Facebook has unveiled a new service that remedies one of the biggest headaches facing online users today—the forgotten password.
Facebook now offers a service that lets users who lose their GitHub login credentials securely regain access to their accounts. The process takes only seconds and a handful of clicks, all over encrypted HTTPS connections. To set it up, Facebook users create a GitHub recovery token in advance and save it with their Facebook account. If they later lose their GitHub credentials, they reauthenticate to Facebook and ask it to send the token to GitHub with a time-stamped signature. The token is encrypted so Facebook can't read any of the personal information it stores. Once GitHub verifies the request, access to the account is restored. Apart from Facebook's assertion that the person recovering the GitHub account is the same person who saved the token, Facebook and GitHub don't share any personal information about the user.
The service is designed to eliminate the hassle and significant insecurity found in most account recovery systems that exist now. One common recovery method involves answering security questions. Many of the questions—for instance, "What is your favorite sport?" and "What is your favorite pizza topping?" asked by United Airlines—are easily guessed. That leaves people susceptible to account takeovers. Other methods, such as delivering security tokens by e-mail or SMS text message, lack the kind of end-to-end encryption that's increasingly expected for secure communications.
Unlike a compromised e-mail account, which often can be used to gain access to dozens of online accounts controlled by the owner, the Facebook service can be rate limited. In the event a Facebook account is hijacked, rate limiting prevents an attacker from recovering all of the victim's linked third-party accounts at once. That feature could prove useful in the future, should the service be adopted by a large number of other third-party services.
For now, the service is available only for GitHub, but Facebook hopes other third-party sites will also use it eventually.
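The exchange described above, written out as a simplified model that is added here and is not Facebook's or GitHub's code. It covers both halves of the story: the account provider (GitHub's role) issues an opaque token, the recovery provider (Facebook's role) stores it without being able to read it, countersigns it with a timestamp on request, and rate limits those requests per user. Everything below that is not in the article is an assumption of this example: the class and method names, HMAC-SHA256 with pre-shared keys standing in for the public-key signatures the real protocol uses, and an HMAC-derived keystream standing in for the real encryption.

```python
"""Simplified delegated-recovery model (added example, not the real service's code).

Assumptions of this model: HMAC-SHA256 with pre-shared keys replaces real
signatures; the 'encryption' is a toy HMAC-derived keystream, not the real scheme.
"""
import hashlib
import hmac
import json
import secrets


def _keystream(key, nonce, length):
    """Toy CTR-style keystream: HMAC(key, nonce || counter) blocks. Assumption, not the real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


class AccountProvider:
    """GitHub's role: issues tokens and restores access when one comes back countersigned."""

    def __init__(self):
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.recovery_provider_keys = {}   # provider name -> verification key (pre-shared here)
        self.used_token_ids = set()

    def issue_token(self, username, recovery_provider):
        """Encrypt-then-MAC the account identity; the result is opaque to whoever stores it."""
        plaintext = json.dumps({"id": secrets.token_hex(8), "user": username}).encode()
        nonce = secrets.token_bytes(16)
        stream = _keystream(self.enc_key, nonce, len(plaintext))
        body = nonce + bytes(p ^ k for p, k in zip(plaintext, stream))
        # the tag binds the token to the recovery provider it was issued for
        tag = hmac.new(self.mac_key, recovery_provider.encode() + body, hashlib.sha256).digest()
        return body + tag

    def recover(self, request, now, max_age=300):
        """Return the username to restore, or None if the request fails any check."""
        if request is None:
            return None
        verify_key = self.recovery_provider_keys.get(request["recovery_provider"])
        if verify_key is None:
            return None
        token = bytes.fromhex(request["token"])
        signed = token + str(request["timestamp"]).encode()
        expected = hmac.new(verify_key, signed, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["countersig"]):
            return None                 # not from that recovery provider, or altered in transit
        if abs(now - request["timestamp"]) > max_age:
            return None                 # stale countersignature: outside the replay window
        body, tag = token[:-32], token[-32:]
        own = hmac.new(self.mac_key, request["recovery_provider"].encode() + body, hashlib.sha256).digest()
        if not hmac.compare_digest(own, tag):
            return None                 # not a token we issued for this provider
        nonce, ciphertext = body[:16], body[16:]
        stream = _keystream(self.enc_key, nonce, len(ciphertext))
        data = json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))
        if data["id"] in self.used_token_ids:
            return None                 # each token is single use
        self.used_token_ids.add(data["id"])
        return data["user"]


class RecoveryProvider:
    """Facebook's role: stores tokens it cannot read and countersigns them on request."""

    def __init__(self, name, max_requests=3, window=3600):
        self.name = name
        self.sign_key = secrets.token_bytes(32)
        self.vault = {}       # (local user, account provider) -> opaque token bytes
        self.requests = {}    # local user -> timestamps of recent recovery requests
        self.max_requests, self.window = max_requests, window

    def save_token(self, user, account_provider, token):
        self.vault[(user, account_provider)] = token

    def request_recovery(self, user, account_provider, now):
        """Countersign the stored token, rate limited per user so a hijacked
        account cannot recover every linked service at once."""
        recent = [t for t in self.requests.get(user, []) if now - t < self.window]
        if len(recent) >= self.max_requests:
            return None
        self.requests[user] = recent + [now]
        token = self.vault.get((user, account_provider))
        if token is None:
            return None
        countersig = hmac.new(self.sign_key, token + str(now).encode(), hashlib.sha256).hexdigest()
        return {"recovery_provider": self.name, "token": token.hex(),
                "timestamp": now, "countersig": countersig}


def demo():
    """Happy path: set up in advance, then recover. Returns the restored username."""
    github, facebook = AccountProvider(), RecoveryProvider("facebook", max_requests=2)
    github.recovery_provider_keys["facebook"] = facebook.sign_key   # assumption: shared out of band
    facebook.save_token("alice.fb", "github", github.issue_token("alice", "facebook"))
    request = facebook.request_recovery("alice.fb", "github", now=1000)
    return github.recover(request, now=1000)   # -> "alice"
```

The order of checks on the GitHub side is the point: countersignature first, then freshness, then its own tag, then single use, and only then does it decrypt. The Facebook side only ever handles an opaque blob, which is the "Facebook can't read the personal information" property the article describes, and the per-user counter in `request_recovery` is the rate limit it mentions.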
Sent to us by: Roy W. Nash
On Episode 439 Jeff unveiled a potential hack on Google Now, and scientists are now claiming that not only can Google Now be compromised, but voice-controlled assistants such as Amazon's Alexa are likely vulnerable to bogus voice commands as well.
We've talked about Alexa buying dollhouses, and joked that we could say something on the show to command your Amazon Echo to order products from our store, but this is no laughing matter.
Researchers say it's not an unlikely scenario. They say not only can attackers issue malicious audio commands to any voice-controlled device within audible range, but they can also do it using hidden voice commands: commands that might not even be noticed by the user.
Nicholas Carlini and Pratyush Mishra of the University of California, Berkeley, who wrote a new paper on the subject along with other academics, don't specifically target or mention Amazon's Alexa, but they do claim their test attacks work against Google Now's speech recognition system and that their voice commands are "likely to work with any modern voice recognition system." That would include smartphones.
“We show that adversaries with significant knowledge of the speech recognition system can construct hidden voice commands,” they write in their paper. And they could be commands “that humans cannot understand at all.”
The voice channel is the vector for attack.
Carlini recently said one big potential problem area could be the texting of premium-rate SMS numbers. He explains that the command "Okay Google now, text…" followed by a special-rate number could get costly for the device owner. He said this could become an even bigger problem in the near future as voice-driven banking becomes prevalent; an example would be "Okay Google, pay Sasha $100."
Carlini says the problem is not an individual spoofing the voice recognition, such as a thief walking by and shouting a command; in that case, the device owner simply cancels the command. The problem is the professional case, where sounds are crafted that seem like noise to the human ear but are speech to the device. The device hears the garbage as a real command, and the owner isn't aware of the attack.
The results could be drastic. The researchers give posting a user's location on Twitter as one example, which for some people could be as serious as losing money, and opening a web page loaded with malware as another.
If you'd like to hear an audio sample of what this type of attack might sound like, check out The Category5 TV Newsroom Episode 439.
Sent to us by: sr_wences
They're not very pretty, but prototype eyeglasses from University of Utah scientists could make progressive lenses obsolete for older people. Using electronically activated lenses and infrared distance meters, they can focus automatically on whatever you're looking at, whether it's far or close up. Once perfected, the device could eliminate the need for multiple pairs of reading or driving glasses.
Age-related loss of focusing ability (presbyopia) happens when the lenses in your eyes can no longer change focus between near and far objects. As a result, many people between their 40s and 50s have to wear progressive-lens eyeglasses divided into small focal zones depending on object distance. One company called Deep Optics has pursued an auto-focusing solution using see-through liquid-crystal lenses, but is still working on a practical prototype. Google is also working on an auto-focus contact lens with Novartis, but recently said that it wouldn't be testing them anytime soon.
To make the lenses adjustable, the University of Utah team placed glycerine -- a thick, clear liquid -- within membranes on the front and back. The chunky frame, meanwhile, holds electronics, a battery and an infrared distance meter. When you look at something, the meter gauges the distance and sends a signal to a mechanical actuator on the rear membrane. Within 14 milliseconds, it switches focus from one object to another, giving you clear vision without the need to look up or down.
Users can upload their prescriptions to the glasses by pairing them with a smartphone over Bluetooth. That means that, in theory, you could keep the same pair of glasses forever, even if your eyesight changes. You'd need to recharge them like a smartphone, but that could be less of a hassle than packing multiple pairs around.
The current prototype debuted at CES earlier this month. The goal now is to make the whole package smaller and lighter via some serious miniaturization. The team has created a startup company to commercialize the smart glasses and, hopefully, get them on the market in as little as three years.
Sent to us by: Jeff Weston
Police in Texas have lost evidence going back eight years in a ransomware attack.
Cockrell Hill, Texas has a population of just over 4,000, and its police force has lost eight years of evidence after a departmental server was compromised by ransomware.
In a public statement, the department said the malware had been introduced to the department's systems through email. Specifically, it arrived "from a cloned email address imitating a department issued email address" and after taking root, requested 4 Bitcoin in ransom, worth about $3,600 today, or "nearly $4,000" as the department put it.
It was at this point that the department's backup procedures were tested and found wanting. When recovery was attempted, they realised they had backed up only the encrypted files: the backups had captured the damage rather than a clean copy.
The police then spoke to the FBI "and upon consultation with them it was determined there were no guarantees that the decryption file would actually be provided, therefore the decision was made to not go forward with the Bitcoin transfer and to simply isolate and wipe the virus from the servers".
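The failure described above, a backup job that faithfully copies ciphertext, is detectable before the old generation is overwritten. The following pre-rotation check is an added example, not the department's tooling or anything described in the statement: it flags files whose content looks like ciphertext (a recognisable format whose header is gone, a text format with near-random byte distribution, or a known extension with an extra ransom-style suffix appended) and refuses rotation when too many are flagged. The format table, thresholds and sample files are constructed for the example.

```python
"""Pre-rotation backup sanity check (added example, not the department's own tooling)."""
import math
from collections import Counter

# Expected leading bytes for a few common evidence/document formats (assumption: extend as needed).
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".json"}
TEXT_ENTROPY_LIMIT = 6.0   # bits/byte; natural-language text sits well below this (assumption)


def shannon_entropy(data):
    """Empirical Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name, data):
    """Return a reason string if the file looks like ciphertext, else None."""
    exts = ["." + p for p in name.lower().split(".")[1:]]
    if not exts:
        return None                                   # nothing to reason about
    last = exts[-1]
    if last in MAGIC:                                 # binary format: the header is the tell
        return None if data.startswith(MAGIC[last]) else "header mismatch for " + last
    if last in TEXT_EXTS:                             # text format: byte distribution is the tell
        h = shannon_entropy(data)
        return "entropy %.2f too high for text" % h if h > TEXT_ENTROPY_LIMIT else None
    # ransomware commonly appends its own suffix, e.g. report.pdf.locked
    if len(exts) >= 2 and (exts[-2] in MAGIC or exts[-2] in TEXT_EXTS):
        return "unexpected suffix %s after %s" % (last, exts[-2])
    return None                                       # unknown format: cannot judge


def verify_snapshot(files, max_flagged_ratio=0.05):
    """files: {name: bytes}. Returns (ok_to_rotate, {name: reason}).

    Rotation is refused when more than max_flagged_ratio of the files look encrypted,
    so the previous good generation is kept instead of being overwritten."""
    flagged = {}
    for name, data in files.items():
        reason = classify(name, data)
        if reason:
            flagged[name] = reason
    ok = not files or len(flagged) <= max_flagged_ratio * len(files)
    return ok, flagged


# Constructed sample data. CIPHERTEXT is a deterministic byte sequence that visits
# every byte value roughly equally, standing in for real ciphertext.
CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(600))
STATEMENT = b"Case 2015-0042: officer statement, vehicle observed at 21:40.\n" * 12

GOOD_SNAPSHOT = {
    "case_2015_0042.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" + STATEMENT,
    "officer_statement.txt": STATEMENT,
    "scene_photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + CIPHERTEXT,   # compressed image data is high entropy
    "bodycam.mp4": CIPHERTEXT,                                           # unknown format, not judged
}
INFECTED_SNAPSHOT = {
    "case_2015_0042.pdf.locked": CIPHERTEXT,   # renamed and encrypted
    "officer_statement.txt": CIPHERTEXT,       # encrypted in place, name unchanged
    "scene_photo.jpg": CIPHERTEXT,             # encrypted in place, header gone
    "README_DECRYPT.txt": b"Your files are encrypted. Send 4 BTC.\n" * 5,   # ransom note, plain text
}


if __name__ == "__main__":
    for label, snap in (("good", GOOD_SNAPSHOT), ("infected", INFECTED_SNAPSHOT)):
        ok, flagged = verify_snapshot(snap)
        print(label, "rotate" if ok else "HOLD", flagged)
```

The check is a tripwire, not a substitute for keeping several generations offline or immutable and testing restores; its job is to stop the nightly job from overwriting the last clean copy with a snapshot taken after the encryption ran. Note the limits visible in the sample: legitimately compressed or unknown formats are not judged, and the ransom note itself passes as ordinary text.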
Sent to us by: Roy W. Nash
The makers of the Blackphone 2 warned would-be customers to stay away from eBay. Silent Circle, the company behind the privacy-focused smartphone with encrypted voice services, issued an alert about purchasing devices from unauthorized resellers. Now that alert has turned into action with the latest update to Silent OS, the Android-based operating system built for the Blackphone. Silent OS 3.0.8 will disable phones that were not purchased through Silent Circle’s approved channels.
Silent Circle says these phones are counterfeit. The knock-offs could have been built by the company's contract manufacturer beyond Silent Circle's authorized production runs, or by another manufacturer that has "cloned" the device.
Numerous sellers on eBay are offering “new” and “real” Blackphone 2 devices for far less than Silent Circle’s authorized sellers—in some cases, the difference in price is over $100. These phones are sold without a license to use the services embedded in Silent OS.
While Silent Circle sells its phones directly in North America, it sells through partners in Europe, the Middle East, Africa and Asia.
In a statement, Silent Circle said, "It’s imperative for consumers and companies to work directly with authorized sales partners when purchasing the Blackphone 2. We invite people to check with us prior to purchasing, so we can help them be sure they’re securing an authorized phone to ensure they get the software and services that come with it."
Sent to us by: Roy W. Nash