NEWS


Computing Now Exclusive Content — June 2010

New Application Protects Mobile-Phone Passwords

by George Lawton

A German research institute is selling new mobile-phone password-protection technology. The Fraunhofer Institute for Secure Information Technology developed MobileSitter, a password-vault application that makes it more difficult for an attacker to unlock any secret data stored on the phone. Consumers can use the application to securely store hundreds of passwords that remain encrypted in a database until it's unlocked using the master password. This lets users choose a very secure password for each service while having to remember only a single master password.

The application uses a novel technique to confuse a thief. When a wrong master password is entered, MobileSitter returns a fake password that matches the format for a given account. For example, if a bank ATM PIN consists of five digits, MobileSitter returns a five-digit fake password. This makes it harder for thieves to determine whether they have, in fact, guessed the master password correctly.

"Right now, users are very much exposed if their handset is stolen, unless they're using a Blackberry, which can be remotely wiped," said Avivah Litan, a research director at Gartner Group. "I don't think people realize how vulnerable they are. We put everything on those phones."

Password-vault applications like MobileSitter are becoming more important as consumers turn to their mobile devices to track passwords for a growing number of accounts, such as email and Web services, as well as physical devices, such as door-lock key codes and ATMs. In Germany, the number of passwords is also increasing with PIN requirements for ID and medical-benefits cards, said Ruben Wolf, one of MobileSitter's lead developers at Fraunhofer.

The application runs directly on any Java-enabled cell phone. The institute is selling the application directly to consumers and also to institutions such as banks in branded versions for promotional giveaways.

The Password Conundrum

Password complexity has increased over the past several years, along with increases in the number of online services and Internet financial transactions. Many users face a dilemma in trying to balance security and convenience. At one extreme, many settle on weak passwords or reuse the same password across several different services. Hackers who guess this one password can theoretically access the user's email, bank account, or stock-trading services.

"Given the security and privacy problems with many major websites, it's more and more important for users to follow good security practices," said Ellen Craw, general manager of Ilium Software, which makes the eWallet. In an analysis of 32 million Facebook passwords earlier this year by Imperva, a security software vendor, 30 percent of all passwords were six characters or less, and nearly half had easily guessable names. The most common password was "123456."

Users who create multiple, more-secure passwords must remember unique codes for each service or site. Internet browsers that remember a user's login credentials and allow automatic connection in the future mitigate this problem somewhat. Another tactic is to make a clear-text list of passwords and store it on your phone.

In both cases, if your phone is stolen, the thief has easy access to your accounts. This puts you in a race to deactivate or change all your login credentials before your money is stolen or your account settings are changed to lock you out of the services.

Enter the Password Manager

Several password-management applications have emerged to provide security that improves on storing passwords in the clear. These tools let users store many individual, highly complex passwords in an encrypted database that can be unlocked with a master password. Many of these applications were initially developed for personal computers and subsequently ported to mobile-phone devices. They include the Ilium eWallet, RoboForm Mobile, SplashID, and the open source applications KeePassMobile and Password Safe.

With these tools, users can consolidate password management and store it in one place for multiple devices to share. Applications like RoboForm Online even make it possible to share passwords via an online service. With all these applications, anyone who enters a wrong password gets an error message in return.

As a result of security concerns, the password-management field has flourished. Password vaults now have tens of millions of users, noted Bill Carey, vice president of marketing at Siber Systems, which makes RoboForm.

Building a Better Vault

However, Fraunhofer's Wolf said that sophisticated thieves can crack the master passwords by using brute-force attacks that test millions of passwords until they find a valid one.

In some cases, password managers have weaknesses that require no specialized software to run such attacks. For example, the Fraunhofer Institute has successfully attacked Code Memo, the password manager installed by default on most Sony-Ericsson phones, using standard tools not intended for hacking (www.mobilesitter.de/downloads/security-codememo.pdf). But there are also hacker tools specialized for the job. They include Firemaster for Firefox, OphCrack, Cain & Abel, and others found at Elcomsoft, Objectif Sécurité, and OpenWall Password Recovery Resources.

Some password-manager developers have taken countermeasures. By introducing time-consuming calculations into each master-password test, they've slowed down brute-force attacks on the device itself. However, some hacking tools let attackers offload the data to a PC, where they can execute the attack much faster.

Because MobileSitter will return a seemingly valid password, attackers gain no advantage in trying to crack the password vault. They would still have to attack each password individually. Eventually, the online service or ATM would lock them out.
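The decoy behaviour described above, combined with the time-consuming key derivation mentioned in the previous paragraph, sketched as an added example; it is not MobileSitter's code, and the article does not describe the product's actual algorithm. Assumed here: PBKDF2 for the slow derivation, digit-only secrets, and the hypothetical names `seal`, `open_entry` and `offline_guess_results`.

```python
import hashlib
import os

ITERATIONS = 200_000  # key stretching: every master-password guess costs this much work


def _mask(master, salt, digits):
    """Derive a number in [0, 10**digits) from the master password."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    # 256-bit value reduced mod 10**digits; the bias is negligible for short PINs
    return int.from_bytes(key, "big") % (10 ** digits)


def seal(master, pin):
    """Store a numeric secret with no checksum or verifier of the master password."""
    if not pin.isdigit():
        raise ValueError("this sketch handles digit-only secrets")
    salt = os.urandom(16)
    digits = len(pin)
    masked = (int(pin) + _mask(master, salt, digits)) % (10 ** digits)
    # Nothing stored here lets software tell a right master password from a wrong one
    return {"salt": salt, "digits": digits, "masked": masked}


def open_entry(master, entry):
    """Any master password yields a well-formed PIN; only the right one yields the real PIN."""
    d = entry["digits"]
    value = (entry["masked"] - _mask(master, entry["salt"], d)) % (10 ** d)
    return str(value).zfill(d)  # keep leading zeros so the format always matches


def offline_guess_results(entry, guesses):
    """What an attacker holding a copy of the database gets back for each guess."""
    return [open_entry(g, entry) for g in guesses]


if __name__ == "__main__":
    entry = seal("correct horse", "04821")  # constructed sample values
    print("owner sees:   ", open_entry("correct horse", entry))
    for guess, pin in zip(["123456", "password", "letmein"],
                          offline_guess_results(entry, ["123456", "password", "letmein"])):
        print(f"guess {guess!r:12} -> {pin}")  # every result looks like a valid 5-digit PIN
```

Because every guess produces a plausible PIN, moving the database to a faster PC removes the cost of key stretching but still gives the attacker no way to confirm a guess without trying the PIN against the real service.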

One limitation of MobileSitter's current implementation is that it encrypts only passwords. Other password vaults encrypt the account names as well, noted Christoph Sperle, one of KeePassMobile’s developers. "An attacker that knows MobileSitter is aware that the decrypted passwords are fakes," he explained, "but may be interested in the rest of the information the database provides, such as the account number of the user's bank, his Visa card number, Gmail account name, or the chat sites he uses and nicknames at the site."

At the moment, no one is certain of the extent to which existing password vaults have been compromised, Wolf said. Fraud reports often don't account for how the attackers succeeded, and compromises could come from network wiretaps, malware, broken password vaults, or personal engineering such as pretexting to trick the information out of an employee. "But what is clear," Wolf concluded, "is that the sheer existence of so many tools and Web services for recovering lost passwords points to evidence that existing password vaults can be hacked."

George Lawton is a freelance journalist based in Guerneville, CA. He can be reached via his website at http://glawton.com.