воскресенье, 29 июля 2012 г.
суббота, 28 июля 2012 г.
MOBILE SECURITY ENGINEERS/HACKERS WANTED (IN A GOOD WAY)
The mobile industry is relatively new, rapidly expanding and ever changing. New platforms and system updates are being rolled-out constantly. Additionally, applications are continually being developed for mobile devices as apps are the primary way to manage both consumer and corporate information. As a result, there is a tremendous need for highly specific and ever advancing security expertise. viaForensics leverages deep mobile expertise to assist companies and agencies protect critical information. Simultaneously, the same proficiency that makes us effective at securing data allows us to assist the law enforcement community with regards to data acquisition needs.
OPPORTUNITY
viaForensics is experiencing tremendous growth in both commercial and government markets. We work in a very exciting environment as the need for mobile security expertise is exploding and our expertise is highly sought after. As a result we are currently looking for a highly motivated, career oriented mobile security and forensics professionals to join the team.The company was founded in 2009 and we have grown without outside investment. We are headquartered in the Chicago, IL area and have employees across the US as well as in the UK. Our current needs require individuals able to work from our headquarters or from the Washington D.C. area.
DESCRIPTION
The successful candidates will work as part of a team in order to:- Understand the strengths and weaknesses of data security related to applications.
- Forensically acquire data stored on mobile devices.
- Examine transmitted and stored data for personally identifiable information (PII) and/or mobile application artifacts.
- Present specific intelligence on the data risk profile of applications when in actual use.
- Utilize white hat hacking techniques and penetration testing to target mobile applications and test their security.
- Upon establishment of vulnerabilities, work to identify key strategies for remediation.
- Create technically sound and actionable reports for customers.
- Continuously monitor the state of the mobile security industry with an eye towards innovation.
- Work with R&D to assure continuous upgrades to existing offerings and the development of new cutting edge mobile security solutions.
- Communicate effectively with customers to make sure all concerns are addressed and projects are delivered flawlessly.
EXPERIENCE REQUIRED/PREFERRED
- Extensive IT security experience
- 2+ years of experience in mobile security and/or secure mobile development
- Government clearances a major plus
- Experience with some or all of the following: Python, C/C++, Java, Objective C, Ruby, PHP, Assembly
- Network, application and/or web pen testing experience a plus
- Reverse engineering, especially mobile, a plus
- Software development fundamentals (follow standards, proper design, source control)
- Strong communication skills and a high level of professionalism
- High integrity, no criminal history or drug use
- Ability to work independently and with a team
- Applicable Certifications include: CISSP, CISM, CFIP, CEH, GCFA, CCE, OSCP and related
Please send resumes to:
Andy Wolkstein
Sr. Director of Business Services
+1 (312) 878-1100
О механизмах блокирования Android-устройств
О механизмах блокирования Android-устройств - I
Большинство существующих инструкций и процедур, предписывают строгое соблюдение правил при расследовании инцидентов в отношении мобильных устройств. Все они варьируются на основе функциональных особенностей таких устройств, связанных архитектурными подходами к управлению потоками данных, а также пользовательскими сценариями. Наиболее популярные пункты таких предписаний обычно гласят, что устройство должно быть переведено в состояние, при котором оно не сможет взаимодействовать с беспроводными сетями или же будет подключено к постоянному источнику питания, (стирание данных с устройства при отсутствии питания считается одной из практик обеспечения защиты информации). Несмотря на это, общие подходы к расследованию инцидентов очень сильно меняются от платформы к платформе, от очередного революционного GUI к другому. Тем более это актуально в условиях набора неизвестного ПО, которое может включать вредоносный код, например, удаляющий данные при отсутствии подключения к серверу управления. Данная статья рассматривает защитные механизмы Android-платформы по блокированию устройств, известные как «Password Lock Protection» и «Pattern Lock Protection», которые могут создавать препятствия при доступе к устройствам, и требуют специального подхода к ведению процесса расследования при соответствии процедурам.
Password Lock Protection
Данный защитный механизм известен давно и представляет собой защиту на основе пароля, введённого пользователем. Подобный механизм может осуществлять как обычную защиту от доступа к устройству, так и расширяться, увеличивая значимость обладания последним. Наиболее известные примеры приведены ниже: • блокирование по истечению определённого (заданного) временного интервала; • удаление данных после определённого (заданного) количества неудачных попыток ввода пароля; • шифрование файловой системы на основе ключей, сгенерированных на основе пароля. Пароли для Android-устройств создаются с применением буквенно-циферного множества символов в отличие от подвида, известного как «PIN Lock Protection», который ориентирован на применение только цифрового множества символов.
Pattern Lock Protection
Этот механизм блокирования устройств известен более высокой степенью адаптации под мобильные устройства (имеются в виду touch или multi-touch устройства, естественно) нежели парольная защита, т.к. ввод спецсимволов в купе с редуцированной клавиатурой понижают скорость разблокировки при частом блокировании экрана, а через некоторое время и само желание его блокировать. Последнее часто приводит, к тому, что пользователи начинают применять более простые пароли, не отвечающие требованиям безопасности (сложности). В данном механизме защиты для разблокирования пользователи «рисуют» шаблон (см. рисунок ниже), созданный ранее, и если он корректен, то процесс разблокировки является успешным
Способы противодействия
Поддержание активности устройства
Для Android-устройств разброс границ типичного временного интервала, по истечению которого устройство блокируется с использованием парольного механизма, обычно варьируется от нескольких секнд до 15 минут. Хоть это и довольно короткий промежуток времени, но его может вполне хватить для получения полного доступа к устройству без необходимости ввода пароля. Поэтому, если устройство находится в этом состоянии, и необходимо получить к нему доступ, то первым делом нужно увеличить временной интервал появления экрана блокировки. Типичное название раздела, где располагается подобная настройка, может иметь название «Display Screen Timeout/Lock». В зависимости от локализации и модели телефона, оно может варьироваться, ровно также как и наличие элемента «Отключить тайм-аут», который может быть заменён на элемент, соответствующий максимальному временному значению. В этом случае, останется только периодически подвергать устройство минимальной активности, однако следует иметь в виду, что данная активность не должна влиять на запуск/остановку процессов и программ, это может привести к изменениям в системе, которые не смогут быть учтены и тем более отражены в протоколах. Учитывая, что последнее является обязательным пунктом, то, даже факт отключения записи времени блокирования, да и, в принципе, любая совершаемая активность должны протоколироваться. Также интересны опциональные настройки «Enable USB debugging» и «Stay awake», первая из которых позволяет получать доступ для извлечения данных, в то время как вторая, не позволит подключенной к зарядному устройству Android-платформе уходить в т.н. «спящим режим», препятствуя, таким образом, появлению экрана блокировки. Также первая настройка тесно связана с консольной утилитой «Android Debug Bridge (ADB)», которая позволяет производить установку и удаление приложений, копирование файлов с/на устройства(-о), а также извлечение дополнительной информации о логах или запущенных процессах.
Легальное блокирование
Около года назад исследователь по информационной безопасности Thomas Cannon [http://goo.gl/skVol], разработал механизм, который легально позволяет блокировать появление экрана блокировки, и основан на использовании стандартного API, доступного для разработчиков. Он же применяется и для отключения возможности блокировки экрана при наступлении таких событий, как входящие или исходящие звонки.
Разблокировка посредством Google-аккаунта
Данный механизм создавался на случай превышения лимита (как правило, 10) неудачных попыток ввода пароля/пина на устройстве. При наступлении такого события появляется диалог, который запрашивает почтовый логин и пароль, с которых было зарегистрировано устройство, с целью сброса текущего способа блокировки. Интересно, что данный механизм не требует подключения к сети, поскольку Android-устройства кэшируют эти данные и, соответственно, сравнивают их с введёнными без обращения в сеть. Разблокировка при наступлении «особого» события Как правило, таким событием может быть постановление суда, обязующее корпорацию Google разблокировать устройство. Несмотря на высокую вероятность данного события, Google требует онлайн-присутствия устройства, что может повлечь за собой определённые риски, стирания или модификации хранимых данных. Здесь правильным с точки зрения методик, принятых в криминалистике, будет использование WiFi канала вместо EDGE/3G. Это позволит технически прибегнуть к протоколированию трафика с применением утилит, типа сниффер, с целью организационно отметить факт происходящих изменений в процессе разблокировки либо последующего изучения полученных данных.
Отпечатки пальцев
Известна научная работа ряда авторов - Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith - «Smudge Attacks on Smartphone Touch Screens» [http://goo.gl/XvULn], согласно которой были проведены эксперименты по изучению экранов Android-устройств в трёх состояниях: 1. «из коробки»; 2. после некоторого количества использования механизма разблокирования «Pattern Lock Protection»; 3. после попыток удаления следов пользования данным механизмом. Данный эксперимент представляет собой идеализированную модель, т.к. не была оценена степень влияния клавиатуры как неотъемлемого элемента использования устройства. На практике это может привести к неточному извлечению результатов в определении направлений пользовательского рисунка при разблокировании устройства (механизм «Pattern Lock Protection»). Основная модель атаки подразумевает собой вариант фотографирования экрана с повышенной контрастностью. Также работа отмечает, что попытки удаления следов пальцев эффективно противодействуют данной модели атаки.
О механизмах блокирования Android-устройств - II
Предыдущая статья о механизмах блокирования Android-устройств содержала анализ механизмов блокирования, характерных для платформы Android. Механизмы, известные как «Pattern Lock» и «Password Lock» были также рассмотрены в статье Forensics Focus. Оба механизма могут быть использованы в качестве способов обойти защитные механизмы Android-устройств при криминалистическом исследовании.
Механизм блокировки «Pattern Lock» представляет собой множество жестов, которые обладатель устройства может совершить для его разблокировки. Такое множество содержит 895824 комбинаций возможных жестов. Как было сказано в прошлой статье, набор перемещений между 9 точками при создании пароля-жеста, всего лишь представляет числовую комбинацию, но все же лучше, чем 4-значный PIN-механизм. Эта числовая комбинация программно обычно выглядит как строковая комбинация «1→2→3→4→5→6→7» с отсчётом от нуля в шестнадцатеричном (hex) виде, т.е. «0х00→0х01→0х02→0х03→0х04→0х05→0х06». Однако, при хранении этой комбинации используется hash-значение от hex-представления, получаемое при применении алгоритма SHA1, например «0×82 0×79 0x0A 0xD0 0xAD 0xEB 0×07 0xAC 0x2A 0×78 0xAC 0×07 0×03 0x8B 0xC9 0x3A 0×26 0×69 0x1F 0×12». Итоговый результат (хеш-значение) хранится в файле «/data/system/gesture.key».
Механизм блокировки «Password Lock», в отличие от предыдущего, основан на применении пользователем символов, состоящих из набора цифр, букв и специальных символов, количество комбинаций которых на порядки больше, чем предыдущее, поэтому создание словаря может не дать эффективного решения задачи обхода механизма. Здесь подход со стороны платформы к хранению и размещению пользовательского парольного файла ничем не отличается от описанного выше способа хранения: Итоговый результат (хеш-значение), полученный от применения алгоритма SHA1, хранится в файле «/data/system/pc.key».
Так как указанный файл расположен во внутреннем хранилище устройства (не на карте памяти), в папке «data/system», то по умолчанию к нему нет прямого доступа. Чтобы к нему добраться, потребуется утилита ADB, права root на доступ к файловой системе и активированная опция «USB Debugging mode». Получив возможность взаимодействовать с обоими файлами «gesture.key» и «pc.key», можно осуществлять подмену файлов на заранее заготовленный файл с известным паролем или набором жестов, либо же удалить эти файлы, сняв таким образом защиту устройства.
Специалистами Forensic Focus было потрачено всего несколько минут, чтобы получить словарь всех комбинаций для обхода механизма «Pattern Lock» от 1234 до 987654321. Сам словарь можно скачать по ссылке.
Опубликовано [http://advancedmonitoring.ru/article]
GoogleSharing :: A Special Kind Of Proxy
http://www.googlesharing.net/
GoogleSharing is a special kind of anonymizing proxy service, designed for a very specific threat. It ultimately aims to provide a level of anonymity that will prevent Google from tracking your searches, movements, and what websites you visit. GoogleSharing is not a full proxy service designed to anonymize all your traffic, but rather something designed exclusively for your communication with Google. Our system is totally transparent, with no special "alternative" websites to visit. Your normal work flow should be exactly the same.
The Basic Problem
Google thrives where privacy does not. If you're like most internet users, Google knows more about you than you might be comfortable with. Whether you were logged in to a Google account or not, they know everything you've ever searched for, what search results you clicked on, what news you read, and every place you've ever gotten directions to. Most of the time, thanks to things like Google Analytics, they even know which websites you visited that you didn't reach through Google. If you use Gmail, they know the content of every email you've ever sent or received, whether you've deleted it or not.
They know who your friends are, where you live, where you work, and where you spend your free time. They know about your health, your love life, and your political leanings. These days they are even branching out into collecting your realtime GPS location and your DNS lookups. In short, not only do they know a lot about what you're doing, they also have significant insight into what you're thinking.
Where GoogleSharing Comes In
GoogleSharing is a system that mixes the requests of many different users together, such that Google is not capable of telling what is coming from whom. GoogleSharing aims to do a few very specific things:
- Provide a system that will prevent Google from collecting information about you from services which don't require a login.
- Make this system completely transparent to the user. No special websites, no change to your work flow.
- Leave your non-Google traffic completely untouched, unredirected, and unaffected.
The GoogleSharing system consists of a custom proxy and a Firefox Addon. The proxy works by generating a pool of GoogleSharing "identities," each of which contains a cookie issued by Google and an arbitrary User-Agent for one of several popular browsers. The Firefox Addon watches for requests to Google services from your browser, and when enabled will transparently redirect all of them (except for things like Gmail) to a GoogleSharing proxy. There your request is stripped of all identifying information and replaced with the information from a GoogleSharing identity.
This "GoogleShared" request is then forwarded on to Google, and the response is proxied back to you. Your next request will get a different identity, and the one you were using before will be assigned to someone else. By "sharing" these identities, all of our traffic gets mixed together and is very difficult to analyze.
The result is that you can transparently use Google search, images, maps, products, news, etc... without Google being able to track you by IP address, Cookie, or any other identifying HTTP headers. And only your Google traffic is redirected. Everything else from your browser goes directly to its destination.
GoogleSharing Privacy
With all of your Google traffic being redirected to GoogleSharing for anonymization, there is the risk thatwe could become the ones who monitor, record, and track users. While our privacy policy is that we do not record, monitor, or log any user traffic, and while all of the source code for the GoogleSharing addon and proxy are open source, it is no longer necessary to trust that we (or any other GoogleSharing proxy operator) is behaving appropriately.
With Google's introduction of SSL support for search requests (encrypted.google.com), the GoogleSharing system now allows clients to checkout GoogleSharing identities and route encryptedtraffic through GoogleSharing to Google. So while client requests are anonymized by GoogleSharing, the actual traffic that the GoogleSharing proxy sees is encrypted to Google, and hence can not be monitored.
The result is that Google knows what is being searched for, but doesn't know where the requests are coming from. The GoogleSharing proxy can tell where requests are coming from, but can't tell what the content of the requests is. And the user can avail themselves of Google services without having to trust either Google or GoogleSharing.
GoogleSharing Transport
For the services where Google has still failed to provide universal HTTPS support, we have. All requests to a GoogleSharing proxy are sent via HTTPS. These eventually have to be proxied out as HTTP from GoogleSharing to Google, but your traffic is encrypted on the first path.
Running A GoogleSharing Proxy
We've made the proxy code available so that anyone can run a GoogleSharing proxy instance in addition to the one that we're running.
It Works
Just Like That
Why You Shouldn't Train Employees for Security Awareness
If there's one myth in the information security field that just won't die, it's that an organization's security posture can be substantially improved by regularly training employees in how not to infect the company. [Editor's note: See Joe Ferrara's recent article 10 commandments for effective security training.]You can see the reasoning behind it, of course. RSA got hacked from a Word document with an embedded Flash vulnerability. A few days later the entire company's SecureID franchise was at risk of being irrelevant once the attackers had gone off with the private keys that ruled the system.
But do phishing attacks like RSA prove that employee training is a must, or just the opposite? If employees and/or executives at RSA, Google, eBay, Adobe, Facebook, Oak Ridge National Laboratory and other technologically sophisticated organizations can be phished, doesn't that suggest that even knowledgeable and trained people still fall victim to attacks?
One of the best examples ever of the limitations of training is West Point's 2004 phishing experiment called "Carronade." Cadets were sent phishing emails to test their security. Even after undergoing four hours of computer security training, 90 percent of cadets still clicked on the embedded link.
Fundamentally what IT professionals are saying when they ask for a training program for their users is, "It's not our fault." But this is false--a user has no responsibility over the network, and they don't have the ability to recognize or protect against modern information security threats any more than a teller can protect a bank. After all, is an employee really any match against an Operation Shady RAT, Operation Aurora or Night Dragon? Blaming a high infection rate on users is misguided-- particularly given the advanced level of many attacks.
I'll admit, it's hard to find broad statistical evidence that supports this point-of-view--not surprisingly, security firms don't typically share data on how successful or unsuccessful training is to an organizational body, the way West Point did. But I can share a few anecdotes from my company's own consulting work that should shed some light on this problem.The clients we typically consult with are large enterprises in financial services or manufacturing. All of them have sophisticated employee awareness and security training programs in place--and yet even with these programs, they still have an average click-through rate on client-side attacks of at least 5 to 10 percent.
We also frequently conduct social engineering attacks against help desks and other corporate phone banks for customers. While each of the personnel in these security sensitive rolls has extensive training and are warned against social engineering attacks, the only thing that stops our testers are technical measures. In other words, if a help desk employee can technically change your password without getting a valid answer from you about your mother's maiden name, then a company like Immunity will find a way to convince them to do so.
We've also found glaring flaws--like SQL injection, cross-site scripting, authentication, etc.--in the training software used by many clients. This is more humorous than dangerous, but it adds irony to the otherwise large waste of time these applications represent.
Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization. Because they're going to do so anyway, so you might as well plan for it. It's the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee--and if these measures fail, that the network is properly segmented to limit the infection's spread.
Here's what organizations should do instead of wasting time on employee training:
Audit Your Periphery -- Websites, back-end databases, servers and networks should be thoroughly audited on a regular basis for vulnerabilities&msdash;both by internal security personnel and external pen-testers. They should be rigorously tested against current and most likely attacks. Had Citigroup's website been tested for basic web application flaws, it could have avoided the June 2011 attack that compromised 200,000 customer accounts. This is both cheap and easy to take off the table.
Perimeter Defense/Monitoring -- Robust perimeter defenses should be in place, and regularly tested. These should be protecting the network from both intrusions and data exfiltration. Data exfiltration monitoring should also be ongoing.
Isolate & Protect Critical Data -- What valuable information does your business store in online databases? Classifying business data should be near the top of the CSO/CISO's to-do list. He or she should thoroughly examine the information stored online and locate critical data offline or behind strict network segmentation.
Segment the Network -- Segment your networks and information so that a successful cyber attack cannot spread laterally across the entire network. Had RSA done this, it might have prevented the theft of its SecurID tokens. If one employee's PC is infected it shouldn't be able to spread laterally through the entire system.
Access Creep --What level of access does each employee have to the network and critical data? How well is this monitored? Limiting unnecessary access is another key element of an effective security posture.
Incident Response -- Proactively examine important boxes for rootkits. You'll be amazed at what you find. And finding is the first step to actually building a defense against "Advanced Persistent Threats."Strong Security Leadership -- For a company to have a CSO/CISO isn't enough. The chief security executive should have meaningful authority too. He or she should have "kill switch" authority over projects that fail to properly account for security, and real say over security's percentage of the budget. A strong security program should have at least the same budget as the marketing department.
There's a lot of money and good feeling in running employee training programs, but organizations will be much better off if the CSO/CISO focuses instead on preventing network threats and limiting their potential range. Employees can't be expected to keep the company safe; in fact it is just the opposite. Security training will lead to confusion more than anything else.
By following an offensive security program, companies can keep their networks, and employees, protected.
Dave Aitel, CEO of Immunity Inc., is a former 'computer scientist' for the National Security Agency. His firm specializes in offensive security and consults for large financial institutions and Fortune/Global 500s. www.immunityinc.com
пятница, 27 июля 2012 г.
The Exploit Magazine!
| ||
|
| Please spread the word about Hakin9. Hakin9 team wish you good reading! en@hakin9.org Hakin9.org Click here to unsubscribe Email marketing by  |
четверг, 26 июля 2012 г.
Security Writer Offer from eForensics Magazine
We are looking for practical articles that will meet the needs of other digital forensics professionals and enthusiasts who are looking for real-life solutions and want to observe the market. That kind of publication is a great chance for self-promotion among digital forensic community. Are you interested in details? Mail me back if so. kacper.bancerz@software.com.pl
Job Offer from SDJ (Software Developer's Journal)
If you would like to cooperate with Software Developer's Journal Magazine we have a special job offer for you:Software Developer's Journal is an online Magazine useful for everyone interested in programming, management, testing, development – both professionals (developers, testers, managers) and hobbyists.To satisfy our readers, we present the latest solutions, as well as older, proven technologies. We understand that the key question is 'how', so all the theoretical issues are illustrated with clear, practical examples and complete projects.We would like to make our Magazine well recognised and to reach as many people as possible so that more and more people know us and read our Magazines.We're looking for those of you who can help us to find people who might be interested in reading our Magazines on the forums, social networks, services and blogs.Would you like to work with us?If you like the challenges and you would like to try your marketing skills and earn money this job offer is for you!For more details contact: Angelika Gucwa angelika.gucwa@software.com.pl
суббота, 21 июля 2012 г.
Anti – Android Network Toolkit and 7″ Tablet make a $99 Pentesting Platform
I just picked up a 7? Polaroid tablet for $99 and was stunned at how good it works. The screen quality, how smooth it ran and how responsive it was. In some functions it works better than my trusty iPad that cost a whole lot more.
Well, I wanted to see how well the Android Tablet could work as a pentesting platform and found “Anti” the Android Network Toolkit by zImperium. I was stunned.
I just used the “Free” version, and within seconds I was looking at a network map of all the machines on my network. Anti runs nmap scans, including an intrusive scan to detect device Operating Systems and vulnerabilities. Once the scan is done, it can take a while, you can click on individual systems and are presented with a tool option menu. These options include:
Attack, DoS, Cracker, Replace Image, Spy, Man in the Middle
Some of the more advanced tools require you to purchase “Anti credits” to run them. But with the free version, you can view available networks, and run scans against them.
I ran it on my wireless network and was able to view a wired system. For a short period of time, I could see a text list of what websites the computer was visiting, and even images from the visited websites. The options even included “View Passwords”, but this did not seem to be enabled in the free version. Obviously it was working in some sort of Man-in-the-Middle mode to be able grab the information off of a wired lan system connected to a switch. Very interesting.
And this was just the free version, the paid versions reportedly includes remote exploit capability.
Anti also includes a reporting feature so you can keep a track of vulnerable systems found during your pentest. Using Anti on a cheap $99 Android tablet really opens up a lot of possibilities for pentesters.
Calling all Security Writers!
Now is your chance!
CyberArms is working with the hyper popular international security magazine “Hakin9” to create a new magazine called “ExploitMag”! This cutting edge security magazine will focus on:
- Metasploit Framework Console Exploits
- LAN Security for PMI
- Security flaws on WSDL, SOAP
- and DoS Attacks
Please e-mail me as soon as possible at cyberarms (at) live.com if you are interested in this ground breaking opportunity.
reblogged from [http://cyberarms.wordpress.com/2012/07/20/calling-all-security-writers/]
четверг, 19 июля 2012 г.
Web browser Forensics
Internet History Examination Tools
Recovering Safari browser history from unallocated
Safari browser cache - examination of Cache.db
Safari History - spotlight webhistory artefacts
Never mind the cookies lets carve the crumbs - Safari Cookie stuff
Safari Internet History round up
Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)
Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 2)
Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 3)
Microsoft Office 2013 preview: details, screenshots and impressions
More Info
Overview
Microsoft has made some subtle changes to the UI, and they're all quite important.
Spend enough time in Office 2013 and you'll notice dozens of visual flourishes that serve to give the software that extra bit of spit and polish. Office comes bearing glossy new icons, for one. Different apps like Word and PowerPoint have improved alignment guides, which become visible when you're inserting tables and other objects (we first noticed this while inserting a YouTube clip).
Getting started
Word
When you open Word for the first time, you'll notice some changes to that introductory start page. Now, the left-hand pane shows recent documents, while the area to the right showcases templates, some of them new. Of course, the thing you'll probably want most – a blank document – is still sitting in an easy-to-spot corner, toward the top of the screen.
Sticking with this tablet theme for a moment, Microsoft built in the same well-spaced touchscreen keyboard you'll find in Windows 8. We especially appreciate that the apostrophe is to the right of the "L" key, as it is on a physical keyboard. There's also a visible Ctrl key so that you can press Ctrl + S to save your work. Lastly, we had a good experience with the predictive spelling, which presents suggestions in the form of small, unobtrusive pop-ups.
Excel
PowerPoint
The rest of the new PowerPoint features are a motley bunch. You can merge shapes to create custom ones. In addition to using an eyedropper to select colors, you can also match a color to an accompanying photo. Music playback has also been improved so that you can now play a track in the background across multiple slides or the whole presentation. Additionally, Microsoft has expanded its list of supported media file types to include .MP4 files, meaning you can export to .MP4 as well as play such files natively without having to install QuickTime.
Outlook
In its current incarnation, Outlook still looks like, well, Outlook, but you'll notice that many of the options aren't immediately visible. Much like there's no fixed Start button in Windows 8, the flags in Outlook only appear if you hover next to a message with your mouse. Also new with this version: a weather bar stretching across the top of your calendar. You can manually change the location, but by default, Office shows only one set of weather forecasts at a time. Another, more miscellaneous change: if you've begun to respond to an email, but saved it as a draft, the word "Draft" will appear in red in your inbox, next to the message (yes, just like Gmail).
In news that will matter most to the IT guys reading this, Microsoft has improved the integration between Outlook and SharePoint so that SharePoint groups now have their own mailboxes. From here, you see documents stored on SharePoint without leaving Outlook. (To edit them, of course, you'll need to open the corresponding Office app.) We also appreciate that the reverse is also possible: you can drag and drop attachments into the docs folder for SharePoint and they'll upload to your team's site.
OneNote
Business apps
- Lync: Microsoft's messaging and video chatting client can now show up to five video streams simultaneously (previously, it could only handle multiple voices at once). By default, the active speaker will be promoted to the top. If more than five people are speaking, you can set Lync to prioritize whose video stream is being shown (those not featured will have photo thumbnails instead of a video stream). If you like, of course, you can also cherry pick whose video you're seeing.
- Publisher: With Publisher, you can now import all your pictures to a single canvas, making it easy to experiment with possible images. Microsoft has also added text, shape and picture effects; a Mailings tab in the Ribbon; and the ability to use your own photos as page backgrounds. As with other apps we've talked about, you can share a URL with people where they can view your work in the browser. The new feature for easily adding photos from online sources applies here, too.
- Visio: Office's standalone diagram creator gets updated shapes, as well as easier workflows for creating organizational charts and tweaking diagrams. Microsoft has also revised the app so that if you change shapes, you won't affect the entire diagram layout you've been working on.
Versions and subscription plans
- Office 365 Home Premium: Can be installed on up to five devices; users get an extra 20GB of SkyDrive storage; Word, PowerPoint, Excel, Outlook, OneNote, Access and Publisher are included.
- Office 365 Small Business Preview: Can be issued to up to 10 users, with five installations each; adds "professional mail, shared documents and HD videoconferencing."
- Office 365 ProPlus Preview: Can be issued to up to 25 users, with five installations each; includes Word, PowerPoint, Excel, Outlook, OneNote, Access, Publisher, InfoPath and Lync.
- Office 365 Enterprise Preview: In addition to the above applications, this version includes SharePoint online and Lync Online.
Wrap-up
