Tuesday, April 30, 2019

Apple suspends another spyware app from App Store

San Francisco: Immediately after spyware-maker Connexxa's infamous app "Assistenza SIM" was caught abusing the iOS enterprise certificate to bypass Apple's App Store guidelines, the iPhone-maker revoked its enterprise certificate, making it un-installable on iOS devices.

Security researchers at the US-based IT security company Lookout revealed that the app could steal contacts, videos, photos and real-time location data from users' devices and tap their phone calls as well, The Verge reported on Monday.

The iOS enterprise certificate, which is otherwise meant "solely for the internal distribution of apps within an organisation", allowed the "Assistenza" app to bypass Apple's App Store review and remain available for download through phishing sites outside the App Store.

Details on exactly how many users were targeted by the app and how much information was accessed remain undisclosed.

In 2018, a version of the app was discovered on Android, where it had root access to the smartphones of several users.

Before the app was brought to Google's notice and removed from the Play Store, the spyware's developers could read Wi-Fi passwords, emails and data from apps such as Facebook, Gmail, WhatsApp, Viber and WeChat.

All this time, the developers disguised the app as a carrier helpline app from Italian and Turkmenistani mobile operators, ostensibly to help users get in touch with their carrier.

Raising questions about Apple's pride in its security measures and App Store policies, a number of illicit apps that use enterprise certificates offer pirated content, porn, gambling and all kinds of other material.

Recently, Facebook drew Apple's attention when it began paying people to install a "Facebook Research" Virtual Private Network, which collected users' private phone and web data without their consent.

Google was also found to have been running a similar programme and in response, Apple briefly revoked the certificate used by Google and Facebook to push updates on their apps, the report added.

Shopify raises FY forecast on demand for e-commerce tools; shares surge

(Reuters) - Shopify Inc raised its 2019 earnings forecast and posted a surprise quarterly profit on Tuesday on strong demand for its software that helps retailers sell goods online, sending its shares up 7 percent to a record high.
The company has stepped up its spending to stay ahead in a competitive market by launching a new line of point-of-sale hardware and plans to roll out Shopify Pay to rival Alphabet Inc’s Google Pay and Apple Inc’s payments services.
Shopify, founded a little over a decade ago as an online store to sell snowboard equipment, makes its money by charging online merchants a monthly fee for using its technology and helping them run their online businesses.
The company, which counts Kylie cosmetics, Nestle SA and Unilever Plc among its 800,000 customers, also hopes to boost its merchant database under its premium “Shopify Plus” offering.
The Ottawa-based company said it now expects full-year adjusted operating income of $20 million to $30 million, above the $10 million to $20 million it forecast earlier.
Revenue is expected in the range of $1.48 billion to $1.50 billion, also above the $1.46 billion to $1.48 billion it estimated earlier.
However, net loss widened to $24.1 million from $15.9 million a year earlier, as costs surged 50 percent to $216.1 million.
Excluding items, the company earned 9 cents per share, compared with a loss of 5 cents estimated by analysts, according to IBES data from Refinitiv.
Revenue for the quarter rose to $320.5 million, beating estimates of $309.4 million.

Microsoft tells IT admins to nix 'obsolete' password reset practice

The company now says forcing users to routinely reset passwords at pre-set time intervals doesn't work as well as other security options.


Microsoft last week recommended that organizations no longer force employees to come up with new passwords every 60 days.
The company called the practice - once a cornerstone of enterprise identity management - "ancient and obsolete" as it told IT administrators that other approaches are much more effective in keeping users safe.
"Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value," Aaron Margosis, a principal consultant for Microsoft, wrote in a post to a company blog.
In the latest security configuration baseline for Windows 10 - a draft for the not-yet-in-general-release "May 2019 Update," aka 1903 - Microsoft dropped the idea that passwords should be frequently changed. The Windows security configuration baseline is a massive collection of recommended group policies and their settings, accompanied by reports, scripts and analyzers. Previous baselines had advised enterprises and other organizations to mandate a password change every 60 days. (And that was down from an earlier 90 days.)
No longer.
Margosis acknowledged that policies to automatically expire passwords - and other group policies that set security standards - are often misguided. "The small set of ancient password policies enforceable through Windows' security templates is not and cannot be a complete security strategy for user credential management," he said. "Better practices, however, cannot be expressed by a set value in a group policy and coded into a template."
Among those other, better practices, Margosis mentioned multi-factor authentication - also known as two-factor authentication - and banning weak, vulnerable, easily-guessed or frequently revealed passwords.
Microsoft is not the first to doubt the convention.
Two years ago, the National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, made similar arguments as it downgraded regular password replacement. "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)," NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, "Digital Identity Guidelines," using the term "memorized secrets" in place of "passwords."
Then, the institute had explained why mandated password changes were a bad idea this way: "Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password."
Both the NIST and Microsoft urged organizations to require password resets when there is evidence that the passwords had been stolen or otherwise compromised. And if they haven't been touched? "If a password is never stolen, there's no need to expire it," Microsoft's Margosis said.
"I agree 100% with Microsoft's logic for enterprises, which are who uses [group policies] anyway," said John Pescatore, the director of emerging security trends at the SANS Institute. "Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it."
Like Microsoft and NIST, Pescatore thought periodic password resets are the hobgoblins of little minds. "Having [this] as part of the baseline makes it easier for security teams to claim compliance, because auditors are happy," Pescatore said. "Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. Great example of how compliance does not equal security."
Elsewhere in the Windows 10 1903 draft baseline, Microsoft also dropped policies for the BitLocker drive encryption method and its cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill ("Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future," Margosis of Microsoft contended), and it could easily degrade device performance.
Microsoft also asked for feedback on another proposed change that would dump the forced disabling of Windows' built-in Guest and Administrator accounts. "Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled," Margosis said. "Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed."
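The guidance quoted above (no arbitrary expiry, reset on evidence of compromise, ban weak passwords, and reject the "common transformations" NIST describes) can be expressed as a small policy check. This is an added example, not code from the article, Microsoft or NIST; the banned list and the transformation rules are constructed illustrations.

```python
# Added example: a password-change policy in the spirit of the NIST / Microsoft
# guidance quoted in the article. Not vendor code; rules are illustrative.
import re
from datetime import date

# Constructed banned list; a real deployment would use a large breached-password set.
BANNED = {"password", "password1", "welcome1", "summer2019", "letmein"}


def normalize(pw: str) -> str:
    """Collapse the common transformations NIST mentions: case changes,
    trailing digit/symbol bumps, and simple leet substitutions."""
    s = pw.lower()
    s = re.sub(r"[\d!@#$%^&*._-]+$", "", s)  # drop the "Winter2018!" -> "Winter2019!" tail
    return s.translate(str.maketrans({"0": "o", "1": "i", "3": "e",
                                      "4": "a", "5": "s", "@": "a", "$": "s"}))


NORMALIZED_BANNED = {normalize(p) for p in BANNED}


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new secret is only a cosmetic transformation of the old one."""
    return normalize(old) == normalize(new)


def check_new_password(old: str, new: str) -> str:
    """Decide whether a proposed replacement password is acceptable."""
    if len(new) < 8:
        return "reject: too short"
    if normalize(new) in NORMALIZED_BANNED:
        return "reject: banned"
    if is_trivial_variant(old, new):
        return "reject: variant of old"
    return "ok"


def reset_required(last_changed: date, today: date, compromised: bool,
                   max_age_days=None) -> bool:
    """Compromise evidence always forces a reset; a calendar limit applies only
    if one is configured (the 1903 draft baseline sets none)."""
    if compromised:
        return True
    return max_age_days is not None and (today - last_changed).days > max_age_days
```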

A deep learning tool for personalized workout recommendations from fitness tracking data

Computer scientists at the University of California San Diego have developed FitRec, a recommendation tool powered by deep learning, that is able to better estimate runners' heart rates during a workout and predict and recommend routes. The team will present their work at the WWW 19 conference May 13 to 17 in San Francisco.


Researchers trained FitRec on a dataset of more than 250,000 workout records for more than 1,000 runners. This allowed computer scientists to build a model that analyzed past performance to predict speed and heart rate given specific future workout times and routes.
FitRec also is capable of identifying important features that affect workout performance, such as whether a route has hills and the user's level of fitness. The tool can recommend alternate routes for runners who want to achieve a specific target heart rate. It also is capable of making short-term predictions, such as telling runners when to slow down to avoid exceeding their desired maximum heart rate.
The team was able to develop the tool partly because they were among the first to collect and model a massive fitness dataset for academic research. But developing FitRec was no easy feat: the dataset contains a huge number of workout records but only a small number of data points per individual.
"Personalization is crucial in models of fitness data because individuals vary widely in many areas, including heart rate and ability to adapt to different exercises," said Julian McAuley, a professor in the Department of Computer Science and Engineering at UC San Diego.
"The main challenge in building this type of model is that the dynamics of heart rates as people exercise are incredibly complex, requiring sophisticated techniques to model," researchers added.
To build an effective model, computer scientists needed a tool that uses all of the data to learn but at the same time can learn personalized dynamics from a small number of data points per user. Enter a deep learning architecture called long short-term memory networks (or LSTM), which the researchers adapted to capture the individual dynamic behaviors of each user in the dataset.
Researchers fed the networks a subset of a public dataset from endomondo.com, an app and website that function as a workout diary. After cleaning up the data, researchers wound up with more than 100,000 workout records to train the networks.
They validated FitRec's predictions by comparing them with existing workout records that were not part of the training dataset.
In the future, FitRec could be trained to include other data, such as the way users' fitness levels evolve over time, to make its predictions. The tool could also be applied to more complex recommendation routes, for example safety-aware routes.
But in order for the tool to be used in commercial fitness apps, researchers would need to have access to more detailed fitness tracking data and deal with various data quality issues.

Meet the Indian-American couple who stand to make $2 billion from the Syntel-Atos deal

Syntel co-founders, Bharat Desai and his wife Neerja Sethi, have seen their rankings dive on the Forbes Richie Rich lists in the past few years. Desai, who was ranked the richest Indian-American in the World Billionaires list in 2014, came in at No. 1999 in the 2018 rankings. Similarly, Sethi ranked 21st on the magazine's list of America's 60 self-made richest women, down from rank 14 in 2015.
But with the couple recently selling Syntel to French technology services major Atos SE for $3.4 billion, their fortunes are going to see a sharp turnaround. According to The Times of India, they jointly held a 57 per cent stake in the company, which means that they will walk away with nearly $2 billion from the all-cash deal expected to close by the end of this year. That's a pretty impressive way to end a journey that Desai and Sethi embarked on 38 years ago, when they started Syntel from their apartment in Troy, Michigan.
Kenya-born Desai, who grew up in India and graduated from IIT-Bombay, reportedly moved to the US in 1976 as a programmer for Tata Consulting Services. After working there briefly, he went on to pick up an MBA degree from the University of Michigan. It was here that he met Sethi and the duo decided to start an IT company while they were still studying.
At an entrepreneur event in 2013 in Delhi, Desai reportedly said that "I always wanted to run a business of my own. I was a horrible employee and could not live by anybody else's rule. So, the best way was to start my own company. My wife is the toughest board member." He had further stated he knew the IT services industry would grow significantly and with the right moves, "we could outpace overall growth."
The report adds that Syntel, modelled along the lines of TCS in some ways, was set up with an initial investment of just $2,000 in 1980. It went on to post revenues of $30,000 in its first year and got a massive boost when it signed on General Motors as a client. Though it started out as an IT staffing company, it soon evolved into a firm providing IT applications services. In 1992, it opened the first of its multiple India Global Development Centers, and five years on the company not only went public but also managed to grow its turnover to the $100 million milestone. It is currently nine times bigger - Syntel raked in nearly $924 million in 2017.  
In April, after releasing its first quarter results, the 23,000-employee company had said that it expects revenue of $920-960 million in 2018, based on an exchange rate assumption of Rs 65 to the dollar. But if the dollar continues to remain as strong as it is currently, the figures will likely move up.
Yet, despite all this, Syntel failed to soar to the heights of the tech giants. Consider Infosys, for instance. Though it started just a year after Syntel, today it is India's second largest IT services firm with over $10 billion in revenue, 10 times that of Syntel.
Desai and Sethi had a dream run in the years leading up to the dotcom bust - including bagging the 2nd spot in Forbes' "200 Best Small Companies in America" rankings - but then Syntel's share price plunged in 2000-2001.
The company recovered and its share price rallied an impressive 1766 per cent on the NASDAQ between 2001 and 2015, before running into rough weather again. In 2016, the stock plunged from $46 to about $19 per share in just over two months after the company declared a special cash dividend of $15 per share in September 2016.
"The special cash dividend will be funded through dividends to the Company by U.S. subsidiaries, the one-time repatriation of approximately $1.24 billion of cash held by the Company's foreign subsidiaries and a portion of borrowings under a new senior credit facility," the company had said at the time, adding, "In connection with the one-time repatriation, the Company expects to recognize a one-time tax expense of about $264 million (net of foreign tax credits) in the third quarter of 2016."
In the bargain, the company also had to downgrade its earnings per share outlook to a loss, which prompted a massive selloff of the stock, from which it is yet to fully recover. Nonetheless, the share prices have jumped nearly 110 per cent in the past year, which partly explains the price now paid by Atos.
With agency inputs