The DNS system that forms the backbone of the Internet, resolving those names into the numbers that correspond to the actual websites we visit, has a critical flaw that effects nearly all DNS servers. That is, any server that runs Linux and relies on the GNU C standard library. A flaw in that library could case a buffer overflow, which might allow an attacker to take full control over someone's PC.
The flaw itself is actually from 2008, where it was discovered that overly long DNS names being replied to requests from those servers could result in a tragic buffer overflow in the victims browser, potentially letting an attacker execute code remotely. It's even possible to perform a full-blow man-in-the-middle attack, taking over a machine completely. It can be triggered by already malicious DNS servers.
Thankfully a fix is already ready fro most distributions of Linux, which requires only a quick update to fix. If your server distro isn't running one, then you can configure your firewall to drop long DNS responses altogether, so no overflows happen. So the majority of the Internet is largely safe, but it still might effect smaller connected and embedded devices that have Glibc that likely won't see any updates with the patched version. Routers, DVR's, some TV's and even NAS devices might still and continue to be at risk.
Synaptics has a new fingerprint sensor that could make it that much more useful and widespread. They've been able to shrink the dimensions so much that it can be placed on side-mounted buttons or any tiny area on any device. And it's accurate too.
The minuscule Natural ID FS4304 touch-based fingerprint sensor is a scant 3.5mm wide allowing it to be placed on nearly anything. Imagine a more natural interaction with your phone, putting your fingers where they naturally lay, such as on the side of the device, and being able to unlock it more convenient. That might seem silly, but it leads to making biometrics something that can secure anything.
It also has the potential to make fingerprint readers more discreet, drawing attention away from attempting to spoof and bypass them, which is possible with enough resources (though not always successful unless under the right conditions). As we've explained here before, as part of a multi-factor authentication scheme, using your fingerprint as a biometric is one of the better and more convenient options. Unfortunately facial recognition and iris scanning isn't commonplace enough yet.
Passwords are quickly becoming an archaic creation in the minds of many a security researcher. There're definitely better, more secure and easier to use ways to authenticate yourself and login to your favorite sites. The World Wide Web Consortium (W3C) wants to change with a new open standard to help make the Internet just a little bit more secure. And not too terribly more complicated either.
The password itself is usually the weakest link in any secure system. Most people don't want to put int the required effort to create a properly complex password, or they don't follow proper password etiquette and change them, substantially enough, at regular intervals. And really, who wants to have a super long password anyway. Sometimes even strong passwords get exposed and added to rainbow tables, rendering them absolutely useless anyway. So what does one do?
Make multi-factor authentication a thing, and a common, easy to use thing at that. That's what the W3C intends to do with their FIDO 2.0 based authentication standard. They want to make an API easy for web developers to implement that can allow for many different types of authentication.
A scammer has stolen $15 million worth of Bitcoins from one of the internet's most 'un-loved' celebrities, pharmaceutical man Martin Shkreli. Contacting Shkreli and pretending to be part of Kanye West's entourage, a scammer promised an early release of West's new album 'Life of Pablo' to Shkreli personally, setting the price at a hefty 37,000 Bitcoin.
Taking to Twitter in order to voice his frustrations over getting scammed, Shkreli claims to now have "quit rap," stating that "This is the worst day of my life. My mom said don't deal with these kinds of people. Nothing good comes from rap music."
Seemingly having some friends in high places, Shkreli told all of his followers that they are 'idiots' and he has "gotten in touch with Sitoshi (Bitcoin's creator) and he's agreed to help me get my money back. I always win." He ended his Tweet tirade by announcing that "And second of all I can make the money back faster than anyone so the joke is on YOU if you think I even care."
Believed to be 'ROR[RG]', this hacker has been named by Anonymous as a person to successfully infiltrate Turkish national police servers, stealing private information that includes a multitude of database files.
The files have been explained as related to MySQL by International Business Times, known to be so as they are mostly presented in .myd, .myi and .frm file extensions. Available as a 2GB torrent file online, once extracted the data becomes a large 17.8GB cache of illegally-gathered information.
This breach was announced by 'TheCthulhu', further using its official Twitter account to announce "Hey #Turkey, I have something to show you tomorrow. See, if you fight your citizens, they will bite back. #standby." This isn't ROR[RG]'s first operation, being known as the hacker to infiltrate Adult Friend Finder back in 2015, releasing personal information regarding four million members.
RFID is a cheap and convenient way to communicate information between devices. The problem is that it's also incredible insecure, and easily hacked by a number of ways. But researchers from Texas Instruments and MIT have come together to make a chip that won't be so easy to steal information from.
The implications for such a development are tremendous, with the idea that the public will finally start to trust the technology for more applications. Specifically they're being designed to be nearly impervious to a common attack on RFID devices, the side-channel attack. Those work by analyzing actual power fluctuations or memory access patterns in order to determine what the cryptographic key is, to break in and steal your precious information.
The new chip doesn't prevent the reading of those physical properties, because that would mean it doesn't work at all, but instead uses a a special ferroelectric crystal material that can self-power the chip to keep them small and to prevent people from cutting the power right before a cryptographic key exchange, which can reveal that key if done properly. They'll also incorporate a random number generator on-board to use a new secret key for each transaction, meaning that each one is completely unique, and thus far safer and more secure than ever before.
If you get infected with Malware today, it's a very serious issue that could potentially compromise and complicate your life. Back in the day before the rise of botnets and ransomeware, viruses were quite cheeky and sometimes very bizarre. The Internet Archive is letting you explore what those antiquated infections could do, without the danger of course.
The collection is a whimsical exploration of virii from the 1980's and 1990's that was curated by Jason Scott from Internet Archive and Mikko Hypponen, a chief researcher from F-Secure. Click on any of the examples and you'll be greeted with the animations and messages that tended to be the end result. They're safely contained within a DOS box emulator, but are without their destructive powers anymore anyway.
Despite the cute messages and animations, these did have nasty effects on your PC back in the day. They corrupted files, slowed your system and ended up wreaking havoc. At least the cutsey messages could brighten your day. Kind of.
Biometrics are something we've been using to uniquely identify other humans since the 13th Century, but the current methods are flawed and can be spoofed with enough creativity and time. So now researchers have found another novel way to uniquely identify people: With "Brainprints".
A brainprint is the unique way in which your neurons fire when reading, or doing anything. It's a distinct and consistent way to identify people. New research by the Basque Center for Cognition and Binghamton University into the brainprint has been able to show just how unique our thought patterns actually are. They were able to identify people with 97% accuracy just based on them thinking about a particular word that flashed on a monitor in front of them for a half of a second.
That's good news for the coming robot revolution, because until brain thought patterns can be faked, we'll at least be able to know whose who, and not human. But in more practical terms it could be another piece to the puzzle of authentication. As a means to make a password it's horrible, but in a multi-factor authentication scheme, it could be used to identify that you're actually who you say you are and present at the time of entering your pin or password.
The darknet, or dark web, is a conglomeration of hidden services and websites that are accessible only through the Tor network. And as it would turn out, recently published research shows that over 57% of those hidden websites also happen to have some kind of illegal content on them.
The researchers, Daniel Moore and Thomas Rid from King's College London, created a custom script that parsed through some 5,025 live .onion based websites and found that 1,547 hosted some kind of material that's criminal in nature. The leading activity seems to surround drugs, with financial related criminal enterprises taking in a close second.
It's not necessarily a surprising finding, given that the idea of privacy and security tend to attract the unsavory types by their very nature. But the researchers do note that it doesn't have to be that way. And that perhaps removing hidden services from Tor could help, somehow.
The OpenSSL project has found, and patched, an issue that was fairly serious though it likely didn't effect very many people, or businesses for that matter.
The problem seems to have stemmed around how the open-source implementation of SSL and TLS reuses prime numbers while the Diffie-Hellman key-exchange protocol is used, making it far easier for a would-be attacker to decrypt your information. The good news is that in order for that to happen, a particular setting has to physically be set on, because it's not on by default.
Even better is that in order to have enough information to actually crack the encryption, there the attacker would have to connect (and reconnect via separate handshakes) several times. So it's not something that's of too much concern, certainly not at the same level of the Heartbleed vulnerability of 2014.