Dropbox tests two-factor authentication

Dropbox-Logo-BGh-online: Cloud backup provider Dropbox says it has begun a public test of two-factor authentication for its service. Dropbox had announced it would start offering the security measure after the service experienced a data leak at the beginning of the month.

Users who activate two factor authentication will have to enter a security code after logging in with their username and password. The security code can only be used once and is sent to the user’s mobile phone in a text message. To generate security codes, users can also use a variety of smartphone applications such as Google Authenticator. Details of the process are given on the two-step verification help page.

Two-factor authentication protects a user’s account even when an attacker gains access to the account password. The second factor, in this case the user’s mobile phone which receives or generates the security code, is needed to take over the account. When activating two-factor authentication on Dropbox, the user also receives a 16-character emergency code that can be used if the user loses their mobile phone or runs into problems with the code generator. The emergency code should be kept in a safe place, out of the reach of hackers. It would be prudent not to store it in the same place as the Dropbox account password. Web sites that have been using two-factor authentication for a while include Google and Facebook.

Users who want to take part in the test of two-factor authentication, have to explicitly activate the security feature for their Dropbox account and install the experimental version 1.5.12 of the Dropbox client. The current versions of the Dropbox smartphone applications for Android and iOS are already usable with the experimental feature.

http://h-online.com/-1676276

Firefox 17 to make add-ons more secure

logo-onlyh-Online: As suggested by some of its developers back in 2010, the Firefox browser will introduce enhanced separation between add-ons and the rest of the browser. With the change, which is planned to take effect with the release of Firefox 17, scripts on web pages will only be able to access the data belonging to add-ons if they are included in a whitelist.

The beta version of Firefox 15 already logs warning messages in the browser’s Error Console when a page that is not on the whitelist tries to access data from add-ons. This behavior has been included to make add-on developers aware of the new policy and to give them time to fix their add-on’s behavior before the release of Firefox 17.

In the current versions of Firefox, entire add-on objects can be shared by adding them tocontentWindow.wrappedJSObject which allows scripts on web sites to access all data belonging to these objects through the window.sharedObject variable. With Firefox 17, add-on developers are required to explicitly mark attributes with the __exposedProps__property which acts as a whitelist for objects that Firefox will share. Possible values for this property allow read-only access, write-only access and read and write access.

Web site code will not have to be modified. The change also does not affect add-ons that are passing numbers, booleans or strings from the add-on to the web page; only actual add-on objects are affected.

Mozilla recommends that add-on developers thoroughly test their code in the Firefox 15 beta, keeping an eye out for errors in the Error Console. Afterwards, they should test with a nightly release version of Firefox 17 and see whether their add-ons break. Add-ons developed with Firefox’s Add-on SDK should be automatically compatible after updating to the latest release of the SDK, but Mozilla recommends that developers test them after updating nonetheless.

http://h-online.com/-1672626

Get ready for exciting changes coming to Firefox 13, 14 and 15

Firefox-Nightly-300x300Cross-posted from BetaNews: Following on from the release of Firefox 12 FINAL, Mozilla has updated its developmental branches to versions 13 (Beta), 14 (Aurora) and 15 (Nightly/UX), respectively. Those looking for major changes in version 12 will may be disappointed, but future builds promise a number of radical new features, including redesigned Home and New Tab pages, plus panel downloads manager and inline preferences screen.

Get a head’s up on what’s coming and discover which build is best for your personal needs with our essential guide to what’s coming up in the near future for Mozilla’s open-source, cross-platform browser.

Firefox 12.0 FINAL
This is the recommended release for most users, being the latest, stable build available. That said, version 12 will not go down in the annals of Mozilla folklore as a notable release, with a minor refresh of the HTML5 controls and the move to silent updates on Windows machines being the only two changes of note. Ordinarily we’d caution against moving rapidly on to the next version, but read on to discover why you may not be able to resist taking the plunge and moving to the beta channel.

Firefox 13.0b1 Beta

Last August, Mozilla unveiled a presentation of how it sees the Firefox user interface changing in the months ahead. A few minor tweaks have already landed in Firefox, but version 13 sees two noticeable new features making their first appearance: a new Home page, and a New Tab page.

Firefox’s new Home page (type about:home into the Address bar) provides users with a customized page that includes shortcuts to bookmarks, downloads, add-ons, history, sync, settings and an option for restoring the previous session. This latter feature is another new addition to Firefox’s feature set, and restores all open tabs from a previous browsing session.

The home page, which can be pinned permanently as an app tab for easy access, is fully functional already, but will evolve further in time; Mozilla plans to use it as a portal to the upcoming Apps Market, for example.

Firefox 13 also introduces a redesigned New Tab page that will be familiar to Chrome and Opera users: thumbnail previews of frequently visited sites. On first visit these will appear blank, but as time goes on and you visit said sites, they should start to populate themselves with thumbnail images of the site itself.

Sites can be permanently removed (click X), pinned to the list and even dragged and dropped into a new order, and those who hate the new feature will find a small button in the top right-hand corner that toggles between this new view and the traditional blank tab page.

There’s one other major change in version 13: smooth scrolling is now enabled by default, despite the acknowledgement of one bug that may cause issues on certain web pages. Meanwhile, Android users will be pleased to learn that support for Flash is finally being enabled in version 13 of the mobile app, but only if you’re running Android 2.x or 4.x.

Firefox 14.0a2 Aurora

Aurora is an “alpha” build of Firefox, which means it’s undergone minimum testing only. As such it’s not suitable for everyday use, which is why Firefox Aurora is installed as a separate build alongside the stable or beta build, allowing you to test its features without affecting your day-to-day browsing. Settings are shared between Firefox Aurora and your other builds, however, so again caution should be exercised before installing it.

After all the excitement of Firefox 13 Beta, you’d think the Mozilla developers would rein things in for v14, but none of it. The most exciting features planned are currently listed as in definition, design or development, which means there’s no guarantee they’ll appear in Firefox 14. These include a version of Firefox that runs in Windows 8’s new Metro interface, support for desktop apps (which can be installed and used independently of Firefox, even when offline), and the panel-based download manager that’s been a staple of the UX build for a long time.

One other tweak in development is an extension to the silent updates feature introduced in Firefox 12, and that’s the ability of Firefox to update itself in the background, so the user will never have to worry about manually updating again. This is slated for version 14, but may yet slip to version 15 due to a current slew of issues undergoing fixes.

The inline autocomplete function remains stubbornly part of Aurora, where it has been since version 12’s release. This is designed to anticipate what URL is being typed into the Address Bar, pre-loading the web page in the background before the URL has been entered.

Other “landed” features are minor, and behind-the-scenes tweaks. These include incremental garbage collection, hang detector and reporter, and cycle collector performance improvements, some of which were slated for Firefox 13 Beta and may yet be implemented in this version.

As things stand, there’s nothing visible to get excited about in Firefox Aurora, which makes us think it’s probably best to wait until it gets to Beta before seeing if any of the more exciting new features mentioned above are ready for their move to primetime.

Firefox-Aurora

Firefox 15.0a1 Nightly/Firefox 15.0a1 UX

Firefox’s two Nightly channels give users access to code hot off the press, but while you’re looking at the latest bleeding-edge version of Firefox, you’re also venturing into uncharted waters because much of this new code has had no testing at all. Nightly builds update regularly, so once installed you’ll find your build updating on a much more frequent basis than other unstable releases.

After the excitement of features being developed in versions 13 and 14, Firefox 15 looks like being a more minor release at this early stage in its development. At the present time only three new improvements are in the pipeline: two performance-related (faster start-up times for Windows users, and tweaks to session restore so it doesn’t slow down the browser restart process) and one that’s being developed by students at Michigan State University.

This latter feature, “in-content preferences”, will see Firefox’s Options dialogue box removed and the program’s preferences moved into a browser window, similar to how Chrome’s preferences currently work. This is currently accessible in Firefox 15.0a1 UX, the parallel nightly build of Firefox where interface improvements such as the panel-based downloads manager and New Tab pages first made their appearance.

When selecting Options, you’ll see the old pop-up window is replaced by a new tab with a series of buttons to choose from. Click one to access that section’s settings — at present this feels a little clunky, but we suspect it’ll evolve into something sleeker in time.

Windows and Linux 64-bit users may be interested in trying Firefox 15.0a1 Nightly 64-bit and Firefox 15.0a1 UX 64-bit. We’d recommend all but developers and serious, knowledgeable enthusiasts avoid the Nightly builds of Firefox.

So, to Summarize…

Which version of Firefox should you try? Stick to the most stable version you feel comfortable with, although the temptation to sneek a peek ahead is actually quite compelling with these latest developmental builds.

That said, it’s hard not to recommend people check out Firefox 13 Beta — the new features will make a difference to the way you use your browser going forward, and it’s a shame one or other couldn’t have been made ready to provide version 12 with a little more pizzazz.

If you do plan to take a look into the future of Firefox, back up if you plan before installing Beta or Aurora builds of Firefox. And If you do decide to give the Nightly or UX builds a try, consider using a non-critical machine or virtual setup (try VirtualBox) instead of your main computer, just in case…

Security improvements in Opera 12 beta

Opera-logo-new200The H-Online: A beta of version 12 of the Opera web browser has been released with privacy and security-focused improvements. Code-named “Wahoo”, the Opera 12.00 beta now runs plugins out-of-process and includes optimizations for better SSL handling. Running plugins in their own process not only improves the smoothness and stability of the browser but can limit the damage some plugin exploits can do. Privacy is enhanced with support for the “Do Not Track” (DNT) header, which is used to tell web sites that the browser user wishes to opt-out of online behavioral tracking.

Opera_12_BetaThe DNT header is designed to help users retain their privacy when faced with online advertising networks that use cookies and other web technologies to recognize them and serve them tailored advertising. Users can enable the header, which is currently disabled by default, in the preferences dialog by selecting Preferences –> Advanced –> Security –> “Ask websites not to track me”. “Do Not Track” requires web sites and services to acknowledge the header, but a number of advertising companies have said they will adopt it and Yahoo plans to roll out support across its sites. The Whitehouse has also proposed wider use of “Do Not Track” and the US Federal Trade Commission has called for its use. To make it easier for users to see the privacy and security settings on sites they visit, the security badges that appear in the Opera address bar have been redesigned and color coded.

Non-security related changes in the Opera 12 beta include 64-bit support on Windows and Mac OS X, faster startup times and page loading, new themes, and experimental hardware acceleration and WebGL support (off by default). Support for several other web standards, such as CSS3 Animations and Transitions, HTML5 Drag and Drop, and Web Real Time Communication (WebRTC) have also been added.

Some features found in previous versions of Opera are being discontinued in the new version. These include the Opera Unite personal cloud media platform and Opera Widgets, which are removed by default for new users. Support for the built-in speech recognition and text-to-speech technologies is also being phased out.

More details about the beta version of Opera 12, including download links, can be found on the company’s Opera Next web site. The current stable release is Opera 11.62, a security update from late March.

Panda Cloud Antivirus makes firewall social

BetaNews.com: Panda Security has released Panda Cloud Antivirus 1.9.1 Beta, a preview of its forthcoming 2.0 release. The beta sees Panda’s lightweight free cloud-based antivirus tool add firewall protection for the first time.

The new firewall is community based, which means it’s capable of detecting known processes and settings appropriate levels of protection for them without bothering the end user with a pop-up alert. The new firewall is visible from a new tab on the Panda Cloud Antivirus interface.

Panda Cloud Antivirus, which uses cloud-based community feedback to augment its virus signatures to provide protection against unknown and malicious files, is renowned for its lightweight footprint, making it especially suitable for low-powered machines such as netbooks and PCs running 1GB or less of RAM.

The new firewall provides a set of application and system rules to provide two-way protection against both threats originating from the Internet and those already present on the computer. The firewall is capable of automatically granting outbound access to connections deemed secure or a low risk, but will prompt the user for riskier connections. Inbound connections are treated in the same way, except the approach is much tighter to prevent unknown risks slipping through the net. The user can review, and edit, what settings have been applied by clicking the Program control button on the main interface.

Version 1.9.1 Beta also includes a number of improvements and bug fixes to the antivirus portion of the program, including an “improved cache” where previously scanned items are held to speed up future scans by skipping known trusted files. The Behavioural Analysis engine has also been optimised for both on-demand scanning and real-time protection as triggered when files are accessed.

Panda Cloud Antivirus 1.9.1 Beta is available as a freeware download for testing purposes now, and requires a PC running Windows XP or later to run. The current stable version – Panda Cloud Antivirus 1.5.1 — is also available for download.

Start of Avira 12 Betatest!

Start of AV 12 Betatest!
It starts from today and ends on 29th of September 2011.

Finally after a long time Avira started Betatest of Avira AntiVir 12.
If you would like to test this build and feature beta releases, you can register in Avira BetaCenter: http://betacenter.avira.com

More Info: http://techblog.avira.com/2011/09/08/avira-products-version-2012-for-windows-now-available-for-beta-testing/en/

Microsoft To Improve File Management Processes In Windows 8

Windows 8 News Blog: The recently created Building Windows 8 blog seems to be up in full swing, with new articles about the upcoming operating system being released regularly. Steven Sinofsky revealed in “Improving our file management basics: copy, move, rename, and delete” that Microsoft intents to improve file management processes under Windows 8.

According to Steven, Microsoft had three goals to improve the copy experience:

  • One place to manage all copy jobs: Create one unified experience for managing and monitoring ongoing copy operations.
  • Clear and concise: Remove distractions and give people the key information they need.
  • User in control: Put people in control of their copy operations.

Consolidating the copy experience is a great idea. This means that you won’t have to deal with multiple copying windows when you run multiple copy or move operations in the operating system. All copy jobs are now consolidated in one screen.

Microsoft furthermore added the ability to pause copy processes, which goes along with a new real-time throughput graph that users can display on the system.

The copy conflicts screen gets an overhaul as well. The screen, which is very confusing and with to much text has been replaced with an easier to access conflicts window that is giving the user more control over the process.

Here are all screenshots of the new features that have been posted by Microsoft:

The consolidating of copy jobs, pausing copy jobs and a better conflict experience are all features that will be well received by users of the new operating system. Sometimes it is the little things that make more of an impact than larger changes.

And here is a video with the announcement:

You can read the full announcement over at the Building Windows 8 website.

Mozilla Plans To Hide Firefox Version

gHacks: One “by-product” of the rapid release cycle of the Firefox web browser is the version number increase that goes along with every new release of the web browser. Firefox this year jumped from Firefox 3 all the way to the latest version Firefox 8, and we are not even at the end of the year.

Mozilla interestingly enough plans to hide the version number in the Firefox web browser. Asa Dotzler added an entry to Bugzilla to remove the version of the browser from the about Window dialog in the browser.

Firefox users who currently want to know which version of the browser they are running can click on Firefox > Help > About Firefox to find out.

The original idea by Asa is to remove the version information in the about window and replace it with the more general information that the user is running the latest version of the browser.

When a user opens the About window for Firefox, the window should say something like “Firefox checked for updates 20 minutes ago, you are running the latest release.”

Experienced Firefox users, or at least those who know where to look, can still access the version information on the about:support page.

What is Mozilla hoping to achieve with the removal of the version number listed in the about window? No information is posted on Bugzilla, it is however likely that Mozilla wants to reduce the impact a version number change has on the global community, and especially on the update ratio of users.

Removing the version number does not change the fact that Firefox is reaching what is generally perceived as major versions more frequently, and most tech news sites will still use the version number when they write about those changes. The idea is to make versions less important.

Then again, we would not have that discussion if Mozilla had made the decision to use “minor” version increases for the rapid release cycle. Instead of having to deal with Firefox 4, 5, 6, 7 and 8, we would have then had to deal with Firefox 4.1, 4.2., 4.3, Firefox 5 and Firefox 5.1.

Mozilla is basically trying to use the argument that opponents of the major version increase had when they were first announced:

The opponents said that versions do not mean anything if the browser does not deliver, and that it does not make sense to increase the browser version if the changes are only minor.

Mozilla now says that versions do not mean anything, and that users simply should not look at them anymore.

Hiding the browser versions, and the supposed change is nothing more than that, does not resolve the underlying issue. Especially not so if the update screen still displays the new version the browser will get updated to.

Windows 8: The death of malware? The death of anti-malware?

BetaNews: There is a lot of buzz about a recent set of tests by NSS Labs that show the Smartscreen reputation system in Internet Explorer 9 head and shoulders and most of the rest of the body above the competition in blocking malware on the web.

I think the results of the test are even more important than they seem, considering previous reports that Microsoft plans to make Smartscreen a base part of Windows 8. This would extend parts of the protection to any executable hitting the file system. This would be big news.

Smartscreen in IE9 has 2 components: A URL reputation system and a file reputation system. The URL reputation system is similar in concept to the Google Safe Browsing API, used by Chrome, Firefox and Safari, but vastly superior in results. It picked up 92 percent of malware-serving sites. Safe Browsing never reached 30 percent in the tests and generally settled much lower.

For the 8 percent of sites that Smartscreen doesn’t block, there’s backup protection. Smartscreen tracks downloaded files (presumably by some hash like SHA-1) and a reputation for them. If the file is known to be good, it goes through. If it’s known to be bad, it’s blocked. If the system doesn’t recognize it, the file throws up a warning:

This warning could be a bit clearer at the cost of brevity, but I think it’s worth it: “Microsoft has not yet encountered this file. If you know this file is new and unusual and know that it is safe, you may proceed. If it doesn’t make sense that Microsoft has not yet seen this file, you may wish not to execute it in the interests of your own safety.” I hope Microsoft submits such files to VirusTotal or some such service in order to share them with the rest of the AV community.

So back to Windows 8: At least some betas have included indications that this version of Windows will apply Smartscreen to any file, or at least any executable, that hits the file system. This would address one misplaced criticism in Smartscreen in IE9, that it only protects against the web vector. Of course, the web is how the vast majority of malware is distributed these days, but fix that route and attackers will move elsewhere, so Microsoft has to think ahead.

I’ve argued that Microsoft should open up Smartscreen to other apps the way Google opened up the Safe Browsing API; Firefox was using it long before there was a Google Chrome. But putting the system into Windows itself may make that less advantageous.

Another thing that Smartscreen doesn’t do is protect against application vulnerabilities. If a site is not blocked and it exploits some browser vulnerability, Smartscreen doesn’t block it. Of course if you’re Microsoft you should patch the browser, and there are plenty of other defense-in-depth techniques, like ASLR and DEP, to limit the damage of vulnerabilities. I’d argue that Smartscreen plus timely patching is really good protection, even without an AV product.

We’re always hearing about the coming obsolescence of antivirus software. Could this be it? A Win8 Smartscreen as I see it doesn’t cover everything an anti-malware product should. For instance, if you’re offline and copy a file in via a USB drive would you be at all protected? I don’t know. It’s getting there though.

Chrome OS Beta Channel Update

google-chrome-logoThe Chrome OS Beta channel has been updated to R10 release 0.10.156.46 including the new Chrome 10 Beta, new trackpad and several stability and functional improvements over the previous release. This release contains the following security fixes:

  • Scratchpad application security vulnerability fix

In addition to all Chrome 10 new features (see Chrome 10 blogpost), there are several Chrome OS great improvements including:

  • 3G modem activation fixes
  • 3G connection to the carrier fixes
  • Wi-Fi connectivity/Out of the Box fixes
  • New trackpad and sensitivity setting adjusted
  • Auto update engine and debugging improvements
  • Power optimizations
  • GTalk video/chat optimizations
  • Audio CPU utilization improvements
  • Improved on screen indicators: brightness, network status, update icon

    There is one known issue:

    • [Bug 12085] Audio does not pick up until browser refresh upon lid re-open

    You can find full list of fixes that are in Chrome OS R10 in the chromium-os bug tracker . If you find new issues, please let them know by visiting their help site or filing a bug.