6 C
London
Wednesday, November 22, 2017
Home Tags FileVault

Tag: FileVault

Defendant to ask Supreme Court if compelled decryption is a 5th Amendment breach.
“Our client has now been in custody for almost 18 months,” defense attorney says.
He’s not charged with a crime. Judge demands he help prosecutors build their case.
Without the macOS update released this week, Apple’s disk encryption can be easily defeated by connecting a specially crafted device to a locked Macbook. The attack is possible because devices connected over Thunderbolt can access the computer’s RAM directly before the OS is started through the direct memory access (DMA) feature. The DMA mechanism is typically used by disk drive controllers, graphics cards, network cards, and sound cards because accessing the memory through the CPU would otherwise keep the processor busy and unavailable for other tasks. Apple’s macOS has DMA protections, but they only kick in when the OS is running. However, the EFI (Extensible Firmware Interface)—the modern BIOS—initializes Thunderbolt devices at an early stage in the boot process and this enables them to use DMA before the OS is started, security researcher Ulf Frisk said in a blog post. The second problem is that the password for Apple’s FileVault 2 disk encryption is stored in memory in plain text if the disk has been unlocked once.

This means that when a Mac has its screen locked or returns from a sleep state, the password will still be in memory. Furthermore, the password doesn’t get scrubbed from memory on reboot and is only shifted around to a different location within a fixed memory range, according to Frisk.

The only time the password is removed from memory is when the Mac is shut down because that’s when RAM contents are completely cleared. The researcher created a hardware device running his custom software that he dubbed PCILeech.

The device is capable of extracting FileVault passwords via DMA. “This makes it easy to just plug in the DMA attack hardware and reboot the Mac,” Frisk said. “Once the Mac is rebooted the DMA protections that macOS previously enabled are dropped.

The memory contents, including the password, is still there, though.

There is a time window of a few seconds before the memory containing the password is overwritten with new content.” Frisk presented DMA-based attacks against the Linux, Windows, and OS X kernel at the DEF CON security conference in August, but he discovered the implications for Apple’s disk encryption after his presentation. He kept his findings secret until now at Apple’s request. The researcher confirmed that the macOS Sierra 10.12.2 update released this week fixes the security issue, at least on his MacBook Air. “The solution Apple decided upon and rolled out is a complete one,” Frisk said. “At least to the extent that I have been able to confirm.
It is no longer possible to access memory prior to macOS boot.

The mac is now one of the most secure platforms with regards to this specific attack vector.”
Luckily, there's a security fix Until earlier this week, Apple's FileVault 2 disk encryption could be defeated in the time it takes to reboot a Mac, given a few hundred dollars in hardware and physical access to the computer. Apple on its website claims that FileVault 2 uses "XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk." However, Ulf Frisk, a security researcher based in Sweden, found that he could plug an assembled device running software called PCILeech into a Mac and obtain the FileVault 2 encryption password using a direct memory access (DMA) attack during the reboot process. Apple's flawed encryption scheme, fixed in the Tuesday release of the macOS 10.12.2 update, lacked protection from DMA attacks launched prior to the the loading of macOS. When running its Extensible Firmware Interface (EFI) during the early stages of the boot process, Mac hardware allowed devices connected by Thunderbolt 2 (USB-C has not been tested) to read and write memory in the Mac. The ability to write to memory alone allows an attacker to subvert a system.

But creating an exploit by overwriting memory wasn't necessary because FileVault passwords were stored in cleartext and were not evicted from memory once the disk was unlocked. Obtaining the disk password was simply a matter of connecting the PCILeech device to a Mac and rebooting it, Frisk explains. "Once the Mac is rebooted, the DMA protections that macOS previously enabled are dropped," said Frisk in a blog post on Thursday. "The memory contents, including the password, [are] still there though.

There is a time window of a few seconds before the memory containing the password is overwritten with new content." Frisk discovered the vulnerability in July and presented details in August at Def Con 24.

The presentation also described attacks on Linux and Window systems. Youtube Video Apple was subsequently notified and requested that Frisk delay public disclosure until it could deal with the issue, which it has done through its software update. Frisk says it is no longer possible to access memory prior to the boot process on an updated Mac, making it one of the most secure platforms against this specific type of attack, at least with regard to publicly disclosed vulnerabilities. ® Sponsored: Want to know more about PAM? Visit The Register's hub
Enlarge / Unfortunately, it's easier to stick a lock on the Brooklyn Bridge than it is to secure your data. We can at least try to help, though.Andrew Cunningham reader comments 47 Share this story With Thanksgiving behind us, the holiday season in the US is officially underway.
If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home. This year in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities. This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance.

This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised.

And while security often comes at some cost to usability, we've also done our best not to impact the fundamental utility and convenience of your devices. These recommendations simply don't represent the absolute best in security and privacy—the Electronic Frontier Foundation (EFF) has excellent, more in-depth guides on security for activists and protesters that you can read if you want to get even further out into the weeds.

But these are all good, basic best practices you can use if, like so many of us, you want to protect yourself against security breaches and trolls.

Feel free to share it directly with those in your life who insist on doing the computer work themselves. Protecting your devices Install updates, especially for your operating system and your browser This ought to be self-evident, but: install updates for your phones, tablets, and computers as soon as you can when they’re made available.

The most important kinds of software updates are those for the operating system itself and for your browser, since Chrome, Firefox, Safari, Edge, and the rest are common points of entry for attackers. Updates for password managers and other apps on your system are also important, though, so don't ignore those update prompts when you see them. Waiting a day or two to make sure these updates don’t break anything major is fine, but don’t ignore update prompts for days or weeks at a time.

By the time an update exists for a security flaw, it is often already being used in attacks, which is why it’s important to install updates as quickly as possible. On this note, also be careful about using Android phones, which often run out-of-date software without current security patches.

Google’s Nexus and Pixel phones, which get software updates promptly and directly from Google, are the best way to make sure you’re up to date; while Samsung’s newer smartphones are also patched relatively promptly, everything else in the Android ecosystem is hit or miss. Use strong passwords and passcodes Having your accounts hacked is what you should be the most worried about—more on this later—but it’s also important to secure the devices you’re using to access those accounts. It goes without saying that you should use a good, strong password to protect every single user account on any PCs or Macs. On smartphones, you should use as strong a PIN or password as you reasonably can.
If your phone uses a fingerprint reader, take advantage of that added convenience by locking your phone with a strong alphanumeric password.

Target a 12- to 14-character minimum, since shorter passwords are more susceptible to brute force attacks. Encrypt your phones and computers If you need an oversimplified but easily understood way to explain "encryption" to someone, think of it as a massively complex decoder ring; when data is encrypted, it can only be accessed and read by a person or device that has the “key” needed to translate it back into its original form.
It’s important to encrypt your communications, and it’s also important to encrypt the devices you use to access any sensitive data since that data can be stored on them locally whether you realize it or not. The basic encryption guide we ran last year is still current; I’ll cover basic guidelines here, but refer to that for fuller details. iPhones and iPads are encrypted by default. Use a strong passcode and you’ll generally be fine. Macs are not encrypted by default, but FileVault disk encryption is fairly easy to enable in the Security section of the System Preferences. Some newer Android phones are encrypted by default, but go to the Settings and check under Security to confirm (this may differ depending on the phone you use).
If the phone isn’t encrypted, it’s fairly easy to turn it on in the Security settings; protect the phone with a strong passcode afterward. Older phones and tablets may suffer a performance hit, but anything made in the last two or so years should have no major problems. Windows PCs tend not to be encrypted by default, and it’s only easy to enable encryption on newer PCs with the more expensive “Pro” versions of Windows. Windows can be encrypted by default, but only by supporting an esoteric list of requirements that few PCs meet. Protecting your accounts Two-factor authentication The most significant thing you can do to protect your e-mail, bank, Apple, Facebook, Twitter, Google, Amazon, Dropbox, and other accounts is still to enable two-factor authentication (sometimes called two-step authentication or 2FA).

This means using a combination of multiple credentials to get into your account, usually a password and a six-digit code sent to your phone or generated by an authenticator app. There are three primary types of authentication: something you know (i.e. a password), something you have (i.e. your phone or a secure key), or something you are (i.e. your fingerprint or face).

To be considered “true” two-factor authentication, each factor needs to be from a different one of those three categories.
So, for instance, something that requires a password plus your phone is two-factor authentication.
Something that just asks you for two passwords is not, since they’re both something you know. SMS texts sent to your phone are relatively easy to hijack for determined attackers, so you should definitely use an authenticator app whenever possible.
I prefer Authy, but Google Authenticator is also widely used. When you enable two-factor authentication on an account, the first time you log in to an account on a new phone or computer, you’ll generally be asked to enter a special code after you enter your password.

Anyone who has your password but doesn’t have the code can’t get into your accounts. You may also need to sign back in on all of your other devices before you can use them with your account again. Here are instructions for setting up two-factor authentication for a variety of services; if you can’t find yours on this list, Google is your friend; twofactorauth.org is also a helpful resource. Apple Google Microsoft Twitter Facebook Dropbox Slack Amazon Paypal Venmo Stripe Using a password manager (and good password practices) Two-factor authentication is great, but it’s only extra protection on top of good, strong passwords and password practices.
Security researcher Brian Krebs has a good primer on password security here, but the most important things to remember are: Don’t use the same password for multiple sites/services, especially if you use those sites/services to store personal data. Change your password regularly, and change it immediately if you suspect that the service has been hacked or that someone else has tried to use your account. Use the strongest passwords you can. Using various characters (capital and lowercase letters, numbers, punctuation) is important, but password length is also important.

Consider a 12-to-14-character password to be a useful minimum, depending on the site’s password policies. Remembering passwords is annoying, especially if you’re changing them all the time. One solution to this problem is to use a password manager.

These are apps that generate long, random, complex passwords and store them for you in encrypted form either on your device or in the cloud. You have to set and remember one strong master password (we recommend perhaps writing this down and putting it in a safe and secure place), but the app does the rest. There are lots of password managers available, but 1Password is probably the best known and best supported.
It costs $2.99 a month for one person and $4.99 a month for a family of up to five people, and there’s a 30-day free trial available as well. LastPass is also an OK free alternative, though this sort of protection is worth the cost.
It’s also generally a good idea to support companies that do security- and privacy-related work going forward. Protecting your communications and Internet use Enlarge / WhatsApp is one messaging service that features end-to-end encryption, though it's no longer your best option. Andrew Cunningham Using Signal for SMS and voice calls Protecting your communications from being intercepted and read is one of the most important things you can do, but it’s also more difficult than other security measures we've discussed so far. Using an encrypted messaging service is the best way to protect your texts from prying eyes.
If you’re using Apple’s iMessage service (i.e. blue bubbles), you’re already using an encrypted service, but the downside is that it only works between two Apple devices and that Apple may still be able to hand out your data if asked. For communications between an iPhone and an Android phone or between two Android phones, your best option is Signal, a secure SMS app by Open Whisper Systems that provides encryption for both texting and voice calls.

Both you and your recipient will need to have Signal installed for it to work, but the app makes it easy to send out download links to your recipients and it’s easy to set up and use.

The EFF has detailed installation instructions for iOS and for Android. Another encrypted messaging service you may have heard of is WhatsApp, but the company’s acquisition by Facebook in early 2014 has given rise to some concerns among security and privacy advocates.
Still, depending on what the people you know already use, it could be better than just plain SMS or other chat services. Using VPNs, especially on public Wi-Fi You know those unsecured public networks that you log into when you’re at the cafe or coffee shop? Not only can anyone also get on that network and potentially exploit it, but attackers with relatively simple, inexpensive tools can see all of the data that travels between your phone or laptop and the wireless router.

Even networks with passwords (like those you’d use at work or in a hotel, for instance) can expose your data to other people who have the network password. The answer here is to use a Virtual Private Network, or VPN.
If you think of the streams of data going between a router and everything connected to it as an actual stream, then a VPN is a sort of straw or tube that keeps your stream separate from everyone else’s.
VPN services can also hide your browsing data from your Internet service provider, and they can give you some degree of protection from trackers used by websites and ad networks. (Again, like most measures, this is not a guaranteed way to achieve perfect security.) Subscribing to a VPN does cost money, but there are many options that will run $10 or less per month. Private Internet Access offers support for Windows, macOS, iOS, Android, and Linux; will let you use the service on up to five devices simultaneously; and costs a relatively inexpensive $6.95 a month or $39.95 a year (which breaks down to $3.33 a month).
If you use public wireless networks with any frequency at all, a VPN is a must-have and well worth the cost. VPNs aren't cure-alls, since some public networks are set up to keep them from working—sometimes on purpose so they can show you ads, sometimes by accident because they want to keep the networks from being used for anything other than basic Internet. Using a Mi-Fi hotspot or your phone's tethering features when you're in public can be expensive, but it can also provide some peace of mind when you're having trouble getting your VPN to work on a public network. E-mail security (is hard to do) E-mail security is difficult, and both of our security experts on staff have described it to me as a "lost cause" and "fundamentally broken." The primary problem is that even if you take precautions to protect your end of the conversation, you can do little to secure the servers and clients in between and on the receiving end.
Some services like Gmail offer enabled-by-default encryption between your computer and their servers, but sending a message from one server to another is still often unencrypted. Paid services like ProtonMail are promising—it promises enhanced security and privacy and they won't read your messages or scrape data from them so they can sell ads to you—but it hasn't been thoroughly audited, and it only really works as intended when sending mail between ProtonMail accounts. And longstanding e-mail encryption tools like PGP ("Pretty Good Privacy") are notoriously difficult to set up and use. You should definitely do what you can to secure your e-mail from casual snooping, and you should protect your account with the tools we've already mentioned—using an account from a major provider like Google, Microsoft, or Yahoo with a strong password and two-factor authentication enabled is a good way to start.

But for truly sensitive communications that you want to keep private, using Signal or WhatsApp or even Facebook Messenger's "Secret Conversations" feature is a better way to do it. Deleting old e-mails Another mitigating factor for the e-mail problem is message retention—someone with ten years' worth of data to dig through is naturally going to reveal more about themselves than someone who only has six months of messages. Even free e-mail providers often give you so much storage space that it can be tempting to be a digital packrat and just keep everything, both for nostalgic reasons and just in case you ever need it for something.

But the more communications you store, the more information that companies, law enforcement, and hackers have to track your wheelings and dealings. Consider how important or sensitive your communications are, and consider how often you actually need old e-mails.

Consider deleting e-mails at regular intervals—deleting things after one year or even six months can be a good way to start if this is something you’re worried about, and think about deleting unimportant messages even more frequently. Next steps If you’ve done all of these things and you’re looking to do more, the EFF’s Surveillance Self-Defense page is a good resource.
It has more in-depth technical explanations for many of the concepts discussed here, as well as further recommendations.

The EFF also offers Chrome and Firefox plugins like Privacy Badger and HTTPS Everywhere, which (respectively) attempt to keep ads from tracking you across multiple sties and load content over an encrypted HTTPS connection rather than a standard HTTP connection whenever HTTPS is available. You could also look into things like the Tor project, which goes to greater lengths to obstruct surveillance and ensure privacy.
If you step away from your computer, an attacker could quickly insert a USB stick and take control using a series of vulnerabilities. The device costs only $5. While most people know not to leave their computer alone in a public space, locking the system with a password gives many users a feeling of security.A new hacking tool released this week has shown how illusory that feeling is, demonstrating the danger of leaving any system unsupervised. The tool, known as PoisonTap, can be loaded onto a $5 Raspberry Pi barebones computer and will take over the internet connection of any system to which it is connected. Once plugged in, the program will steal the victim’s cookies for the top 1 million Web sites, expose internal routers to the Internet, and allow remote access to the system.The hacker behind the program, Samy Kamkar, a security researcher best known for creating the MySpace worm in 2005, announced the tool on Nov. 16.“When plugged into a locked or password-protected computer, it takes over all internet traffic momentarily,” Kamkar said in a video explaining the attack. “The back door and remote access persists even after the device is removed and you walk away.” The attack is a bold demonstration that leaving a computer unattended is never a good idea. When PoisonTap is plugged into a computer the device masquerades as an Ethernet device. The computer immediately sends a request to PoisonTap for an IP address, even if it is locked or password-protected. The address that PoisonTap returns makes it seem that “almost all IP addresses on the Internet are part of PoisonTap’s LAN,” Kamkar said.The result is that the targeted computer will send all its Internet traffic through PoisonTap.PoisonTap will intercept any requests to the Web and steal cookies to the top 1 million Web sites. The cookies could then be used by an attacker to automatically log into sites without needing a username and password, although the effectiveness of such an attack depends on the site’s security requirements.The program can also poison the browser cache and redirect requests for certain Web sites to go to an attacker-owned site, essentially giving control of the browser to the attacker, Kamkar said.“Whenever the Web socket is open, the attacker can remotely send command to the victim and force their browser to execute JavaScript code,” he said. “This allows that attacker to make requests as the user, with the user cookies and view the responses, with no visibility to the user.”There is very little a consumer can do to secure against the attack, he said.“To protect a client machine, I suggest adding cement to all you USB ports,” he said. The program will not run on computers that have file system encryption, such as FileVault, because the browser does not run in the background.Web sites can protect against parts of the attack by requiring all traffic to use HTTPS. While that seems to be a basic precaution, only 21 percent of the top–100 non-Google sites require HTTPS by default, according to a 2016 analysis by Google.Overall, the attack is able to avoid a laundry list of security protections, including password protected lock screens, same-origin policies in the browser, two-factor authentication and DNS pinning.

It can redirect any unencrypted Internet traffic using only some code and a $5 Raspberry Pi Zero.

A sleeping Mac or PC, even if it's password protected, is no match for the Internet-hijacking PoisonTap.

Polish security blogger Samy Kamkar created the Raspberry Pi-based device, which hackers could theoretically plug into the USB port of a sleeping computer, intercept all unencrypted Web traffic, and send the data to his or her own server.

The technique relies on a browser loophole: even if your computer is asleep, Kamkar explains, any open browser window displaying a non-secure HTTP Web page will continue to send and receive data.

"As long as a Web browser is running the background, it is likely one of the open pages will perform an HTTP request in the background (for example to load a new ad, send data to an analytics platform, or simply continue to track your web movements)," Kamkar writes in a blog post.

A $5 Raspberry Pi Zero loaded with PoisonTap then tricks the computer into recognizing PoisonTap as a new Ethernet connection, allowing it to route all traffic to the hacker's server.

The major caveat, of course, is encryption. PoisonTap only works if the site isn't using HTTPS, the Internet's standard encryption protocol. Many mainstream commercial websites have adopted HTTPS.

Even Netflix, which accounts for more than 30 percent of all North American Internet traffic, figured out a way to encrypt its video streams without affecting their quality.

So Kamkar's PoisonTap is simply the latest reason why the entire Internet should be encrypted—indeed, Google's Chrome browser will soon display warnings when you visit any site that isn't. Kamkar notes that turning on whole-disk encryption, such as Apple's FileVault, can also thwart PoisonTap.

"Going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up," he writes.


Christiaan ColenFederal prosecutors urged a federal appeals court late Monday to keep a child-porn suspect behind bars—where he already has been for seven months—until he unlocks two hard drives that the government claims contains kid smut. The suspect, a Philadelphia police sergeant relieved of his duties, has refused to unlock two hard drives and has been in jail ever since a judge ordered him to do so seven months ago—and after finding him in contempt of court.

The defendant can remain locked up until a judge lifts the contempt order. The government said Monday he should remain jailed indefinitely until he complies.

The authorities also said that it's not a violation of the man's Fifth Amendment right against compelled self incrimination because it's a "foregone conclusion" that illegal porn is on the drives, and that he is only being asked to unlock the drives, not divulge their passcodes. "This is not a fishing expedition on the part of the government," federal prosecutors told the 3rd US Circuit Court of Appeals of Philadelphia. The suspect has not been charged with any child-porn related crimes. Yet he is imprisoned in Philadelphia's Federal Detention Center for refusing to decrypt two drives encrypted with Apple's FileVault software in a case that highlights the federal government's war on encryption.

A federal magistrate has ordered him imprisoned "until such time that he fully complies" with the decryption order.

The man's attorney, Federal Public Defender Keith Donoghue, is demanding that the appeals court immediately release his client from prison because he is being "held without charges." (PDF) Investigators say they know child porn is on the drives. His sister saw some of it and the suspect is said to have shown his family an illicit video, too. The drives, the government said, (PDF) were connected to a Mac Pro. A subsequent forensic exam of his Mac Pro computer revealed that Doe had installed a virtual machine (software that emulates a separate computer within his computer). Within the virtual machine the examiner found one image of what appeared to be a 14-year-old child wearing a bathing suit and posed in a sexually suggestive position.

There were also log files that indicated that Doe had visited groups titled: “toddler_cp,” “lolicam,” “hussy,” “child models – girls,” “pedomom,” “tor- childporn,” and “pthc,” terms that are commonly used in child exploitation. The exam also found that Freenet, the peer-to-peer file sharing program used by Doe to obtain child pornography from other users, had been installed within the virtual machine.

The exam showed that Doe accessed or attempted to access more than 20,000 files with file names consistent with obvious child pornography...and that he used the external hard drives seized by Delaware County detectives to access and store the images. The defendant, who is referred to as "John Doe" in court papers, claims he forgot the passwords.

The suspect's identity is Francis Rawls, according to trial court papers. The government, however, countered. In fact, Doe had multiple layers of password protection on his devices, and he always entered his passcodes for all of his devices from memory.

Doe never had any trouble remembering his passcodes (other than when compelled to do so by the federal court), never hesitated when entering the passcodes, and never failed to gain entry on his first attempt. In winning the contempt-of-court order, the authorities cited a 1789 law known as the All Writs Act to compel (PDF) the suspect to decrypt.

The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple, in which a magistrate ordered Apple to produce code to enable the FBI decrypt the an iPhone used by one of two shooters who killed 14 people at a San Bernardino County government building in December.

The case was dropped when the authorities paid a reported $1 million for a hack. The Supreme Court has never addressed the compelled decryption issue. However, in 2012, a federal appeals court ruled that a financial fraud suspect must decrypt her laptop.

The ruling wasn't enforced as the authorities got the password from a co-defendant. A child-porn investigation centered on Rawls in 2015 when Pennsylvania prosecutors were monitoring the online network Freenet, got a search warrant, and executed it at Rawls home, the authorities said. The court may rule on Rawls' plight at any time, or schedule oral arguments in a process that could take months or more.
No. 1-selling software for running Windows applications on a Mac becomes an even easier choice for millions of consumers and IT professionals worldwide with this most powerful version of the software to dateLONDON, UK - August 20, 2014 - Parallels® today launched Parallels Desktop® 10 for Mac (www.parallels.com/uk/upgradepd10) and Parallels Desktop 10 for Mac Enterprise Edition, the industry-leading software for running Windows applications on Macs. New built-in intelligence and support for Apple's latest operating systems - including OS X Yosemite[1] - greatly improves ease-of-use for both business users and consumers, allowing them to forget about the operating system and focus on the task at hand. Starting Aug. 20th, current users can upgrade to Parallels Desktop 10 for Mac at www.parallels.com/uk/upgradepd10. For new customers, Parallels Desktop 10 will be available for purchase at retail and online stores worldwide and via the Parallels website starting Aug. 26th."Millions of Parallels Desktop for Mac customers have come to expect ingenuity, ease of use and speed from Parallels and they will not be disappointed with Parallels Desktop 10," said Parallels President Jack Zubarev. "With Parallels Desktop 10 customers can enjoy new levels of productivity without having to worry about whether the app they need is available on a specific operating system — Parallels creates a world of compatibility at home, work and on the road." Parallels Desktop 10 will bring many of the announced features of Mac OS X Yosemite[1] to Windows and Windows applications, supporting iCloud Drive, iMessages and SMS text sharing from Windows, and control of virtual machines from Spotlight preview and Finder QuickLook. New ease-of-use improvements include Wizards that guide users through optimising their experience, improved performance and battery life, and improved usability between operating systems so that people can complete tasks more quickly. Parallels Desktop 10 gets out of the way so customers can think less about the tools being used and more about what's important. It also offers the choice and freedom to use whatever operating system fits your needs - including OS X Yosemite, OS X Mavericks, Mac OS X Mountain Lion, Windows 8, Windows 7, Chrome OS, Android and a number of Linux operating systems - all on one computer."Today we are seeing a shift in consumer behaviour. Users' expectations are that they should be able to simply run any application they need regardless of operating system," said Laura DiDio, ITIC Consulting. "Parallels Desktop 10 for Mac is helping customers realise this goal by offering best-in-class virtualisation software and cross-platform access tools for consumer, SMB and enterprise users."Parallels Desktop for Mac Enterprise EditionParallels is also updating Parallels Desktop® for Mac Enterprise Edition — the best way to provide Windows applications on Macs in a corporate environment. Now IT managers can support Windows applications for Mac users with a configurable, policy-compliant solution that easily fits into existing IT business processes. New features allow administrators to select and enforce a USB device policy, install OS X guests using a NetBoot image from a server on the corporate network, encrypt OS X virtual machines with the help of the FileVault encryption feature built into OS X, and check the status of licenses and reclaim seats directly. Built upon the world's best-selling Mac desktop virtualisation solution, it adds centralised administration and management capabilities as well as enhanced security to keep IT in control of virtual machines.New Features and ImprovementsRegardless of whether it's ease-of-use, increased productivity, or better performance, Parallels Desktop 10 for Mac offers improvements across all fronts:Performance and Optimisation:Users can now open Windows documents up to 48 percent fasterBattery life is extended by up to 30 percent giving people additional work time when they need it mostVirtual machines use up-to 10 percent less Mac memoryNew virtual machines with default settings launch Office 2013 applications up to 50 percent fasterVirtual machine only takes as much disk space on the Mac hard drive as it needs. Real-time optimisation automatically compacts virtual disk eliminating the need for periodic manual compacts. Free Disk Space Wizard allows users to review and clean up space used by Parallels Desktop and Virtual MachinesEasy to get started:Now with one click users can select from a number of choices to optimise their virtual machine based on what their primary usage is: productivity, games, design or development The new Parallels Control Centre is a one-stop-shop for managing Parallels Desktop; it allows users to manage all their virtual machines and configuration settings from a single placeWindows installation has been streamlined, with new ways to configure virtual machinesRegional settings from the Mac are now set by default in Windows virtual machinesSeamless integration for best user experience: Users can share files, text or web pages from Windows using Internet accounts configured on their Mac such as Twitter, Facebook, Vimeo, Flickr; or send them via email, AirDrop and Messages. When users install a new Windows application, its icon will automatically be added to the OS X LaunchpadThe unread email indicator on Outlook lets users see at a glance the number of unread emails in Outlook, just like with Apple MailUsers can drag and drop files to the virtual machine icon in the Dock to open in WindowsUsers also have the ability to easily restore any setting to its default value by clicking the Restore Defaults button in the Virtual Machine Configuration windowUsers can drag and drop files to Mac OS X virtual machinesWhat Customers are Saying About Parallels Desktop 10 for Mac"Parallels Desktop 10 is - quite simply - remarkable. I've been a user of Parallels Desktop since version six," said Steven Z."I installed OS X Yosemite Developer Preview as a virtual machine (VM) within Parallels Desktop 10. It works like a dream. I like the idea and ability to configure before launching a VM. I love the Parallels Desktop Control Centre - it looks elegant. I especially like the option to use compact or expanded views. Installation and integration is seamless. I installed Windows 7 and this worked flawlessly within Parallels Desktop," said Mike B."Parallels Desktop 10 running Windows 7 Ultimate is running great! I love the smooth interface between Windows on Parallels Desktop and going to my Mac OS," said Roland S.Availability and PricingParallels Desktop 10 for Mac is available beginning Aug. 20th, as an upgrade for current Parallels Desktop for Mac users. The full version will be available to new customers on www.parallels.com/products/desktop starting Aug. 26th. Packaged software will also be available worldwide starting on Aug. 26th. The standard retail price (SRP) of Parallels Desktop 10 for Mac is £64.99, and the Student Edition is available for £32.95. Upgrades for existing Parallels Desktop 8 or 9 for Mac customers are £34.99. Parallels Desktop 10 for Mac customers receive a complimentary three-month subscription to the Parallels Access app (www.parallels.com/products/access) for up to 5 Macs and PCs and an unlimited number of iOS and Android mobile devices.Parallels Desktop for Mac Enterprise Edition software is available via www.parallels.com/products/business. Parallels Mac Management (http://www.parallels.com/products/mac-management) plugin for Microsoft System Centre Configuration Manager (SCCM) extends your existing SCCM infrastructure to discover, enrol and manage Macs just like you do PCs, through a single pane of glass. From deploying Mac OS X images to managing virtual machines running in Parallels Desktop for Mac Enterprise Edition, it's everything you need to be a Mac management expert.About ParallelsParallels is a global leader in hosting and cloud services enablement and cross platform solutions. Parallels began operations in 2000 and is a fast-growing company with more than 900 employees in North America, Europe, Australia and Asia. Visit http://www.parallels.com/ for more information.Stay connected with Parallels and our online communities: Like us on Facebook at www.facebook.com/parallelsdesktop, follow us on Twitter at www.twitter.com/parallelsmac, and visit our blog at http://blogs.parallels.com/consumertech. Media Contacts:John Uppendahl, Vice President of Communications, juppendahl@parallels.com, 425.282.1734Keely Hopkins, Bite Communications for Parallels, keely.hopkins@bitecommunications.com, 415.365.0361[1] Parallels Desktop 10 for Mac and Parallels Desktop 10 for Mac Enterprise Edition has experimental support for many of the features of OS X Yosemite Developer Preview, bringing them to Windows and Windows applications. However, we do not provide technical support for it at this time. Parallels plans to fully support OS X Yosemite in Parallels Desktop 10 when Yosemite becomes commercially available.Parallels and the Parallels logo are registered trademarks of Parallels IP Holdings GmbH in the United States and/or other countries. All other trademarks are the property of their respective owners.Source: RealWire
Heartbleed Detector, a Chrome browser plug-in and an Android mobile app, are accessible in the Chrome Web Store and Google Play app store. Security specialist Trend Micro announced the release of two free Heartbleed scanners for computers and mobile devices designed to verify whether they are communicating with servers that have been compromised by the Heartbleed bug. The solutions, Heartbleed Detector, a Chrome browser plug-in and an Android mobile app, are accessible in the Chrome Web Store and Google Play app store. The Heartbleed security bug was found in the open-source OpenSSL cryptography library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. A fixed version of OpenSSL was released on April 7, at the same time as Heartbleed was publicly disclosed, however, several security experts have cautioned against users changing passwords until more information about the nature and extent of the breach becomes available to consumers. At that time, some 17 percent (around half a million) of the Internet's secure Web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. "Trend Micro has responded to the Heartbleed threat by offering tools to all Internet users as a solution to protect their personal data," Raimund Genes, chief technology officer at Trend Micro, said in a statement. "With in-app purchases and financial transactions on mobile devices becoming the norm, Trend Micro felt it was vital to offer users a solution designed to enable them to continue operating their devices without worry." Available for Mac and Windows-based computer users, the Trend Micro Heartbleed Detector is a multi-platform plug-in for Chrome that enables users to check for vulnerable URLs and installs with a single click. Trend Micro researchers have also discovered that mobile apps are just as vulnerable to the Heartbleed bug as Websites. To mitigate this threat, Trend Micro has developed the Heartbleed Detector to check apps on a user’s device and the servers they communicate with, to determine if installed apps are vulnerable to the OpenSSL bug. If vulnerable apps are found, the detector then prompts the user with the option to uninstall the app. "Heartbleed is a problem that may never entirely go away, but we are committed to providing and updating our solutions to best protect the data of our customers, and provide essential security on each device they use," Genes said. Earlier this week Trend Micro announced major upgrades to its Complete User Protection solution, which spans PC and mobile endpoints, email and collaboration, and Web security to enable integrated visibility and threat response. Refreshed vulnerability protection capabilities proactively protect against exploits directed at operating system and application vulnerabilities until patches can be deployed, while improved endpoint encryption includes preboot authentication and management for Windows Bitlocker and MacOS FileVault native disk encryption.
Self-encrypting drives as well as Windows BitLocker and Mac FileVault encrypted devices can now all be managed from the cloud. Simply having an encrypted device is not enough to satisfy regulatory compliance requirements, enterprises need to also be able to manage encrypted devices. It's a challenge that encryption management vendor Wave Systems is tackling with its Wave Cloud solution. Wave Systems this week launched its Wave Cloud 2014 solution enabling enterprises to manage self-encrypting drives (SED) as well as Windows BitLocker and Mac FileVault devices. Most companies are deploying encryption to meet compliance requirements, and that requires proof that a given device is in fact encrypted, Wave Systems CEO Steven Sprague told eWEEK. "An enormous advantage of using a cloud service like ours to manage machines is that you can prove to the regulators that a device was encrypted when it was lost," Sprague said. "Because once a device is lost, you no longer have the device." Enterprises should think of Wave Cloud as an access control solution for encryption rather than thinking about it as a solution that manages encryption keys, Sprague said. "The keys never actually leave your local device," Sprague said. "In BitLocker and FileVault, the keys are held within the operating system, and with SEDs they are held within the drive controller silicon." What Wave Cloud is managing then are the credentials to gain access to a given machine or SED and then have that machine properly mount its own encryption keys. As such, with an SED for example, Wave Cloud controls the list of authorized users that can unlock the device. The other key capability that Wave Cloud provides is for lost passwords "What happens when you fire an employee at 5 o'clock, then at 6 o'clock, you realize you need to unlock his laptop," Sprague said. "Some mechanism for a recovery key is important." One feature that Wave Cloud does not provide is the ability to remotely wipe a device when lost. In Sprague's view, remote wipe is not an effective solution to the problem of lost or stolen encrypted devices. "If you lose your machine and the entire operating system is encrypted, the only time you would have the opportunity to wipe the machine is if a really dumb thief guesses your password and puts your machine on the Internet," Sprague said. "What's more important than remote wipe is the ability to remotely change a user's password." Sprague noted that if an administrator changes a user's password by mistake, they can roll back the change. Rolling back a device-wipe is not as easy. NSA Impact Recent revelations about the U.S. National Security Agency (NSA) being able to intercept and read encrypted data are actually increasing demand for Wave System's solutions, according to Sprague. "In Europe, the use of encryption will rise, since the effectiveness of network security is going down," Sprague said. Sprague argued that the NSA has done an effective job of network monitoring, which is why encryption is more important than ever before.

He added that the big question for many will be about where a given cloud is hosted.

The NSA could potentially get a court order to view material hosted by a U.S. cloud provider. What Sprague sees happening is individual enterprises and large corporations running their own managed encryption services. It's a model for which Wave Systems is also prepared. "Our service already supports the concept that an enterprise can get started quickly in the cloud and then can migrate to an on-premises enterprise solution," Sprague said. That said, while there are some concerns about government snooping, Sprague argued that's not the primary driver for encryption overall. "For the vast majority of users, it's not about encryption for the purposes of protecting data from a nation-state," Sprague said. "It's about being able to prove that a device was encrypted when lost." Sprague added, "So when a machine is lost, you can assert that all the records that were on the device were actually encrypted." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.