After you enter a password, your regular computer keyboard might look the same as always, but a new approach harvesting thermal energy can illuminate the recently pressed keys, revealing that keyboard-based password entry is even less secure than previously thought.
Thermal image of “passw0rd” 20 seconds after entry
Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk from UC Irvine’s Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor’s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack — the Thermanator.
“It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them,” describes Tsudik. “If you type your password and walk or step away, someone can learn a lot about it after-the-fact.”
Their paper, “Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry,” outlines the rigorous two-stage user study they conducted, collecting thermal residues from 30 users entering 10 unique passwords (both weak and strong) on four popular commodity keyboards.
Source: New insider attack steals passwords by reading thermal energy from keyboards – Help Net Security
The near 40-year quest for an AIDS vaccine received a hopeful boost Saturday when scientists announced that a trial drug triggered an immune response in humans and shielded monkeys from infection.
Shown to be safe in humans, the candidate vaccine has now advanced to the next phase of the pre-approval trial process, and will be tested in 2,600 women in southern Africa to see whether it prevents HIV infection.
While the results so far have been encouraging, the research team and outside experts warn there are no guarantees it will actually work in the next trial phase dubbed HVTN705 or “Imbokodo” — the isiZulu word for “rock”.
“Although these data are promising, we need to remain cautious,” study leader Dan Barouch, a Harvard Medical School professor, told AFP.
Just because it protected two-thirds of monkeys in a lab trial doesn’t mean the drug will protect humans, “and thus we need to await the results of the… study before we know whether or not this vaccine will protect humans against HIV infection,” he said.
Source: Candidate AIDS vaccine passes key early test
Among the many problems that exist in the venerable Network Time Protocol is its vulnerability to timing attacks: turning servers into time-travellers can play all kinds of havoc with important systems.
Complicating the problem is that timing attacks are enabled by the protocol itself, which makes it hard to change.
Now a group of researchers from Marvell Semiconductor and the Hebrew University of Jerusalem have followed up on a February 2018 conference presentation with an Internet-Draft proposal they hope can block timing attacks.
Their argument, set out in depth in this paper (PDF) presented to the 2018 Network and Distributed Systems Security (NDSS) Symposium, is that timing attacks can affect “TLS certificates, DNS and DNSSEC, RPKI, Kerberos, BitCoin, and beyond”. The authors also note that time-shifting attacks are possible “even if all NTP communications are encrypted and authenticated” – so a fix is well overdue.
Source: Boffins want to stop Network Time Protocol’s time-travelling exploits
In another example of political correctness gone awry, the American Library Association decided to drop Laura Ingalls Wilder’s name from a prestigious children’s literature award. According to the statement, the author, as represented by her “Little House” series, “reflect dated cultural attitudes towards indigenous people and people of color that contradict modern acceptance, celebration and understanding of diverse communities.”
Oh, please. If we are to go by those criteria, we might as well toss out an entire canon of classics including Mark Twain’s Huckleberry Finn — though I notice no one is renaming “The Mark Twain Prize for Humor” given annually to celebrities and rarely to actual writers.
Laura Ingalls Wilder started publishing her series of Little House books in 1932. Her first, Little House in the Big Woods, was followed with six more into the 1940s. The series told the saga of the family struggles as they pioneered the woodlands and prairies of America during the 1870s and 1880s, from Wisconsin to Minnesota to South Dakota to Iowa. The narration is from the perspective of a child named Laura, from the time she is five to seventeen.
Imagine their journey, the infernal deprivation and hard work, crops ruined by storms and grasshoppers. Or the long winter, with temperatures below zero, twisting hay into kindling before sitting to a scanty meal of potatoes and bread. Not all settlers could take it. Nor, I venture, could you or I. Instead, Pa played the fiddle, singing “Where There’s a Will There’s a Way.”
Source: The Savaging of Laura Ingalls Wilder
A Chinese firm wants to arm the country’s police forces with a whole new kind of weapon for the battlefield: an assault rifle that fires lasers and can burn your clothes and skin from up to 800m away. Oh, and those lasers are silent, invisible, and can pass through glass windows too.
The rifle (not pictured above, that’s just a concept illustration) has been developed by ZKZM Laser, which is part of the Xi’an Institute of Optics and Precision Mechanics at the Chinese Academy of Sciences. The idea is to support police in hostage situations, allowing them to take kidnappers down a notch. It could also find use in covert military operations, reports the South China Morning Post.
“The pain will be beyond endurance,” said a researcher who worked on the ZKZM-500 rifle. At the same time, the weapon is said to be “non-lethal,” likely because it doesn’t kill on impact.
At three kilos (6.6lb), it’s roughly the same weight as an AK-47; the rifle is said to use a lithium battery to fire more than 1,000 “shots” that last for two seconds each.
ZKZM is believed to be in search of a manufacturing partner, so it can begin producing these weapons for $15,000 apiece.
Source: Chinese firm claims its laser rifle burns clothes and skin up to 800m away
All it took was a three-fingered salute and some autoexec.bat action
On-Call: Welcome once more to On-Call, The Register’s attempt to make Fridays tolerable by bringing you fellow readers’ tales of terrifying tech support jobs they somehow survived.
This week, meet “Guy”, who told On-Call he grew up in the golden age of the microcomputer, meaning that by the time he joined his local Army National Guard unit he was familiar with machines like the TRS-80, TI-99/4A, C-64 and Apple II.
One day National Guard HQ delivered a new PC to Guy’s unit. His prior experience meant he was given the job of making it work.
His problems started immediately because Guy’s superior “explained that the guys from HQ had set everything up, but had forgotten to give them the password to get into the system.”
The PC in question was a Zenith Data Systems 286 that Guy powered up after “throwing the big toggle switch on the side, waiting a while for a lovely green screen with a menu would pop up.”
Source: Sysadmin cracked military PC’s security by reading the manual
Google has tried to get into the social networking and instant messaging space many, many times. But the company hasn’t been able to do more than trend on the internet for a few days. Their last attempt, Allo, couldn’t make a dent in the success of Facebook-owned WhatsApp and Messenger.
Still being optimistic, Google has updated the Android Messages app to give new life to our good-old SMS and also added support for RCS-based text messages. RCS stands for Rich Communication Services which facilitates multimedia content like images, videos, GIFs, etc.
Google recently rolled out a useful Android Messages feature that lets you send text messages from your PC through the web. In this article, we have detailed the method to use Android Messages web interface and use your computer to send SMS.
How to send SMS from your PC using Android Messages?
Using Android Messages to send texts is quite simple. You need an Android smartphone and a web browser running on a computer (Windows, macOS, or Linux). Follow the steps mentioned below:
- Download and install the Android Messages app from Google Play.
  Usually, this is required for smartphones that don’t run stock Android. The default SMS app on such devices (like the ones from Samsung, Xiaomi, Sony, OnePlus) is often made by the manufacturer itself.
- On your PC, open any web browser and go to messages.android.com.
- Now, on your phone, open Android Messages.
- Tap the overflow menu button (three dots menu) and tap on Messages for web.
- On the Messages for web screen, tap the Scan QR Code button.
- Now, point your smartphone’s rear camera at the QR code displayed on the computer.
After this, wait for the code to be scanned and within a few moments, all of your messages will populate on the computer screen. The experience is quite similar to what we see in the case of WhatsApp Web and Messenger.com.
Source: How To Send SMS From Your PC Using Android Messages?