same cable connected to your modem)
  • Now, plug that cable into the internet port on your new router
  • Turn on your modem, and wait for about two minutes or so
  • Turn on your new router, and then wait for another two minutes for it to boot up
  • Get another Ethernet cable and hook it up into your computer's network port
  • Now, plug in the other end of the same Ethernet cable to the router's LAN port
  • Power on your computer


By default, almost all wireless routers should be able to perform the setup automatically for you. If the steps are followed precisely, you should now be able to reach Google or any other website.

3. Enter the mind of your wireless router

Once the connection is established, and the internet is up and running on your computer - you can finally rub your hands and command your router to do more.

Most routers are managed through a web browser at a default IP address, so we suggest that you look up the router's instruction manual to get hold of that crucial information.

Once you have located it, you can proceed with the following steps:


  • Open your browser - it can be any browser
  • Key in your router's default IP address into the address bar, and then press Enter
  • It will prompt you for your administrator's username and password. Don't panic - it's all documented in its manual.
  • Supply the credentials, and then press Enter.

And there you go - you are inside your wireless router's mind now.

4. Change your router's password

Before you start exploring the different configurations available, the first thing you need to do is to change your wireless router's password.

Although it may be obvious to a few, you will be surprised at the number of people who don't do this at all. Look in your instruction manual; it should have a section showing you where to change the password.

5. Firmware update

Regardless of the age of the router, it's always good practice to update its firmware, because an update addresses issues that the router may currently have.

Again, check your manual for the instructions, because this process varies.

6. Managing IP Addresses

DHCP stands for Dynamic Host Configuration Protocol. Never mind the jargon. By default, your wireless router should be set to this mode.

Basically, DHCP manages the pool of IP addresses on your network. Your wireless router uses the given IP address to find your computer and then route the network traffic accordingly.

If your computer or any other device doesn't have an IP address, it will send a request to the router to provide one. Your wireless router will then pull an IP address from its pool (also known as a scope) and assign it to your device.

Your wireless router can also assign a range of fixed IP addresses (Static) to devices, such as your printer. If you prefer to use this method, then follow these steps:


  • Log in to your router's console (as mentioned above)
  • Search for LAN Setup
  • Assign a range of IP addresses for your router to use
  • If you would like to assign 15 IP addresses to your wireless router's scope, and assuming that your router's IP address is 192.168.1.1 - you would set the starting address as 192.168.1.2 and the ending address to 192.168.1.16.


7. Activate your Wi-Fi Connection

Now that you're done with the necessary configuration (and also the hardest part), you can begin to set up your wireless network. It's a simple process and will only take a couple of minutes of your time.

First things first, hook up your computer to your wireless router. You don't want to lose your connection when changes are made to the settings.

Okay, good. Let's proceed to the final steps:


  • Login to your router's console, and search for the section labelled Wireless Setup.
  • Enable the wireless network (if it hasn't been enabled yet). If you're using a dual-band wireless router, you will see two configuration settings for 5 GHz and 2.4 GHz. You will need to configure them separately.
  • Next, you should be able to see the Channel setting. Ensure that it's configured to Auto.
  • Change the SSID (the technical term for a network name) to something you prefer, and don't leave it at the default. It's up to you, really.
  • Set the encryption - it's very important that you do so. Go through the list of encryption options and choose WPA2-PSK [AES], because it offers the tightest level of wireless security.
  • Once you've selected your option, you will need to assign a Password to it. As a rule of thumb, your password should consist of both lowercase and uppercase letters, along with numbers and special characters.
  • A random mix of characters is absolutely the best. For example - ae!%3782@au. Be sure you keep your password somewhere safe.

And there you go! Your wireless router should now be online and in working condition. You can try to connect some devices to it and do some surfing.
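The password rule from step 7, as an added example that is not part of the original article: a Python sketch that generates a random WPA2-PSK passphrase with the operating system's secure random source and checks any candidate against the rule of thumb above. The symbol set and the 20-character default are assumptions; the 8 to 63 printable-ASCII limit is the WPA2-PSK passphrase format.

```python
import math
import secrets
import string

# WPA2-PSK accepts passphrases of 8 to 63 printable ASCII characters.
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63

# Symbol set is an assumption: quotes, backslash and space are left out
# because some router web forms handle them badly.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS


def check_passphrase(candidate):
    """Return a list of problems with a candidate passphrase (empty list = OK)."""
    problems = []
    if not WPA2_MIN_LEN <= len(candidate) <= WPA2_MAX_LEN:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in candidate):
        problems.append("contains non-printable or non-ASCII characters")
    # The article's rule of thumb: lowercase, uppercase, numbers, characters.
    required = (
        ("lowercase letter", str.islower),
        ("uppercase letter", str.isupper),
        ("digit", str.isdigit),
        ("symbol", lambda ch: not ch.isalnum()),
    )
    for name, matches in required:
        if not any(matches(ch) for ch in candidate):
            problems.append("missing " + name)
    return problems


def generate_passphrase(length=20):
    """Draw characters from the OS CSPRNG until every class is present.

    Redrawing the whole string (rather than patching in a missing class)
    keeps every acceptable passphrase equally likely.
    """
    if not WPA2_MIN_LEN <= length <= WPA2_MAX_LEN:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 characters long")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate


def entropy_bits(length):
    """Upper bound on entropy for a passphrase of this length from ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    passphrase = generate_passphrase()
    print("Generated passphrase:", passphrase)
    print("Approximate entropy: %.0f bits" % entropy_bits(len(passphrase)))
    # The sample printed in the article is public, so it must never be used
    # as a real password; it also fails the article's own rule of thumb.
    print("Article sample:", check_passphrase("ae!%3782@au"))
```
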

Friday, June 17, 2016

Google Rolls Out Its Gboard Keyboard App for iPhone to More Countries


Google's Gboard keyboard app for iPhone on Thursday began rolling out more widely, reaching Australia and the United Kingdom. The company also plans to launch the app in India soon. 

Version v1.0.1 of Gboard is now listed on the App Store, and it features bug fixes and performance improvements. To recall, Gboard was first introduced for iPhone users in the US in May, ahead of Google I/O 2016, only in English US.

Gboard now supports English UK, English AU, English CA, and English IN, and Google said it is planning on adding support for more languages in future versions.

The iPhone keyboard app from Google raised eyebrows across the world when it launched last month, with the app placing the power of Google's search in the keyboard, allowing users to quickly insert information, GIFs, and emojis without leaving the conversation.

Gboard features a Google search icon on the top left of the keyboard screen. Once the G icon is pressed, users can search for addresses, flights, and even YouTube videos, and link to them in their chat, social, and email conversations. 

Users can also search for emojis by typing into the Gboard search bar. The relevant emoji pops up as a suggestion, and one can just send it without having to scroll through the numerous emojis to find the perfect one. It even lets you search for GIFs as well.

The keyboard also supports glide typing, letting you type words by sliding your finger from key to key instead of tapping. There is still no word on when the company plans to launch the app for Android users and other iPhone users globally.

Hackers Sell Access to Over 3,400 Servers in India: Kaspersky


Russian-speaking cybercriminals are selling access, password and other details of about 3,488 compromised servers in India for as low as USD 6, a report by cyber-security firm Kaspersky said Thursday.

"Kaspersky Lab researchers have investigated a global forum where cybercriminals can buy and sell access to compromised servers for as little as $6 each," the report said.

The hackers' trading platform, the xDedic marketplace, is said to be run by a Russian-speaking group and currently lists 70,624 hacked Remote Desktop Protocol (RDP) servers for sale, it added.

"India ranks fourth in hacked servers with 3,488 compromised servers listed on xDedic as of May 2016. Many of the servers host or provide access to popular consumer websites and services and some have software installed for direct mail, financial accounting and Point-of-Sale (PoS) processing," the report said.

The report said that the access can be used by cybercriminals to target the owners' infrastructures or as a launch-pad for wider attacks, while the owners, including government entities, corporations and universities, are left in the lurch.

A European Internet service provider (ISP) alerted Kaspersky Lab to the existence of xDedic and the companies worked together to investigate how the forum operates.

The hackers on xDedic are offering access to a wide range of servers, including those of government networks, corporations and universities, and servers tagged for gaming, betting, dating, online shopping, online banking and payment, cell phone networks and browsers, it said.

Microsoft Becomes the First Big Tech Company to Get Into the Legal Weed Industry


America's burgeoning weed industry just seems to be climbing higher.

Tech giant Microsoft announced Thursday it is partnering with a cannabis industry-focused software company called Kind Financial. The company provides "seed to sale" services for cannabis growers, allowing them to track inventory, navigate laws, and handle transactions all through Kind's software systems. The partnership marks the first major tech company to attach its name to the burgeoning industry of legal marijuana.

While most big tech companies have been shy to get involved, tech startups have been flocking to the up-and-coming pot trade, which is fully legal for both recreational and medical purposes in five states. The weed industry's specific needs for data tracking to optimize plant growth and other logistics, as well as its booming market potential, make it well-suited for tech partnerships. "Nobody has really come out of the closet, if you will," said Matthew Karnes, the founder of marijuana data company Green Wave Advisors, to The New York Times. "It's very telling that a company of this caliber is taking the risk of coming out and engaging with a company that is focused on the cannabis business."

This hesitancy comes from the still murky legal status of marijuana in most of the country. Marijuana is still illegal nationwide, and the risk of crackdowns where federal and state laws contradict has discouraged many banks from working with marijuana businesses. There are also risks in taking a weed business across state lines where it could have a different legal standing. And there's always the danger that a change in government leadership, say with a changing Presidential administration, could result in a backtracking of relaxed weed laws.

Then there is the potentially negative association. "[My company] has stayed away from investing in the cannabis industry because it's like investing in the porn industry," said Zach Bogue, a venture capital investor. "I'm sure there's a lot of money to be made but it's just not something we want to invest in."

Allen St. Pierre, Executive Director of National Organization for the Reform of Marijuana Laws (NORML), sees marijuana software and Microsoft as a natural pairing. "If you are trying to go big macro strategy at a company like Microsoft, and you want a super diverse portfolio, and you're located largely in a place where you can visibly see the marijuana commerce happening, and of course maybe your employees and others are engaged in that commerce, why wouldn't the company invest in it?" he said.

He adds that he believes Microsoft's association with legal weed will ultimately be helpful in the legalization effort. (Microsoft is based in Redmond, Washington, a state that has legalized marijuana for recreational use.) The legitimacy it lends will make it easier for marijuana producers to go about business, he said, citing growers who see their ad dollars refused by corporations who don't want to be associated with the substance. "Having a brand name like Microsoft will definitely catch people's attentions," he said.

He also thinks the partnership could have an effect on legislation. "Microsoft has a leviathan [lobbying] effort up here in Washington [D.C.]," he said. "One of the things that has been really interesting to see is how the focus is becoming not so much about legalization per se, that's almost become a bugaboo word up on the Hill, but just focusing in on these commerce reforms, for example to allow banks to handle this trade...they lobby hard for that stuff on the Hill right now and to have a Microsoft weigh in saying, we want to be part of that commerce, can only buoy those efforts."

St. Pierre notes that Kind, which is never directly involved in growing, testing, or selling marijuana, is typical for the kind of companies cropping up around lobbying efforts and gaining financial traction. These ancillary companies that provide services around the actual moving of product are legally much easier to handle.

"The fact that one is engaged in their minds in quite legal commerce, one where lawyers are saying, sure you can set up software to track it, you can set up a web page that shows pretty pictures of marijuana and rate it, or get coupon discounts, etc.," he said. "Compared to the other side of the issue, where you're growing it, transporting it, you're selling it, and you're actually touching it, the lawyering they get is...more schizophrenic." These actual producers, he adds, are the most legally vulnerable.

Still, St. Pierre is thrilled at the partnership. "Ten years ago, twenty years ago, if you were saying, I have a software and I'm hoping to track marijuana sale, you and I would be in a RICO conspiracy. So that speaks to how much has changed, and how today what's heralded in a newswire as a big partnership, years ago would have put you in federal prison," he said.

WatchOS 3 Offers New Hope for Smartwatch Category


Apple finally responded to concerns that were threatening to scuttle its once-promising wearables category. Its introduction of watchOS 3 at this week's WWDC has drawn high praise.

The Apple Watch represented the company's attempt to marry the ultimate Dick Tracy smart gadget with the genius of the iPhone, but it fell short. Instead of a convenience, it was more like an extra iPhone appendage -- and one that was far too slow and complicated for many consumers to navigate.

WatchOS 3 is a "significant and welcome upgrade" of the Apple Watch's previous capabilities, said Jitesh Ubrani, senior research analyst at IDC, who noted that the product was in need of improvements in performance and user interface.

"The notion of a smartwatch is new and somewhat foreign to most consumers," he told the E-Commerce Times. "In watchOS 3, Apple is bringing familiar concepts from iOS -- such as the control center and app dock -- to the small screen, and that will help lower the learning curve while alleviating some concerns of potential Watch owners."


Need for Speed

The two biggest concerns Apple Watch users and developers had expressed were difficulty in navigating buttons to get to apps and slow loading. The updated operating system addresses these shortcomings.

During the WWDC event in San Francisco, Kevin Lynch, vice president of technology at Apple, demonstrated a professional soccer app, OneFootball, which loaded about seven times faster in the new operating system than in watchOS 2.

Apple has made several key changes to the way native and third-party apps are stored and navigated in the update. They are easier to find, and they load faster. Favorite apps are kept in memory, supporting background updates with data and regularly refreshing information.

Responding to messages is simpler. Users can reply to incoming messages with a new feature called "Scribble," which allows them to write letters on the watch screen and have them converted into text to create an automated reply.

Customers using the watch to monitor health and fitness can set up five workout metrics, including distance, pace, active calories, heart rate and elapsed time, without the need for an extra swipe of the screen.

Users also can make secure payments within apps using Apple Pay directly from the watch.

OS Errors

Developers consider the latest version of the watchOS update as "watchOS 1.0" -- that is, the first stable, feature-complete Apple Watch operating system, said Tim Anglade, vice president, product at Realm.

Still, there are lingering, significant concerns related to the device hardware, which likely will give developers pause, he told the E-Commerce Times.

Issues such as weak battery life, the continued need to connect through the iPhone, and direct access to communication layers must be addressed before the category can reach its true potential, Anglade said.

It's also weak from a financial perspective, he added, "with no clear monetization path for developers, who spend the extra development cycles making watch apps."

Despite the shortcomings of the earlier OS releases, Apple Watch ended 2015 as the dominant product in the global smartwatch category, according to Juniper Research.

Apple Watch owned 52 percent of the smartwatch market share in 2015, even though its initial launch took place in April, the firm reported early this year.

Samsung's Tizen, a well-regarded competitor, was unable to make a major dent in Apple's market share following its fall 2015 release, Juniper found. Overall, Android Wear watches controlled only about 10 percent of the category.

However, the fact that Apple introduced so many significant changes to the smartwatch operating system shows the company understands there is work to do, Ian Fogg, head of mobile analysis at IHS Technology, told the E-Commerce Times. It realizes that developers and consumers have not quite embraced the category to the fullest.

Sun-powered phone charger gives migrants in Greece free electricity




For refugees and migrants stuck in Greece, a smartphone is a lifeline -- as long as its battery lasts.

But access to electricity can be hard to find in overcrowded camps, nor is it always free in cafes where young and old crowd together over a socket, waiting anxiously to phone home.

A team of students from Edinburgh University is hoping to change that, having designed a mobile phone charging station powered only by the sun -- something Greece has plenty of.

They have installed two units in camps, each configured to generate electricity for 12 plugs an hour using solar energy alone, providing free power to as many as 240 people per unit each day.

The idea was born out of a visit last summer by one of the founders, 20-year-old Alexandros Angelopoulos, to the island of Samos, one of the entry points into Europe for nearly a million people fleeing wars and poverty in the Middle East and beyond.

Hundreds arrived on its shores each day, soaked and exhausted from clinging onto rubber boats from Turkey. Relieved to have made it, they snapped selfies. Others logged on to messaging applications and Google Maps to plan their onward journey to northern Europe.

"People started asking for my phone to call family and to use the internet," Angelopoulos said. Often, they were stranded at the port sharing one plug.

"We just wanted to make a positive contribution to local communities through renewable energy," said co-founder Samuel Kellerhals, 21.

The first two units of Project Elpis -- which means "hope" in Greek -- were designed and built with the help of Greek solar technology company Entec. The pair said they had to overcome red tape along the way.

"Initially it was quite difficult. Everything in Greece is quite bureaucratic," Angelopoulos said.

Now, another three units are in the works with money raised through crowdfunding, a method of generating funds from a large number of people via the internet. Its founders hope to reach as many of the dozens of camps around Greece as possible.

At the Kara Tepe camp on Lesbos where the first unit was installed, authorities and residents are thrilled.

"I told them -- you should've brought it yesterday and not one, but four," said Stavros Miroyannis, who manages the camp for families which is run by the local municipality.

"They've promised me three more and I'm expecting them with great pleasure."

Miroyannis hopes to one day power the entire site using solar energy. Solar panels have already replaced street lamps.

"This is a gift from God," he said, pointing to the blazing sun.

Flaws open Cisco small-business routers, firewalls to hacking


Attackers can take control of the affected devices by sending specifically crafted HTTP requests to them


Three models of Cisco wireless VPN firewalls and routers from the small business RV series contain a critical unpatched vulnerability that attackers can exploit remotely to take control of devices.

The vulnerability is located in the Web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router and RV215W Wireless-N VPN Router.

It can be easily exploited if the affected devices are configured for remote management since attackers only need to send an unauthenticated HTTP request with custom user data. This will result in remote code execution as root, the highest privileged account on the system, and can lead to a complete compromise.

Cisco Systems warned about the vulnerability in a security advisory Wednesday, but no patches are yet available. The company plans to release firmware updates that will address this flaw on affected models sometime in the third quarter of 2016.

Worse yet, this is not the only unpatched vulnerability that exists in these three Cisco devices. The company also warned of a medium-severity, cross-site scripting (XSS) flaw and two medium-risk buffer overflows that could result in denial-of-service conditions.

While exploiting the buffer overflows requires attackers to have an authenticated session in the device's Web-based interface, the XSS flaw can be triggered by tricking authenticated users into clicking on specifically crafted URLs.

"A successful exploit could allow the attacker to execute arbitrary script in the context of the web-based management interface for the device or allow the attacker to access sensitive browser-based information," Cisco said in an advisory.

The XSS flaw makes it difficult for users to find a mitigation strategy in the absence of patches, because it can be combined with the other vulnerabilities. For example, if users disable external management in their devices in order to protect them from the critical vulnerability, the devices will still be exposed through the cross-site scripting flaw.

Facebook Messenger overhaul planned


Facebook Messenger has changed quite significantly since David Marcus took over the lead role two years ago. And more changes are planned.

Marcus said, in an interview with TIME, that Messenger will "look a whole lot different" by the end of the year. The messaging service has two major goals: to serve up useful info at the right time with context, and to make it easier for users to communicate.

He said that the service has embraced voice calls and video calls, but added that the team is intrigued by the next form of real-time communications. All he would give away on this is that we'll find out soon enough. He also noted that the team is looking to make the photo sharing side of Messenger great.

When asked why messaging apps have become the focus for many companies in Silicon Valley, Marcus responded that the capabilities of smart devices and operating systems have evolved significantly of late. He added, "As a result you can build compelling experiences inside messaging apps that solve a lot of the real problems."

Marcus isn't giving away too much just yet about the future of Messenger, but changes are coming. And it seems like we'll hear more about them very soon.

Biometric exit technology testing at Atlanta International Airport


The U.S. Customs and Border Protection (CBP) service kicked off another pilot project today at the Hartsfield-Jackson Atlanta International Airport to see how facial recognition technology can work with existing agency IT systems, according to FCW.

According to the CBP, it will be testing the technology on passengers between 14 and 79 years old, who are leaving the airport on a single daily flight to Japan. The trial will test how well CBP’s systems work with the facial comparison technology needed to process images of travelers leaving the U.S.

Travelers will present their boarding passes while a digital photo is taken. The process should take less than three seconds and not slow down the boarding process.

The digital images of travelers will be compared and held in secure CBP data systems for post-departure analysis. Travelers who travel with a U.S. passport will not have their data retained for the purposes of this test once it is confirmed they are the true document holder. The test data will be deleted after the evaluation of the test. CBP remains committed to protecting the privacy of all travelers.

“As CBP works towards deploying a comprehensive biometric exit system, it is important that we continue to test available technology and our systems capabilities,” said John Wagner, deputy executive assistant commissioner, Office of Field Operations. “Our goal remains to implement a biometric exit system that conforms with existing standard operating procedures so that the incorporation of biometrics has minimal impact to airlines, airports, and the traveling public.”

Apple to extend Apple Pay to the web this fall


Apple is extending its biometrics-enabled payments service to the web this fall, enabling consumers that use the company’s Safari browser to authorize purchases by touching the iPhone’s fingerprint sensor, just as they do in physical stores, according to a report by Finextra.

Craig Federighi, Apple’s senior vice president, made the announcement Monday in a presentation at the Apple Worldwide Developers Conference in San Francisco.

The new feature will pit Apple against online payments competitor PayPal while helping online retailers to lower the high percentage of abandoned shopping carts.

PayPal — which currently has 14 million active merchant accounts and 170 million active consumer accounts — also has a feature that enables users of certain devices to log into their accounts with a fingerprint reader.

Several businesses have already partnered with Apple for the feature, including Target Corp., United Airlines, Lululemon Athletica Inc. and Etsy Inc.

Starting this fall, customers shopping at participating merchant sites through Safari will see a ‘Pay with Apple Pay’ button at checkout.

Once they click on the button, a message will appear on the screen prompting them to authenticate the purchase via Touch ID on their iPhone or Apple Watch.

In other Apple news, Apple Pay is launching in France, Switzerland and Hong Kong within the coming weeks.

BioConnect biometric ID solution provides secure access to London data center



BioConnect has successfully deployed its BioConnect Identity Platform and Suprema biometric hardware for access control at Netwise Hosting Ltd’s colocation data center facility in London, UK.

The move comes a couple weeks after Suprema launched the BioConnect Identity Platform.

BioConnect’s platform eliminates the need to manage point-to-point integrations as it combines Suprema biometric readers with over 20 access control system providers.

As Netwise Hosting looks to expand its offering with the development of an additional 11,000 square foot data center in London, it selected the BioConnect platform as its access control system because it fulfilled all of its security criteria.

Based on its previous vendor installations, Netwise Hosting decided it required a solution that would allow it to incorporate a greater view of identity with a multi-authentication biometric solution that would seamlessly integrate into Paxton Net2. This prevented any possibility of Netwise having duplicate systems and information for access control.

Suprema biometric devices provided and supported by the BioConnect team now cover all high-security ingress and egress locations throughout Netwise’s data center.

The devices provide the highest level of identity verification as well as flexibility in indoor/outdoor placement and multifactor authentication with card and fingerprint support.

As a result, Netwise was able to have its preferred access control system and multi-authentication biometrics in one single interface for the creation, removal and administration of all users and access zones.

“We chose BioConnect for several reasons, primarily the ability to integrate their system seamlessly with Paxton Net2, but closely followed up by their feature set and quality of the readers themselves,” said Matthew Butt, managing director at Netwise Hosting Ltd. “The almost immediate availability of the product – coupled with their excellent support – meant they really did stand out from the competition.”

Microsoft Buys Wand to Improve Chat Capabilities


The startup will be put to work on implementing Microsoft's 'conversations as a platform' push


Satya Nadella wasn't kidding when he said earlier this year that he believed in using chat as a platform for computing. Microsoft just bought Wand, a chat app for iOS, to further that vision. 

The Wand team will be joining Bing's engineering and platform group, Corporate Vice President David Ku wrote in a post announcing the deal Thursday. The company's team members will be working primarily on Microsoft's push to enable the creation of intelligent chatbots and virtual assistants. 

It's a natural fit for Wand, which had been working since 2013 on apps that let users chat with one another and add outside information from sources like Yelp. Users could share music and let other people access their smart home devices using Wand, too. 

The company had conducted private trials of its service but hadn't released it broadly to consumers.

Wand's features fit well with Microsoft's overall vision for conversational interaction between humans and computers. At Microsoft's Build conference earlier this year, company executives showed off a vision of humans interacting with bots representing businesses in order to complete tasks like booking a hotel room.

Ku called out the Wand team's expertise on a variety of topics, including third-party developer integration, semantics, and conversational interfaces, as reasons for the company to join Microsoft. 


The Wand service will be shut down, CEO Vishal Sharma, a Google veteran, said in a blog post announcing the company's acquisition. However, the acquisition means it's likely that some of the ideas and technology behind Wand will be making the transition to Microsoft.

This is Microsoft's second announced acquisition this week, coming on the heels of plans revealed Monday to buy LinkedIn in a deal worth more than US$26 billion. Under Nadella's leadership, Microsoft has made a slew of acquisitions leading to some significant changes. For example, the purchase of Acompli last year translated into a new Outlook app for iOS and Android