How Hackers Can Spy on You by Tracking the Motion of Your Phone

Researchers at Newcastle University have recently revealed that malicious websites and apps can spy on users simply by using information from the motion sensors found in their smartphones. This way, hackers are able to decipher and steal PINs and passwords from unsuspecting people.

According to new research, by analyzing the movement of the device we use to type in information, hackers can crack four-digit PINs with high accuracy on the first guess – 70% – and even higher accuracy on the fifth guess – a staggering 100%. They’re able to do this simply by using the data collected through the phone’s internal sensors.

So how do these sensors (GPS, camera, microphone, rotation sensors, accelerometer and many others) track our movements? Apparently, through pretty much everything we do on a phone – clicking, scrolling, tapping, holding, etc. All of these movements generate a unique orientation and motion trace that can be used by criminals.

Although many companies in the industry are aware of what the majority of the usual twenty-five sensors available on smartphones can do – in other words, although they’re aware of this serious problem – no one has been able to find a solution, at least not yet.

According to researchers, here’s how you can better protect yourself:

Change your PINs and passwords regularly

Close the background apps once you’re done with them

Keep your phone’s OS and apps up to date

Install apps only from approved app stores

Thoroughly inspect the permissions that apps require before you install them

Source:

Newcastle University via ScienceDaily (https://www.sciencedaily.com/releases/2017/04/170411085825.htm)

New Service Enables Any Website to Join the Tor Network

The Onion Router, better known as Tor, the free software that enables anonymous communication and offers extra privacy online, has announced a new, unique service that will enable any website to have a presence on its network.

Previously, hosting a website on the Tor network meant that developers and site owners had to make many changes to both the site itself and its infrastructure. Now, any website can join the network without costly redevelopment.

As Dan Benton, owner of Dogsbody Technology, explains, there are a lot of companies that would like to add their websites to the Tor network, but having to make expensive changes to their sites makes site owners reluctant to do so. Now, with a proxy between the public web and the Tor network built specifically for that purpose, those changes are no longer necessary.

By adding their website to the Tor network, companies will give a number of advantages to their visitors, including extra privacy, freedom from network surveillance and enhanced communication integrity. Support organizations are particularly important here, as they’ll be able to provide help and support to victims of abuse without the risk of discovery.

Source:

Dogsbody Technology (https://www.dogsbodytechnology.com/blog/your-website-on-the-tor-network/)

Digital Trends (http://www.digitaltrends.com/web/startup-to-network-thwart-snooping/)

Don’t Change Your Passwords Too Often

Most of us know that if we want to protect our privacy we need to choose complex passwords, not reuse them over and over again, and of course, we need to change them often. However, according to the FTC (Federal Trade Commission), this last part could be doing more harm than good.

If this left you feeling confused, here’s a bit of an explanation: the reason why changing passwords is important is because the longer a password stays the same, the easier it is for a hacker to discover it. The problem arises when people start changing their passwords with predictable patterns – which is often the case with users who regularly change their passwords.

For example, instead of choosing long and complex passwords each time they change them, users often make very predictable changes. Usually, they end up capitalizing one letter in a password, advancing to the next letter with each change, e.g.: “Icecream90!”, “iCecream90!”, “icEcream90!”, and so on. Or, they keep increasing a digit with each change: “Icecream1!”, “Icecream2!”, “Icecream3!”, etc.

It’s no surprise really, as frequent (and sometimes mandated) password changes either bore or frustrate people so much that they end up creating detectable passwords.

When users make these kinds of predictable changes, it’s pretty easy to detect their patterns and crack their accounts. So, to keep your cyber space safe and sound, do make sure to change your passwords but not too often, and when you do, choose long and complex ones instead of rehashing the old ones each time you want to change them.
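A password-change form can catch exactly these rotations before they are accepted. The check below is an added example, not code from the FTC or the cited article; the function names and the distance threshold are assumptions, and it assumes the comparison runs at change time, when the user has just typed both the current and the new password.

```python
import re

def skeleton(pw):
    """Lower-case the password and collapse every digit run to '#', which
    is the part users tend to keep from one rotation to the next."""
    return re.sub(r"\d+", "#", pw.lower())

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1,         # deletion
                                       row[j - 1] + 1,     # insertion
                                       prev + (ca != cb))  # substitution
    return row[-1]

def rotation_verdict(old, new, min_distance=4):
    """Classify a proposed change; min_distance is an assumed policy value."""
    if old == new:
        return "reuse"
    if old.lower() == new.lower():
        return "case-shift"      # Icecream90! -> iCecream90!
    if skeleton(old) == skeleton(new):
        return "digit-bump"      # Icecream1!  -> Icecream2!
    if edit_distance(old.lower(), new.lower()) < min_distance:
        return "near-copy"       # a few characters added or swapped
    return "ok"

if __name__ == "__main__":
    # Constructed samples built from the passwords quoted in the article.
    for old, new in [("Icecream90!", "iCecream90!"),
                     ("Icecream1!", "Icecream2!"),
                     ("Icecream90!", "correct-horse-battery")]:
        print(old, "->", new, ":", rotation_verdict(old, new))
```

Anything other than "ok" is a reason to ask the user for a genuinely different password rather than a variation of the old one.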

Reference:

Digital Trends (http://www.digitaltrends.com/computing/federal-trade-commission-ftc-computer-password-changing-bad-idea/)

New System for Disguising Database Queries Protects Users’ Privacy

Today, most websites entail a database query. This serves many purposes; for example, it’s used to look up airline flights or to find the quickest driving route between two destinations. Although obviously useful, online database queries can also be used for unwanted user profiling. Also, some travel sites have been known to use them for price gouging on flights whose routes are drawing a high volume of queries. To prevent the misuse of database queries, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory and Stanford University have developed a new system that uses a technique called function secret sharing to disguise database queries during web-service transactions.

To disguise users’ database queries, the system splits up a query and distributes it across copies of the same database on different servers. For this reason, it is called Splinter.

Splitting up the query makes the servers return results that make sense only when recombined according to a procedure that only the user knows. So, the result is a secret query that nobody but the user can understand.

Splinter also uses function secret sharing, which enables it to convert a database query into a set of complementary mathematical functions, each of which is sent to a different database server.
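The split-and-recombine idea can be shown with a much simpler two-server scheme. The sketch below is an added example, not Splinter’s code: it uses plain XOR shares of a selection vector as a stand-in for function secret sharing (which produces far more compact shares and supports richer queries), and the fare table and all function names are constructed for illustration.

```python
import secrets

# Constructed sample data: both servers hold an identical copy.
FARES = [412, 389, 530, 275, 610, 344, 498, 301]

def split_query(index, n):
    """Split 'give me record index' into two bit vectors.

    share_a is uniformly random; share_b equals share_a with only the bit
    at `index` flipped. Either vector on its own is uniformly random, so a
    single server learns nothing about which record is wanted.
    """
    share_a = [secrets.randbelow(2) for _ in range(n)]
    share_b = [bit ^ (pos == index) for pos, bit in enumerate(share_a)]
    return share_a, share_b

def server_answer(db, share):
    """Run by each server: XOR together the records its share selects."""
    acc = 0
    for record, bit in zip(db, share):
        if bit:
            acc ^= record
    return acc

def recombine(answer_a, answer_b):
    """Run by the client: every record selected by both shares cancels
    out, leaving only the record at the position where they differ."""
    return answer_a ^ answer_b

def private_lookup(index, db=FARES):
    share_a, share_b = split_query(index, len(db))
    # In a deployment each share travels to a different, non-colluding server.
    return recombine(server_answer(db, share_a), server_answer(db, share_b))

if __name__ == "__main__":
    print("fare for route 3:", private_lookup(3))
```

Each server’s answer looks like noise by itself; the privacy guarantee holds only while the two servers do not compare the shares they received.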

With an increasing number of people wanting private web-surfing, including private queries, this system is a welcome addition to other privacy-protecting methods and techniques.

Source:

Massachusetts Institute of Technology via ScienceDaily (https://www.sciencedaily.com/releases/2017/03/170323152437.htm)

Updated Firefox Offers Better Internet Security

Version 52 of the Firefox browser for desktop is available, and with it, better internet security for its users. The new version adds a few new features, including a warning for non-secure websites, the Strict Secure Cookies specification, and support for WebAssembly.

Mozilla’s new warning for Firefox shows its users the message “This connection is not secure”. This will be displayed when a user clicks on a username and password text field on websites that are not using the now common Hypertext Transfer Protocol Secure, or HTTPS for short.

Previously, whenever users clicked on a password or username field on non-secure websites, Firefox displayed a red-stricken gray lock icon in the address bar. Now, Mozilla is trying to go a step further in protecting its users by providing a visual indication for non-secure websites.

As for other security measures, there is the Strict Secure Cookies specification, through which Firefox will prevent non-secure websites from creating cookies with the “secure” attribute. Then there’s WebAssembly, which is a new programming language for executing applications within the browser, but on the user’s side. This language is supposedly better than JavaScript: it brings “near-native” performance to apps, games and software libraries.

So, if you haven’t already, do update your Firefox browser.

Source:

Digital Trends (http://www.digitaltrends.com/web/mozilla-firefox-52-browser-secure-webassembly/)

Scientists Invent “Lip Password”

Researchers from the Hong Kong Baptist University (HKBU) have invented a new, more secure method for authentication – “lip motion password”. This technology uses a person’s lip movement to create a password, making it a valuable addition to various security systems.

Professor Cheung Yiu-ming from the Department of Computer Science, HKBU, and his team of researchers invented the new technology that creates a password using a person’s lip motions and then verifies their identity by simultaneously matching the password content with the underlying behavioral characteristics of lip movement. Since nobody can mimic someone else’s lip movement when uttering a password, and since the password can be changed at any time, this makes the new technology superbly valuable and useful.

The team used a computational learning model to extract the visual features of lip shape, texture and of course movement to characterize lip sequence. To train the models, samples of lip sequence were collected and analyzed.

The potential applications of this now patented technology are vast, but one of the more obvious applications is financial transaction authentication, so anything from electronic payment using mobile devices and transactions at ATM machines to credit card user passwords. In addition, lip passwords can be used together with other biometrics to enhance the security level of various systems.

Source:

Hong Kong Baptist University via ScienceDaily (https://www.sciencedaily.com/releases/2017/03/170313110742.htm)

How to Defend Against Future Quantum Computing Attacks

When it comes to technology, our future is bright: personalized medical devices, superfast computers, robot assistants, and of course quantum computers are just some of the things that await us. However, with more progress comes more responsibility, and we need to be prepared for potential dangers that the new technology could bring.

Take quantum computers for example: they operate on the subatomic level and can provide processing power that is millions of times faster than that of silicon-based computers. While certainly amazing, this also means that a hacker equipped with a next-gen quantum computer could decrypt any internet communication that was sent today.

For this reason, we need an online security system that is prepared for what the future brings. Nathan Hamlin, instructor and director of the WSU Math Learning Center, is one of the people helping to create safe online communications and transactions.

Hamlin developed a newly written code called the Generalized Knapsack Code that could thwart hackers that use quantum computers. “The Generalized Knapsack Code expands upon the binary representations today’s computers use to operate by using a variety of representations other than 0s and 1s,” he explains. “This lets it block a greater array of cyberattacks, including those using basis reduction, one of the decoding methods used to break the original knapsack code.”

The newly written code is a step toward safer quantum computing, so researchers are now thinking of adapting it for commercial use.

Reference:

Washington State University via ScienceDaily (https://www.sciencedaily.com/releases/2017/02/170228185341.htm)

Protecting Power Grids from Hackers

When hackers target power infrastructures, they usually focus on the mechanisms that control them so they can cause power outages, blackouts, and economic losses. To improve the system’s security and reliability, it’s crucial to first understand its vulnerabilities, which are both physical and intangible.

Lead author of the new study that focuses on the physical and cyber security of the power grids, Chee-Wooi Ten, explains that ten years ago, cybersecurity didn’t even exist. Now, without strong and reliable cybersecurity, hackers can cause large power outages and blackouts.

For this reason, Ten believes that the solution to the problem involves both physical equipment and intangible software.

To assess the system’s vulnerabilities, Ten and his team use a framework that constantly assesses the bottleneck of a power grid as well as its interconnection with its neighboring grids. “You know your health is at risk because we monitor systolic and diastolic numbers, so perhaps you work out more or eat healthier,” says Ten. “The grid needs established metrics for health too, a number to gauge if we are ready for this security challenge.”

Essentially, Ten explains that improving regulations with specifics to match actual infrastructure needs along with providing cybersecurity insurance is the best way to protect power grids from hackers.

Reference:

Michigan Technological University (http://www.mtu.edu/news/stories/2017/february/protecting-bulk-power-systems-hackers.html)

Heartbeat as Encryption Key for Electronic Records

You can never be too secure, but researchers at Binghamton University have gone a step further by developing a new way to protect personal electronic health records – using the heart’s electrical pattern as an encryption key.

The researchers explain that the traditional encryption solutions are complex and expensive, making them impractical for telemedicine and mobile healthcare. The team wanted to find a simple and cost-effective solution that would protect sensitive health data, so they decided to use a patient’s unique electrocardiograph (ECG) as the key to lock and unlock files.

ECG is essentially a process of measuring the electrical activity of the heart which is done by a biosensor attached to the skin. Since each person has a different heartbeat, this could be used as a unique and secure key. “While ECG signals are collected for clinical diagnosis and transmitted through networks to electronic health records, we strategically reused the ECG signals for the data encryption. Through this strategy, the security and privacy can be enhanced while minimum cost will be added,” explained Zhanpeng Jin, one of the researchers.

Essentially, each patient has their own password which is his/her own heartbeat. This ingenious solution will be very helpful for the next-gen personalized healthcare.

Reference:

Binghamton University via ScienceDaily (https://www.sciencedaily.com/releases/2017/01/170118125240.htm)

HTTPS Has Reached the ‘Moment of Critical Mass’

According to cybersecurity researcher Troy Hunt, HTTPS (Hypertext Transfer Protocol Secure) has finally reached the “moment of critical mass”: its usage has grown so much that it’s becoming the norm, rather than the exception.

HTTPS is a protocol for secure communication over the Internet. It consists of communication over HTTP within a connection encrypted by TLS. Basically, it’s a more secure version of its predecessor, HTTP.

On his blog, Hunt announced that we’ve already passed the halfway mark for requests served over HTTPS. In other words, more than 50% of page loads are now encrypted with HTTPS. This is great news, as having more security and protection while browsing is important.

However, as Hunt explains, this doesn’t mean that most sites now use HTTPS; this figure (more than 50%) comes from traffic from a small number of big sites (Facebook, Twitter, Gmail, etc.). Still, from August 2015 to August 2016, the number of sites using HTTPS has doubled. This rate of growth is astonishing, and it’s clear it will only go higher.

Further evidence that HTTPS is becoming the norm is the fact that browsers now hold websites accountable for not implementing better security. For example, Chrome and Firefox now warn their users when they’re accessing sites that are not using HTTPS. This too should drive the trend toward HTTPS even further.

Reference:

Troy Hunt (https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/)

Digital Trends (http://www.digitaltrends.com/computing/https-use-reaches-critical-mass/)
