Huawei tipped to make it big in 2016

The balance of power among Chinese manufacturers has changed in late 2015. For a number of years now, it was Xiaomi that led the pack of small Chinese upstarts trying to make it big in the global market, and Huawei was viewed as a telecommunications company that sold smartphones on the side. Fast forward to the end of 2015 and looking at 2016 in perspective, Huawei is setting the pace to become the biggest China-based phone maker ever, and the signs are that it will be for a good bit of time.

Huawei has recently put out some impressive numbers for its third quarter finances and sales. It has sold 27.4 million smartphones worldwide for Q3 of 2015, up 63% from the year before. In China, Huawei’s own market and one that is growing by the minute, Huawei’s shipments rose a huge 81%. But perhaps more importantly for the company’s bottom line, Huawei sold a lot more mid-to-high-end products, which boosts better specs, with higher price tags, and thereby got solid margins.

In 2014, Huawei generated over USD$46.5 billion in revenue – due largely to sales of telecommunications and networking equipment, but that is bound to change now as Huawei branches out into better markets, and not primarily of sales in China. Huawei sells about half of its smartphones outside of its home country. They have made strategic marketing investments in high-growth markets like Latin America and the Middle East, but they have also kept up numbers in more mature markets that are important for visibility, like Western Europe, Australia, and the US.

6pfb

In July, it was revealed that Huawei, not Xiaomi, was the world’s third-largest smartphone maker – just behind leaders Samsung and Apple. Samsung’s shipments were down 2.3% year-over-year, but Huawei’s shipments were up 48.1% during the same period. “For Huawei, they have been one of the more impressive smartphone makers this year and I expect they will continue this momentum right into 2016,” says IDC program director and market analyst Ryan Reith. “Huawei will most likely be the first Chinese smartphone maker to surpass 100 million shipments in a year ever. Most people thought this would have been Xiaomi.”

So with rumors coming out that Google seems to have been happy with Huawei enough to give them another shot at the 2016 Nexus phone, the future seems unbelievably bright for Huawei. The Nexus 6P has been well-received and Google seems to have no particular reason to switch manufacturers at this stage. And with Huawei bringing their Honor sub-brand into North America, we can only see good things coming for the Chinese company.

Tags: , , , ,

Must-see talks from 2015’s Chaos Communication Congress hacker conference

def8009f-d22a-494f-b05f-fe54884efbf1.jpg

Image by Thorsten Schroeder

This year’s Chaos Communication Congress (32C3: Gated Communities) featured four days of superb talks and discussions on hacking and politics, and lucky for those who couldn’t attend, the legendary infosec conference already has its talks recorded and ready to view online.

Much ado was made about the talk on train hacking and the passionate panel on Wassenaar. The talk that caught that caught my eye was “New memory corruption attacks” (printbf), which some are seeing as the drop of a “new” attack vector, and likely has a handful of attackers doing a happy dance well into 2016. My favorite talk, though more entertaining than purely technical, was Ryan Lackey’s history of data havens, notably the Haven.co project.

Previous CCC coverage highlights:

There were so many presentations this year, it’s hard to know where to start. Do peruse our shortlist of recommendations below, and definitely look at CCC’s 32C3 talks and videos, which are available to watch here on its media website. Note that the last few talks aren’t edited yet due to a snafu, but watch @32C3streaming for updates (or watch them unedited here).

Talk: New memory corruption attacks: why can’t we have nice things?

If you want to have your mind somewhat blown about this topic, skip to the last ten minutes of this talk:

Memory corruption is an ongoing problem and in past years we have both developed a set of defense mechanisms and novel attacks against those defense mechanisms. Novel defense mechanisms like Control-Flow integrity (CFI) and Code-Pointer integrity (CPI) promise to stop control-flow hijack attacks. We show that, while they make attacks harder, attacks often remain possible. Introducing novel attack mechanisms, like Control-Flow Bending (CFB), we discuss limitations of the current approaches. CFB is a generalization of data-only attacks that allows an attacker to execute code even if a defense mechanism significantly constrains execution.

More info: printbf talk materials See also: Rowhammer.js: Root privileges for web apps?

Talk: How Open Source Software, second hand laptops and hackers helped stop Ebola (and stopped an apocalypse)

This final-day talk is still unedited, but it’s well worth watching the video here on CCC’s “relive” page. Infosec professionals Salton Arthur Massally, Harold Valentine Mac-Saidu, Francis Banguara, and Emerson Tan give an amazing presentation on how local hackers innovated to create an information management system that played a critical part in stopping Ebola in Sierra Leone:

In the face of apocalyptic scenario, a company made up of local hackers took on the unprecedented challenge of building, implementing and running a huge Management Information System and Mobile payments system to keep the health system from collapsing. This talk will show how this was achieved with Open Source Software, second hand laptops, hacked voter registration machines, second hand smartphones and some very smart and determined young people used to achieving great things with none of the resources we take for granted.

Talk: Replication Prohibited

If you’ve worried about people using 3D printers to make copies of keys, then this talk is an all-you-can-eat buffet of bad news. It’s also an early wake-up for organizations who rely on old-fashioned physical security measures to protect IP. Presenter Eric Wustrow writes:

Physical keys and locks are one of the oldest security mechanisms still employed today. In this talk, we will discuss how 3D printing keys enable attacks against many modern lock systems. We will describe projects researchers and hobbyists have done involving 3D printed keys, and present our own research on automating several of these attacks in order to demonstrate how easy they are to do.

Talk: Datahavens from HavenCo to Today

Ever want to have your own island, that was its own country, in order to protect your own damn data? You’re not the only one. This talk is so much fun, and gives previously unseen insight into how powerful data distribution is as a tool for resisting censorship. Ryan Lackey explains:

Datahavens have long been discussed as a solution to user security and Privacy needs. Instinctively, the idea of physical locations where servers for communications, financial Privacy, and other services can work is easily understood and seems appealing. As a founder of the HavenCo datahaven on Sealand in 2000, I saw firsthand the potential and the pitfalls of this approach.

Talk: The Great Train Cyber Robbery

ICS hacking is all the rage: For background, read Nuclear nightmare: Industrial control switches need fixing, now:

For years SCADA StrangeLove team speaks about vulnerabilities in Industrial Control Systems. … Railroads is a complex systems and process automation is used in different areas: to control power, switches, signals and locomotives. At this talk we will analyze threats and vulnerabilities of fundamental rail-road automation systems such as computer based interlocking, automatic train control and automatic train protection.

Talk: Collect It All: Open Source Intelligence (OSINT) for Everyone

Researcher M. C. McGrath has a lot to offer when it comes to putting together profiles, which is either unsettling, instructive for privacy nerds and raising awareness, risk assessment, or just extremely helpful for reporters, detectives, and more. McGrath’s own description says:

Governments post reports and data about their operations. Journalists publish documents from whistleblowers. But there is a third type of open data that is often overlooked- the information people and companies post about themselves. People need jobs. Companies need to hire people. Secret prisons do not build themselves. By making it feasible for anyone to collect public data online in bulk and exploring ways to effectively use this data for concrete objectives, we can build an independent, distributed system of accountability.

Talk: The Perl Jam 2

Hacker Netanel Rubin first describes his talk as “tl;dr EXPLOIT ALL THE PERL. AGAIN.” Further, he explains, “After last year’s Perl crackdown, I decided I have to take the Perl abuse to the next level. This time I focused on Perl’s core, or more specifically, the referencing mechanism, and shattered the security of most Perl CGI projects in the world.”

Further recommendations:

Special thanks to Max Fiestl at the Peerlyst blog for his tips on CCC talks.

Microsoft pledges to inform users of state surveillance, account hacking

Microsoft has pledged to inform users if their online communications are being targeted and monitored by government entities and state actors.

Following the trail blazed by Facebook, Twitter and Google, the Redmond giant says the firm will notify users if any part of their Microsoft account — including Outlook.com email and OneDrive has been “targeted or compromised by an individual or group working on behalf of a nation state.”

Microsoft already tells users when alerts flag up suggesting accounts have been hacked by third parties, but on Wednesday, Microsoft Vice President Scott Charney said the company is willing to take additional steps to protect the personal information of its users.

More security news

The company says the attention of “state sponsored” entities is dangerous as it is likely government or state-based hackers will have access to tools and resources beyond your homegrown hacker.

While quick to point out such attention doesn’t mean that Microsoft’s own security or systems are necessarily compromised when an alert is issued, it does mean that users should take extra precautions if they attract these sorts of characters.

Additional steps to ensure your accounts remain safe can include turning on two-step verification — such as linking your account to your smartphone — changing passwords regularly and keeping an eye out for suspicious activity through the “Recent Activity” page on your Microsoft account.

Another way to keep your personal data and accounts safe is a simple one — be wary of opening suspicious emails and both clicking on links and downloading attachments held within. Known as phishing campaigns, fraudulent emails which deliver malware payloads on to victim machines or direct users to malicious websites are a common tactic used to steal user credentials as well as compromise their systems and overall privacy.

If Microsoft users receive an alert forewarning them of state interest in their account, this doesn’t automatically mean their accounts have been hacked. As explained by Charney:

“If you receive one of these notifications it doesn’t necessarily mean that your account has been compromised, but it does mean we have evidence your account has been targeted, and it’s very important you take additional measures to keep your account secure.

You should also make sure your computer and other devices don’t not have viruses or malware installed, and that all your software is up to date.”

While Microsoft will not reveal the threat actors behind state-sponsored attacks or their methods — as the information may be “sensitive,” — the company will let you know when hacking attempts come from these sources.

The Redmond giant is not the only company to begin warning users of state-sponsored attacks in recent weeks. Earlier this month, Yahoo also joined the cause, pledging to tell account holders when their data is being targeted by state-based threat actors.

Read on: Top picks

Tor Project launches bug bounty program

Anonymizing network Tor has secured the help of sponsors to launch a bug bounty network designed to stamp out vulnerabilities which may risk user privacy.

screen-shot-2015-12-31-at-12-21-57.png

The new bug bounty program is due to start in the new year, launching first as an invite-only scheme before opening up fully to researchers.

The Tor Project is a non-profit organization which operates the Onion network, a relay-and-node system designed to make user tracking online very difficult.

The network is used by activists, researchers, journalists and users attempting to circumvent censorship set in place by governments, and at the same time, is a thorn in the side for law enforcement.

While Tor’s setup makes it very difficult to track down users, no system is completely full-proof. In July, reports surfaced revealing researchers had developed a method to uncloak users called “circuit fingerprinting.” While now fixed, the situation highlighted how important it is for the network to maintain high levels of security — and external eyes can potentially find bugs that Tor’s volunteers cannot.

What’s Hot on ZDNet

Security flaws can not only be exploited by attackers but also sold on for use by governments and intelligence agencies. Exploit broker Zerodium, for example, offers up to $30,000 for previously unreported zero-day vulnerabilities impacting the Tor network.

Bug bounties are a means to draft in additional help from security professionals to patch these problems. Offered by companies ranging from Google to Microsoft, bug bounties offer credit and sometimes financial rewards to researchers for reporting problems rather than selling them on in the underground or publishing them publicly before firms have a chance to fix issues.

See also: Bug bounties: Which companies offer researchers cash?

The Tor Project’s new bug bounty program was announced during the “State of the Onion” talk at the Chaos Communication Congress conference, held in Hamburg, Germany.

As reported by Motherboard, the non-profit said that vulnerabilities “specific to our applications” will be included within the program.

There are no details currently available on the rewards offered to researchers who report Tor flaws — whether it be cash or credit — but the organization does have help in luring external experts to contribute to the surveillance-thwarting network.

The Open Technology Fund (OTF), an institution which issues grants for projects and ideas which “change in the Internet landscape” has signed on as a sponsor to support the bug bounty program.

OTF works with companies which improve access to the Internet, offer tools to circumvent blocks as well as improve security and privacy. As Tor’s full focus is on scrubbing away the digital footprints of users and enhancing individual privacy, it is a candidate for funding by OTF.

Nick Mathewson, co-founder, researcher, and chief architect of the Tor Project told the publication:

“We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved.”

In a recent interview with Tor, former US National Security Agency contractor Edward Snowden called Tor a “critical technology” which resists the surveillance efforts of governments and assists in defending the public’s right to privacy.

“The design of the Tor system is structured in such a way that even if the US government wanted to subvert it, it couldn’t because it’s a decentralized authority,” Snowden said. “It’s a volunteer based network. Nobody’s getting paid to run Tor relays — they’re volunteers worldwide. And because of this, it provides a built-in structural defense against abuses and most types of adversaries.”

Last month, the non-profit launched a fundraising effort in the hopes of securing additional investment to improve and shore up the defenses of the anonymizing onion network as well as launch “educational” projects. Current sponsors of the network include Reddit and the National Science Foundation.

Read on: Top picks