Hacking Linux: Exploit Bypasses Security Measures

Recently, security researcher Chris Evans released a well-written exploit that uses rather unusual methods to exploit a memory corruption vulnerability in GStreamer.

There are two security protections built into Linux – address space layout randomization (ASLR) and data execution protection (DEP). The second is meant to block an exploit’s ability to run code it has loaded into memory (No-Execute), while the first is meant to randomize where code loads into memory and consequently limit an exploit’s impact on a system to a crash rather than a compromise.

The exploit in question was written specifically for the Linux distribution Fedora, version 24, to attack ASLR and DEP. To be more specific, it was written to exploit the GStreamer framework by bypassing the protections with carefully written code that is arranged in such a way as to essentially disable ASLR and DEP.

The exploit was released as a FLAC file and it exploits the GStreamer vulnerability and also attacks Rhythmbox and Totem media players. But, since it was written only for Fedora, it would threaten only the small number of users who play media on the platform. In other words, it wouldn’t pose a threat to any other Linux distribution.

Still, an exploit like this demonstrates how it’s entirely possible to work around pretty much any vulnerability, and will, therefore, move the state of Linux security forward.

Source:

Digital Trends (http://www.digitaltrends.com/computing/linux-researcher-releases-linux-exploit-attacks-fedora/)

Security (https://scarybeastsecurity.blogspot.rs/2016/11/0day-exploit-advancing-exploitation.html)

Don’t Reuse Similar Passwords

New research shows that reusing similar passwords across multiple online accounts may make you more vulnerable to hackers’ guessing. In other words, it appears that online password guessing is severely underestimated.

Targeted online guessing is when cyber criminals guess a specific victim’s password for an account. How can they just guess someone’s password, you ask? By abusing knowledge of their victim’s personal information – anything from their birthday, name and other personally identifiable information to passwords that the target uses on other online accounts.

Now, security experts in the UK and China reveal that a huge number of passwords for online accounts – from social media to banking – are vulnerable to targeted online guessing. This is because many people reuse passwords across many web-based services and also use their personal information within their passwords.

“We are finding that targeted online guessing threats are increasingly more damaging and realistic. This is a serious security concern as there are large amounts of personally identifiable information, and leaked passwords readily available to criminals due to lots of million-sized data breaches like Yahoo, Myspace, Linkedin, Dropbox and VK.com,” explains Professor Ping Wang, co-author of the new study.

The takeaway message? Do not reuse similar passwords.

Source:

Lancaster University (http://www.lancaster.ac.uk/news/articles/2016/online-password-guessing-threat-underestimated/)

Internet Usage: Mobile Devices Surpass Computers

New research conducted by the internet monitoring firm StatCounter reveals that for the first time, mobile devices have surpassed computers when it comes to internet usage.

The research showed that the combined traffic from smartphones and tablet devices tipped the balance at 51.2%, vs. 48.7% for desktop access. While this might not come as a huge shocker, it’s a seriously important moment for the web overall, as this is the first time this has happened since StatCounter began tracking stats for internet usage.

Now businesses that haven’t yet decided to focus on a mobile-first approach to their internet services know that they really should. And considering the fact that mobile technology is increasingly becoming more affordable, this trend will not only stay but will probably increase.

“Mobile compatibility is increasingly important not just because of growing traffic but because Google favors mobile friendly websites for its mobile search results,” explained Aodhan Cullen, CEO of StatCounter.

Now that the tipping point has been achieved, it’s time that we all stop favoring the desktop and start focusing on the mobile web more, as it clearly is the future.

Source:

TechCrunch (https://techcrunch.com/2016/11/01/mobile-internet-use-passes-desktop-for-the-first-time-study-finds/)

StatCounter GlobalStats (http://gs.statcounter.com/press/mobile-and-tablet-internet-usage-exceeds-desktop-for-first-time-worldwide)

PREDATOR: A Tool That Detects Malicious Websites Before They Cause Harm

As we all unfortunately know, malicious websites that promote scams and distribute malware pervade the web. To make matters worse, blocking or blacklisting those websites doesn’t help much. This is because criminals who create malicious websites can easily set up new domain names to support their activities after they’ve been blocked or blacklisted. The good news is that a research team from Princeton University has developed a new system to make it more difficult to register new domains for bad purposes.

The new system is called PREDATOR, which stands for Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration. This tool is able to distinguish between legitimate and malicious purchasers of new websites, and in doing so, it provides important insights into how those two groups behave differently online. Even more importantly, PREDATOR is able to provide these insights before the malicious users have done anything obviously harmful.

PREDATOR relies on the assumption that malicious users exhibit registration behavior that differs from that of normal users. Behaviors that separate malicious from normal users include buying and registering lots of domains at once to take advantage of bulk discounts, so that they can immediately and cheaply adapt when their sites are noticed and blacklisted, and registering multiple sites using slight variations on names.

In the study, PREDATOR was able to detect 70% of malicious websites based only on information known at the time those domains were first registered. Additionally, the rate of legitimate sites that were incorrectly identified as malicious was only 0.35%.

Source:

Princeton University (http://www.princeton.edu/main/news/archive/S47/74/26M01/index.xml)

Detecting Online Dishonesty

Dishonestly posting online comments, tweets or reviews might not be illegal but is certainly ethically questionable. Now, researchers from the University of Texas at San Antonio describe a new method for detecting online dishonesty, or “astroturfing”.

Astroturfing has existed since the dawn of social media. It can be used for any number of reasons: businesses can use it to manipulate online shoppers and social media users or to sabotage competing companies; it can be used to espouse opinions on certain subjects by creating an illusion of a consensus; even politicians can use it to encourage support.

The new method is a statistical one that analyzes multiple writing samples. With it, the researchers were able to find that it’s difficult for authors to completely hide their writing style, which means that they often slip up while pretending to be someone else. So, based on context, word choice, and punctuation, this method was able to detect whether one or multiple individuals were responsible for the samples.

Now that the researchers have the capability to detect astroturfing, further applications are possible. “In addition to raising public awareness of the problem, we hope to develop tools to detect astroturfers so that social media users can make informed choices and resist online social manipulation and propaganda,” says Kim-Kwang Raymond Choo, who led the research.

Source:

University of Texas at San Antonio (https://www.utsa.edu/today/2016/10/astroturfing.html)

Skyping While Typing – Not A Good Idea

A new study suggests that typing on your keyboard while participating in a Skype call could make you vulnerable to electronic eavesdropping and therefore compromise your privacy.

Researchers at the University of California, Irvine and in Italy explain that keystroke sounds can be recorded during a Skype video or voice call, and later analyzed and reassembled as text. “We have shown that during a Skype video or audio conference, your keystrokes are subject to recording and analysis by your call partners. They can learn exactly what you type, including confidential information such as passwords and other very personal stuff,” says co-author of the study, Gene Tsudik.

Various brands of keyboards, from Apple to Logitech, emit specific and distinct sounds. The researchers explain that for example, the T on a MacBook Pro emits a different sound from the same letter on another manufacturer’s product. This, along with some knowledge of a user’s typing style, can be enough for an attacker to re-create whole conversations in the form of text.

The study showed that if a spy has some knowledge of the typist’s style and their keyboard, they have an alarming 91.7% rate of accuracy in guessing a key pressed by the victim. Even more disturbingly, when a spy doesn’t have such information, they still have a 41.89% chance of identifying which keys are being struck.

Luckily, these attacks are not possible with touch-screen or holographic keyboards and keypads. The study does, however, show how dangerous traditional physical keyboards can be.

Source:

University of California, Irvine (https://news.uci.edu/research/typing-while-skyping-could-compromise-privacy/)

Our Ability to Spot Phishing Emails is Poor

It’s no secret that millions of phishing emails make their way to people’s inboxes every year. We expect that our email client’s spam filter will catch them, but a lot of them make it through uncaught. Of those, many simply slide past our own judgment and are clicked and opened. A recent study has revealed what our ability to spot phishing emails is like and how likely we are to take the bait.

This Carnegie Mellon University study involved participants who were asked to evaluate 38 different emails, half of which were legitimate and half of which were phishing. On average, they were able to accurately identify just over half of the phishing emails presented to them.

“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” explains Casey Canfield from Carnegie Mellon’s Department of Engineering and Public Policy.

Based on the results of the study, the researchers suggest interventions such as providing users with feedback on their abilities to spot phishing emails and emphasizing the consequences of phishing attacks. One of the training methods in use is called embedded training, and it involves sending out fake phishing emails and teaching users about phishing emails if they open the email. Although it’s possible that methods like these don’t actually make people better at telling the difference, it’s certain that they can make them more cautious, which is really the point.

Source:

Carnegie Mellon University, College of Engineering (http://engineering.cmu.edu/media/feature/2016/10_06_gone_phishin.html)

New Encryption Method Improves Authentication and Privacy Protection

VTT Technical Research Centre of Finland’s new encryption method combines safety, privacy protection, and usability to enable safer, easier-to-use, and more reliable user authentication.

Traditional authentication based on passwords is actually a pretty weak protection system. This is because users mostly select easy passwords, so hackers often succeed in stealing large password databases.

The new encryption method protects, for example, a user’s biometric data. This is great news, as this data is extremely sensitive and important. In biometric authentication, there is a risk of a leak of a person’s permanent biometric identifiers. But VTT’s new method stores data in the database in an encrypted form, and all comparisons between measuring results and the database are sent using encrypted messages, which means that there is no need to open any biometric data at this stage of the process.

VTT also combines new encryption methods, such as homomorphic cryptography and secure exchange of cryptographic keys, to measuring methods of typing styles. This means VTT’s method also protects the user’s typing style.

Right now, the team is looking for a partner for further processing and then commercialization of this method, which according to them, could become available to consumers within one or two years.

Source:

VTT Technical Research Centre of Finland via Phys.org (http://phys.org/news/2016-09-encryption-method-authentication.html)

Moxie Marlinspike’s Crypto Protocol

Nowadays, as people’s lives come to rely on computers and the internet, the significance of encryption has risen with it. Andy Greenberg, the author of the article “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us”, described a great achievement that had never been seen before in human history: an unbreakable algorithm. The main character behind this unbelievable invention, which could almost be considered a fairy tale, is Moxie Marlinspike.

To introduce Moxie Marlinspike: he is a computer security engineer who is widely known for Open Whisper Systems, Whisper Systems, Convergence (SSL), and the Double Ratchet Algorithm. Over his career, his research has focused primarily on techniques for intercepting communication and for strengthening communication infrastructure against interception. He is also known as a member of the Institute for Disruptive Studies, former head of the security team at Twitter, founder of Open Whisper Systems, and a fellow at the Shuttleworth Foundation. Even with such an outstanding career, however, it is his “Crypto Protocol”, Signal, that makes him much more remarkable.

His exceptional algorithm can be broken down into 4 steps.

1. First, when Alice installs an app that uses Marlinspike’s “Crypto Protocol”, it generates pairs of numeric sequences, which are known as keys. With each pair, one sequence, known as the public key, will be sent to the app’s server and shared with her contacts. The other, known as the private key, is stored on Alice’s phone and is never shared with anyone. The first pair of keys serves as an identity for Alice and never changes. Subsequent pairs will be generated with each message or voice call, and these temporary keys won’t be saved.

2. Then, when Alice contacts her friend Bob, the app combines their public and private keys – both their identity keys and the temporary ones generated for a new message or voice call – to create a secret shared key. The shared key is then used to encrypt and decrypt their messages or calls.

3. Next, the secret shared key changes with each message or call, and old shared keys aren’t stored. That means an eavesdropper who is recording their messages can’t decrypt their older communications even if that spy hacks one of their devices. (Alice and Bob should also periodically delete their message history.)

4. Lastly, in order to make sure that she is communicating with Bob and not an imposter, Alice can check Bob’s fingerprint, a shortened version of his public identity key. If that key changes, either because someone is impersonating Bob in a so-called man-in-the-middle attack or simply because he reinstalled the app, Alice’s app will display a warning.
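The four steps above can be followed in a short sketch. This is an added example, not code from Signal or from the article: it is heavily simplified, uses a toy finite-field Diffie-Hellman in place of the elliptic-curve operations a real messenger uses, and every function name in it is hypothetical.

```python
import hashlib, hmac, secrets

# Toy finite-field Diffie-Hellman: an assumption standing in for the
# elliptic-curve operations a real messenger uses. Illustration only.
P, G = 2**255 - 19, 2

def keypair():
    """Step 1: private key stays on the device, public key is shared."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def session_key(my_id, my_tmp, peer_id_pub, peer_tmp_pub, initiator):
    """Step 2: mix identity and temporary keys into one shared secret."""
    a = dh(my_id, peer_tmp_pub)    # my identity  x peer temporary
    b = dh(my_tmp, peer_id_pub)    # my temporary x peer identity
    c = dh(my_tmp, peer_tmp_pub)   # temporary    x temporary
    if not initiator:              # both sides must hash in the same order
        a, b = b, a
    return hashlib.sha256(a + b + c).digest()

def ratchet(chain_key):
    """Step 3: return (one-time message key, next chain key)."""
    # HMAC is one-way: a stolen chain key does not reveal earlier message keys.
    mac = lambda label: hmac.new(chain_key, label, hashlib.sha256).digest()
    return mac(b"\x01"), mac(b"\x02")

def fingerprint(identity_pub):
    """Step 4: shortened digest of a public identity key."""
    return hashlib.sha256(identity_pub.to_bytes(32, "big")).hexdigest()[:16]

def identity_unchanged(known, contact, identity_pub):
    """Remember the first fingerprint seen; False means 'show a warning'."""
    fp = fingerprint(identity_pub)
    return known.setdefault(contact, fp) == fp

def demo():
    """Run both sides for three messages; return their message keys."""
    a_id, a_id_pub = keypair(); a_tmp, a_tmp_pub = keypair()
    b_id, b_id_pub = keypair(); b_tmp, b_tmp_pub = keypair()
    ck_a = session_key(a_id, a_tmp, b_id_pub, b_tmp_pub, True)
    ck_b = session_key(b_id, b_tmp, a_id_pub, a_tmp_pub, False)
    keys_a, keys_b = [], []
    for _ in range(3):
        mk_a, ck_a = ratchet(ck_a)
        mk_b, ck_b = ratchet(ck_b)
        keys_a.append(mk_a); keys_b.append(mk_b)
    return keys_a, keys_b

if __name__ == "__main__":
    alice_keys, bob_keys = demo()
    print("keys match:", alice_keys == bob_keys)
```

Alice and Bob never transmit a message key: each side derives the same sequence independently, and each key is used once and then dropped.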

With such creative and effective software, people around the world can now feel safe using social network services’ messaging systems. Furthermore, since this amazing defensive system became known to netizens, a lot of SNS programs, such as Facebook, Twitter, or Instagram, have started to use it.

Faster Internet With Terabit Networking

Terabit data speeds in fiber optics are nothing new – they have been here for years – but they haven’t been really practical until now. This is because fiber optic systems are complex and costly, so making them for commercial use is quite difficult.

However, recently the Technical University of Munich, Nokia Bell Labs, and Deutsche Telekom have conducted a field trial involving real conditions, such as traffic levels and varying channel conditions, in which they showed 1 Tbps data speed.

The reason for their success is a new modulation technique called Probabilistic Constellation Shaping. Unlike typical fiber transmission, this technique doesn’t use all of the network’s constellation points equally – it prefers those with lower amplitudes, or those that are less susceptible to noise. This is what helped transmissions reach up to 30% further. In fact, this approach is so effective that the researchers got close to the theoretical peak data speeds possible for a fiber connection.

Still, we won’t be seeing these terabit fiber lines in regular use yet, as it will take time to make commercially available lines, but this is definitely a significant development.

Source: Engadget (https://www.engadget.com/2016/09/18/nokia-terabit-fiber-optic-speeds/)
