<?xml version="1.0" encoding="UTF-8"?>
			<rss version="2.0">
		    <channel>
			<title><![CDATA[Scitech Technology Security Extended RSS]]></title>
			<link>http://www.iol.co.za/scitech/scitech-technology-security-extended-rss-1.891398</link>
			<description>
										
						
			</description>
			<lastBuildDate>Wed, 22 Feb 2012 18:00:00 +0200</lastBuildDate>
			
									<language>en-za</language>
							   
	   	     	      <item>
	     	<title><![CDATA[The ultimate in technological security]]></title>
	     	<link>http://www.iol.co.za/the-ultimate-in-technological-security-1.1240383</link>
	     	<description><![CDATA[<!--PSTYLE=WL Web Lead--><p>Chinese researchers have found a way to identify a person&#8217;s heartbeat in an instant and use it as a password.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>Researchers have created a security system where a person&#8217;s heartbeat is their password &#8211; offering hope of electronic devices that people can simply pick up to unlock them. </p><p>Human heartbeats never quite repeat themselves, and each person&#8217;s heartbeat is unique. </p><p>Chinese researchers have found a way to identify a person&#8217;s beat in an instant and use it as a password. </p><p>&#8220;Because electrocardiogram signals vary from person to person, they can be used as a new tool for biometric recognition,&#8221; say the researchers at the National Chung Hsing University in Taichung, Taiwan.</p><p>Lead researcher Chun-Liang Lin used two ECG readings from people&#8217;s palms to determine the unique mathematical properties of their heartbeats. They found that the number could be used as a password, and that the system was highly secure. </p><p>Previous biometric security systems using fingerprints can sometimes be tricked using photographs. </p><p>Lin&#8217;s system takes the user&#8217;s ECG reading from each palm once, and a key based on that reading is stored and used for all later decryptions. </p><p>Lin says the goal is to build the system into devices that can be decrypted and encrypted simply by touching them, New Scientist reports. &#8211; Daily Mail</p>]]></description>
	     		     	<guid isPermaLink="false">1.1240383</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/iol-scitech-feb-22-heart-reading-1.1240382!/image/2346645843.jpg_gen/derivatives/box_501/2346645843.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Wed, 22 Feb 2012 18:00:00 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Google spied on Apple users - report]]></title>
	     	<link>http://www.iol.co.za/google-spied-on-apple-users-report-1.1238141</link>
	     	<description><![CDATA[<!--PSTYLE=WL Web Lead--><p>Google bypassed the privacy settings of an Apple web browser in order to survey millions of users, the Wall Street Journal has reported.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>New York - Google and other online advertisers bypassed the privacy settings of an Apple web browser on iPhones and computers in order to survey millions of users, the Wall Street Journal reported on Friday.</p><p>The Journal said the companies used a special code that tricks Apple's Safari software into letting them monitor the browsing habits of many users.</p><p>Safari - the most widely used browser on mobile devices and the  default browser on iPhones and Mac laptops - is designed to block such tracking by default, the Journal said.</p><p>The Journal said Google disabled the code after the newspaper contacted it and that Google removed a message on its website saying users could rely on Safari to prevent the search giant from tracking them.</p><p>It quoted Google as saying the Journal &#8220;mischaracterizes what happened and why.&#8221;</p><p>&#8220;We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information.&#8221;</p><p>The Journal quoted an Apple official as saying the company was &#8220;working to put a stop&#8221; to the circumvention of the privacy settings.</p><p>The code was first spotted by Stanford researcher Jonathan Mayer  and independently confirmed by Ashkan Soltani, a technical adviser to the Journal.</p><p>Google and Apple could not immediately be reached for comment. - Sapa-AFP</p>]]></description>
	     		     	 <author>editor@iol.co.za (SAPA)</author>
	     		     	<guid isPermaLink="false">1.1238141</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/io-scitech-google-logo0-1.1138952!/image/1926983133.jpg_gen/derivatives/box_501/1926983133.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Mon, 20 Feb 2012 11:35:11 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Why you need a good anti-virus]]></title>
	     	<link>http://www.iol.co.za/why-you-need-a-good-anti-virus-1.1237331</link>
	     	<description><![CDATA[<!--PSTYLE=WL Web Lead--><p>While the threat is nowhere near as dire as anti-virus vendors claim, cyber criminals are increasingly targeting mobile devices.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>Be afraid. Be very afraid. As you read this, your cellphone or tablet computer could be falling under the control of one of thousands of viruses specially designed to root out sensitive data like e-mail addresses and internet banking passwords, and beam them over the web to cyber criminals on the other side of the world.</p><p>That, at least, is what the makers of anti-virus software for mobile devices will have you believe.</p><p>Is this irresponsible scaremongering, or should you really install anti-virus software on all your mobile devices without delay?</p><p>Makers of anti-virus products are notorious for exaggerating the threat. Just last week one of them, Symantec, sheepishly admitted that it had been wrong to accuse several Android applications of being wolves in sheep&#8217;s clothing whose real purpose was not to entertain or inform, but sneak malicious software on to mobile devices.</p><p>But even if you disregard their alarmist hype and occasional outright fibs, it&#8217;s becoming increasingly clear that you should invest in some form of anti-virus protection.</p><p>While the threat is nowhere near as dire as anti-virus vendors claim, cyber criminals are increasingly targeting mobile devices &#8211; hardly surprising, given that many of us now use these powerful, internet-connected mini computers for online shopping, banking and games purchases &#8211; to name just a few.</p><p>Gadgets running Apple&#8217;s mobile operating system are generally safer than others, thanks to the company&#8217;s obsession with only allowing you to install programmes it has vetted, so you could probably get away without anti-virus protection on your iPhone or iPad.</p><p>If you&#8217;ve got another brand of mobile device, though, particularly one powered by Google&#8217;s Android operating system, you should definitely install anti-virus software. Why single out Android? 
There are several reasons.</p><p>First, there are now more Android smartphones around than any other kind, so creators of viruses are naturally seeking to cash in on their popularity. Then there&#8217;s the added advantage, from the cyber crook&#8217;s point of view, that &#8211; unlike Apple devices &#8211; it&#8217;s easy for Android phone and tablet users to install apps that haven&#8217;t been vetted by Google.</p><p>For many, the appeal of Android is this freedom to install third-party software without the restrictions of &#8220;walled garden&#8221; app stores like Apple&#8217;s. But with this freedom comes risk.</p><p>So what brand of anti-virus software should you get? There&#8217;s not enough space to list them all here, but most experts agree you should probably go for one of the premium, paid-for programmes rather than a free app. Many of the supposedly free options turn out merely to be trial versions of the paid apps anyway.</p><p>Most good anti-virus apps will also offer the ability to track your mobile device if it is lost or stolen, via WiFi, GPS and its cellular signal. They&#8217;ll also let you remotely lock it, making it useless to the thief; sound an ear-piercing alarm; and even wipe its contents clean, essential if the device contains sensitive work or personal data.</p><p>Buying anti-virus software for your phone or tablet can seem like a grudge purchase. 
But most are very reasonably priced for the peace of mind they provide, especially when you factor in extra features like anti-theft and tracking.</p><p>Be warned, though, even if you do have anti-virus software, it may not pick up a virus or worm hidden in an app if the malware&#8217;s too new to have made it on to a virus watch-list.</p><p>You should also be aware that the biggest risk to your phone &#8211; and by extension your bank account &#8211; is not a virus, it&#8217;s clicking on an e-mail link or replying to an SMS.</p><p>Never click through to one of your online accounts via a link in an e-mail. Instead, use the appropriate app or type in the internet address of the website.</p><p>Replying to an SMS from an unfamiliar number could subscribe you to a foreign premium line service that will add thousands to your bill in a shockingly short space of time.</p><p>If you have international roaming enabled, cancel it now and reinstate it just before you travel. That way, you&#8217;ll have a much easier time persuading your service provider that you don&#8217;t owe them more than your house is worth. - Sunday Tribune</p>]]></description>
	     		     	 <author>editor@iol.co.za (Colin Roopnarain)</author>
	     		     	<guid isPermaLink="false">1.1237331</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/copy-of-nt-pc-virus222-new-1.1237330!/image/1643536221.jpg_gen/derivatives/box_501/1643536221.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Sat, 18 Feb 2012 13:59:05 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Twitter admits to ‘harvesting’ user contacts]]></title>
	     	<link>http://www.iol.co.za/twitter-admits-to-harvesting-user-contacts-1.1236652</link>
	     	<description><![CDATA[<!--PSTYLE=WL Web Lead--><p>The website said it copied lists of email addresses and phone numbers from those who used its smartphone application.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>London - Twitter has admitted harvesting contact lists from its customers&#8217; mobile phone address books without telling them.</p><p>The website said it copied lists of  email addresses and phone numbers from those who used its smartphone application, amid claims it kept them on its database for 18 months. </p><p>Its management on Thursday agreed to change guidance to users about what it does with their personal information, after a storm of protest from privacy campaigners in the US. </p><p>The breach occurs when users of the micro-blogging site click the &#8220;Find Friends&#8221; option to see if any of their contacts are also on it.</p><p>Many of them did not know this meant the site then uploaded their entire address book and stored it afterwards. </p><p>Twitter spokesman Carolyn Penner said it would now offer users the option to &#8220;upload your address book&#8221; or &#8220;import your contacts&#8221; to make it clearer. </p><p>She said: &#8220;We want to be clear and transparent in our communications with users. Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends &#8211; to be more explicit.&#8221;</p><p>The practice by a giant such as Twitter raises more concerns about the privacy implications posed by social networking sites which are used by an estimated 37 million Britons.</p><p>There is no suggestion the San Francisco-based firm was using the data &#8211; which it said was securely encrypted &#8211; for anything other than finding contacts for its customers. </p><p>But critics say the lack of &#8220;informed consent&#8221; raises questions about other less reputable sites which could harvest details to sell on, or potentially leave customers open to identity fraud. 
The admission also raises difficult questions for Apple, makers of the iPhone, as to why it had been allowed to happen, after the firm said such harvesting was a violation of its policy.</p><p>Two American congressmen wrote to Apple about the practice, prompting it to toughen measures to make sure applications did not harvest data without &#8220;explicit user approval&#8221;.</p><p>Twitter is the latest social networking site to face a scandal over harvesting contact details, after Facebook came under fire for &#8220;synchronising&#8221; users&#8217; email address books to its site. This has since been changed. - Daily Mail</p>]]></description>
	     		     	 <author>editor@iol.co.za (TAMARA COHEN)</author>
	     		     	<guid isPermaLink="false">1.1236652</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/iol-pic-sep9-twitter-milestone-usage-1.1134015!/image/3352972900.jpg_gen/derivatives/box_501/3352972900.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Fri, 17 Feb 2012 10:33:56 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Safety of online banking questioned]]></title>
	     	<link>http://www.iol.co.za/safety-of-online-banking-questioned-1.1235802</link>
	     	<description><![CDATA[<!--PSTYLE=WL Web Lead--><p>Researchers have revealed a flaw in the way data is scrambled to protect the privacy of online banking.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>San Francisco - Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.</p><p>A program used to generate random number sequences for encrypting digital information worked properly 99.8 percent of the time, meaning that two out of every thousand &#8220;keys&#8221; wouldn't thwart  crooks or spies, the report warned.</p><p>&#8220;We found that the vast majority of public keys work as intended,&#8221; said a report based on work by a team of US and European  researchers led by Arjen Lenstra of Ecole Polytechnique Federale de  Lausanne (EPFL).</p><p>&#8220;A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security.&#8221;</p><p>Online rights champion Electronic Frontier Foundation (EFF) supplied key data for the research, and said that Lenstra's team found tens of thousands of keys that essentially failed to guard data in supposedly encrypted online sessions.</p><p>&#8220;The consequences of these vulnerabilities are extremely serious,&#8221; the EFF's Dan Auerbach and Peter Eckersley said in a blog  post.</p><p>&#8220;In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the  content of messages, exchanged with a vulnerable server.&#8221;</p><p>Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF.</p><p>The non-profit EFF said it is working &#8220;around the clock&#8221; with EPFL to warn operators of computer servers using encryption keys offering no protection. - Sapa-AFP</p>]]></description>
	     		     	<guid isPermaLink="false">1.1235802</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/iol-scitech-feb-16-online-banking-1.1235801!/image/2364434805.jpg_gen/derivatives/box_501/2364434805.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Thu, 16 Feb 2012 11:04:12 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Hackers take aim at Nasdaq websites]]></title>
	     	<link>http://www.iol.co.za/hackers-take-aim-at-nasdaq-websites-1.1235087</link>
	     	<description><![CDATA[<!--PSTYLE=WL Web Lead--><p>The Nasdaq.com website was briefly inaccessible at times although it was back online and functioning normally late in the day.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>Washington - Hackers have targeted the public websites of the operators of the Nasdaq and Bats stock exchanges over the past two days with cyberattacks that disrupted the sites but had no impact on trading.</p><p>The Nasdaq.com website was briefly inaccessible at times on Tuesday although it was back online and functioning normally late in the day.</p><p>Nasdaq did not immediately reply to an inquiry from AFP but The Wall Street Journal quoted a spokesman as saying that &#8220;during the past 24 hours, Nasdaq OMX has experienced intermittent service disruptions on our corporate websites.&#8221;</p><p>The Kansas-based Bats, which operates the BZX and BYX exchanges,  said the Bats public website, &#8220;along with other securities industry  websites,&#8221; was hit by a Distributed Denial of Service (DDoS) attack  on Monday.</p><p>&#8220;Our trading systems were not affected and there were no Exchange customer disruptions associated with the incident,&#8221; a Bats  spokeswoman told AFP.</p><p>&#8220;Our website is used to display general information about our market activity for the casual user, and there are no critical functions supported through our general public site,&#8221; she said.</p><p>&#8220;We worked with our Internet Service Provider and swiftly returned our website to a normal operating state,&#8221; the Bats spokeswoman said. 
&#8220;Our trading systems continue to operate normally  today.&#8221;</p><p>In a DDoS attack, a large number of computers are commanded to simultaneously visit a website, overwhelming its servers and knocking it offline.</p><p>The hacker group Anonymous claimed Friday to have rendered the website of the Central Intelligence Agency briefly inaccessible with a DDoS attack.</p><p>Anonymous last month also briefly knocked the websites of the US  Justice Department and the Federal Bureau of Investigation offline.</p><p>There was no immediate claim on Twitter feeds used by Anonymous for the attacks on the Nasdaq and Bats websites. - Sapa-AFP</p>]]></description>
	     		     	 <author>editor@iol.co.za (SAPA)</author>
	     		     	<guid isPermaLink="false">1.1235087</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/iol-scitech-feb-15-nasdaq-1.1235086!/image/3708105623.jpg_gen/derivatives/box_501/3708105623.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Wed, 15 Feb 2012 18:00:00 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Iran finally neutralises Stuxnet virus]]></title>
	     	<link>http://www.iol.co.za/iran-finally-neutralises-stuxnet-virus-1.1234758</link>
	     	<description><![CDATA[<!--PSTYLE=WL Web Lead--><p>Many experts believe that Israel, possibly with assistance from the United States, was responsible for creating and deploying Stuxnet.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>Iranian engineers have succeeded in neutralising and purging the computer virus known as Stuxnet from their country's nuclear machinery, European and US officials and private experts have told Reuters.	 </p><p>The malicious code, whose precise origin and authorship remain unconfirmed, made its way as early as 2009 into equipment controlling centrifuges Iran is using to enrich uranium, dealing a significant but perhaps temporary setback to Iran's suspected nuclear weapons work.	 </p><p>Many experts believe that Israel, possibly with assistance from the United States, was responsible for creating and deploying Stuxnet. But no authoritative account of who invented Stuxnet or how it got into Iran's centrifuge control equipment has surfaced.	 </p><p>US and European officials, who insisted on anonymity when discussing a highly sensitive subject, said their governments' experts agreed that the Iranians had succeeded in disabling Stuxnet and getting it out of their machinery.	 </p><p>The officials declined to provide any details on how their governments verified that the Iranians had ultimately defeated the virus. It was not clear when it occurred but secrecy on the subject has been so tight that news is only now emerging.	 </p><p>Some officials said they believe that the Iranians were helped in their efforts by Western cybersecurity experts, whose detailed technical analyses of Stuxnet's computer code have circulated widely on the Internet.	 </p><p>Once the Iranians became aware that their equipment had been infected by the virus, experts said it would only have been a matter of time before they would have been able to figure out a way of shutting down the malicious code and getting it out of their systems.	 </p><p>&#8220;If Iran would not have gotten rid of Stuxnet by now (or even months ago), that would indicate that they were complete idiots,&#8221; said German computer security consultant Ralph Langner. 
Langner is regarded as the first Western expert to identify the ultra-complex worm and conclude that it was specifically targeted toward equipment controlling Iranian nuclear centrifuges.	 </p><p>Peter Sommer, a computer security expert based in Britain, said that once Iran had detected the presence of the worm and figured out how it worked, it shouldn't have been too hard for them to disable it.	 </p><p>&#8220;Once you know that it's there it's not that difficult to reverse engineer... Neutralization of Stuxnet, once its operation is understood, would not be that difficult as it was precisely engineered to disrupt a specific item of machinery.	 </p><p>&#8220;Once Stuxnet's signature is identified it can be eliminated from a system,&#8221; Sommer added.	 </p><p>Private experts say that however well-crafted the original Stuxnet was, whoever created it probably would have to be even more clever if they want to try to supplant it with new cyber-weapons directed at Iran's nuclear program.	 </p><p>&#8220;Aspects of Stuxnet could be re-used, but it is important to understand that its success depended not only on 'clever coding' but also required a great deal of specific intelligence and testing. It was the first known highly-targeted cyber-weapon, as opposed to more usual cyber weapons which are more diffuse in their targeting,&#8221; Sommer said.	 </p><p>David Albright, a former United Nations weapons inspector who has extensively investigated Iran's nuclear program for the private Institute for Science and International Security, which he leads, said that spy agencies would have to go back to the drawing board if they're intent on continuing to try to hobble Iran's nuclear program via cyber-warfare. 	 
</p><p>Iran says that its nuclear program is for peaceful purposes but many Western officials believe it is seeking to build nuclear weapons.</p><p>&#8220;I would assume that once Iran learned of Stuxnet, then intelligence agencies looked at this method of cyber attack as compromised regardless of how long it has taken Iran to neutralise it. It is a cat and mouse game.&#8221; 	 </p><p>But Albright added that &#8220;intelligence agencies have likely been looking at more advanced forms of attack for a couple of years that they hope will catch the Iranians unprepared.&#8221;	 </p><p>Reports first surfaced in 2010 that Iran's main nuclear enrichment facility at Natanz was hit by Stuxnet, though some experts later said it likely first was deployed a year earlier. Experts who later analysed the Stuxnet code said it was engineered specifically to attack machines made by the German company Siemens that control high-speed centrifuges, used to purify uranium which can fuel a nuclear weapon.	 </p><p>Tehran accused the United States and Israel of planting the virus. In November 2010, Iranian President Mahmoud Ahmadinejad said that malicious software had created problems in some of Iran's uranium enrichment centrifuges, although he said the problems had been solved.	 </p><p>Several experts said, however, that while they believed the virus' potency waned over time, they had not heard confirmation that the Iranians had defeated and purged it.	 </p><p>Experts say the inventors of Stuxnet had to be unusually clever because the centrifuge control equipment at which it was targeted - and which it apparently succeeded in hobbling - was entirely cut-off from the Internet. 
So not only did the worm's creators have to write a code that would cause targeted equipment to malfunction but they had to figure out a way to physically introduce the code into a &#8220;closed system.&#8221; 	 </p><p>Most experts think the virus was somehow introduced into Iran's control systems via some kind of computer thumb drive.	 </p><p>European and US experts have said that they believe that Stuxnet, at least for a time, caused serious malfunctions in the operations of Iranian nuclear centrifuges.	 </p><p>Iran and its antagonists today appear to be engaged in multiple levels of clandestine warfare, with unknown assailants killing Iranian nuclear scientists and, in the last few days,  bomb attacks on Israeli embassy personnel in India and Georgia. Israel has blamed Iran. - Reuters</p>]]></description>
	     		     	 <author>editor@iol.co.za (Mark Hosenball)</author>
	     		     	<guid isPermaLink="false">1.1234758</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/iol-scitech-feb-15-stuxnet-1.1234757!/image/2405502072.jpg_gen/derivatives/box_501/2405502072.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Wed, 15 Feb 2012 10:59:32 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Why hackers are being asked to have a go]]></title>
	     	<link>http://www.iol.co.za/why-hackers-are-being-asked-to-have-a-go-1.1232134</link>
	     	<description><![CDATA[<!--PSTYLE=Normal--><p>Rhodri Marsden salutes the intrepid geeks of the world.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p/><p>London - Security personnel tend not to challenge the public to sneak unnoticed into buildings they're guarding, preferring to give the impression that the entrances are impregnable and they themselves are invincible. </p><p>But the &#8220;keep out or else&#8221; approach doesn't work online, where cyber attacks are rampant and the task of thwarting them is too colossal for stretched IT departments. </p><p>Instead, companies are encouraging us to discover weaknesses by hacking their websites: to have a go if we think we're clever enough. At a recent TED (Technology, Entertainment, Design) event in Hawaii, web-security expert Jeremiah Grossman gave a talk entitled &#8220;Hack Yourself First&#8221; which outlined this principle of ethical hacking; permitting people to hack systems provided that they disclose their findings. </p><p>Thinking of hacking as a benevolent practice runs contrary to everything we've ever been told, but there's a growing movement of crusading &#8220;white hat&#8221; hackers, partly encouraged by the huge sums that companies pay out in rewards for uncovering flaws. An annual white-hat conference, ShmooCon, took place in Washington DC a few days ago and was attended by 1,800 people whose interest in gaining access to restricted areas is totally benign - at least, that's what they say. </p><p>Google has a roll-call of people who've pointed out coding errors and helped make its products safer, grandly termed the &#8220;Security Hall Of Fame&#8221;; one of the latest additions is a 15-year-old boy from Norway, Cim Stordal. In an interview with CNET he revealed the time it took him to uncover flaws (four days for Facebook, five minutes for Apple) but the more surprising revelation was that he's only been doing this kind of thing for a year. 
</p><p>When you know that an inexperienced teenager can quickly find holes in the world's most popular websites, it's easy to see why hacking of the non-white-hat variety is so widespread. And why some companies are now having to place their trust in white-hat hackery.</p><p/><p>Despite its bad-boy name, jailbreaking is legal, for now... </p><p/><p>When spiffy new features appear on your smartphone during software upgrades, you can be sure that a handful of those ideas emerged from the jailbreak community. Jailbreaking - or rooting - is about getting under the bonnet of the phone, gaining access to features that the operating system (OS) wouldn't normally allow, and exploiting them with apps. Jailbroken iPhones, for example, could sync over Wifi and record video clips long before their squeaky-clean, Apple-approved cousins. </p><p>Unsurprisingly, jailbreaking isn't smiled upon by manufacturers; it wrests control of the device away from them, transporting it away from a safe, fluffy, cosseted world and into one full of possibility and (so we're told) danger. So it probably invalidates your warranty, and keeping it jailbroken when your phone's OS is upgraded can be tiresome - but it's not illegal, and hasn't been since a ruling by the US Copyright Office in 2010. </p><p>These rulings come up for renewal every couple of years, however, and so the issue of jailbreaking is once again being kicked around furiously. The Electronic Frontier Foundation (EFF) is campaigning for the exemption to be extended to tablets and video game consoles, arguing that it provides an essential platform for innovation, and allows the untapped potential of our devices to be explored and tinkered with. </p><p>The Apples and Googles of this world will be submitting incredibly detailed legal arguments as to why this isn't a good idea. 
It seems unfair to me that a niche activity born out of curiosity and enthusiasm should ever be punishable by a fine or a jail sentence - but then again I'm not a multinational technology company, so what do I know?</p><p>Intrepid geekery may also have a big part to play as emerging legislation begins to affect the way we use the internet. </p><p>Much has been written about Sopa (Stop Online Piracy Act) and Pipa (Protect Intellectual Property Act) that are currently being debated in the US, along with the global Anti-Counterfeiting Trade Agreement (Acta); all three seek to criminalise certain types of internet activity, but some vague definitions and lazy wording seem to jeopardise some legal activity, too. </p><p>Last week, Infoworld's Paul Venezia lamented the internet becoming &#8220;crippled by greed and ignorance&#8221;. But, as the slogan goes, information wants to be free. And there'll be thousands upon thousands of tech-savvy netizens working hard to circumvent any measures that are put in place. </p><p>Anonymising services such as Tor are already used by whistleblowers and human rights workers, alternative domain name servers (DNS) can circumvent countrywide blocks, while proxy servers and virtual private networks can run rings around attempts to censor the web. </p><p>Venezia envisages a jailbroken internet, where all these circumvention measures are wrapped up into a package you can install to bypass the standard internet pathways, prolonging this digital game of cat and mouse. Many might deem it frivolous, wilful lawbreaking, but those whose voices are being silenced by oppressive regimes will relish the idea of a jailbroken internet. - The Independent</p>]]></description>
	     		     	 <author>editor@iol.co.za (Rhodri Marsden)</author>
	     		     	<guid isPermaLink="false">1.1232134</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/iol-laptop-1.1018518!/image/3671855689.jpg_gen/derivatives/box_501/3671855689.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Sat, 11 Feb 2012 17:08:19 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Path apologises for app mistake]]></title>
	     	<link>http://www.iol.co.za/path-apologises-for-app-mistake-1.1230523</link>
	     	<description><![CDATA[<!--PSTYLE=Normal--><p>Social network Path has apologised for uploading users' address book information without asking for permission.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>Social network Path on Wednesday apologized for uploading users' address book information without asking for permission.</p><p>&#8220;We made a mistake,&#8221; Path co-founder and chief executive David Morin said in a blog post. &#8220;We are deeply sorry if you were uncomfortable with how our application used your phone contacts.&#8221;</p><p>Path released updated applications modified to ask users whether they would like to opt in or out of letting the service use personal contact list information to help them connect with friends or family at the social network.</p><p>&#8220;We want to clarify that the use of this information is limited to improving the quality of friend suggestions when you use the 'Add Friends' feature and to notify you when one of your contacts joins Path -- nothing else,&#8221; Morin said.</p><p>&#8220;Contact information mined from users' computers was encrypted before being transmitted to Path servers, where the information was securely stored,&#8221; according to the company.</p><p>&#8220;We now understand that the way we had designed our 'Add Friends' feature was wrong,&#8221; said Morin, a former Facebook executive.</p><p>&#8220;As a clear signal of our commitment to your privacy, we've deleted the entire collection of uploaded contact information from our servers.&#8221;</p><p>Path was slammed with criticism after news spread of a software developer who discovered that the social network's applications copied information from people's phone books without letting them know.</p><p>Path has free applications tailored for use on devices powered by Apple or Android software. - AFP</p>]]></description>
	     		     	<guid isPermaLink="false">1.1230523</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/path-screenshot-1.1230521!/image/2263627672.jpg_gen/derivatives/box_501/2263627672.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Thu, 9 Feb 2012 11:02:22 +0200</pubDate>
	     </item>
	     	   	     	      <item>
	     	<title><![CDATA[Hacker releases Symantec source code]]></title>
	     	<link>http://www.iol.co.za/hacker-releases-symantec-source-code-1.1229979</link>
	     	<description><![CDATA[<!--PSTYLE=Normal--><p>A hacker released the source code for antivirus firm Symantec's pcAnywhere utility.</p>]]> |||
	     	<![CDATA[<!--PSTYLE=WT Web Text--><p>A hacker released the source code for antivirus firm Symantec's pcAnywhere utility on Tuesday, raising fears that others could find security holes in the product and attempt takeovers of customer computers. </p><p>The release followed failed email negotiations over a $50,000 payout to the hacker calling himself YamaTough to destroy the code. </p><p>The email thread was published on Monday, but the hacker and the company said their participation had been a ruse. YamaTough said he was always going to publish the code, while Symantec said law enforcement had been directing its side of the talks. </p><p>The negotiations also might have bought Symantec time while it issued fixes to the pcAnywhere program, which allows customers to access their desktop machines from another location. </p><p>&#8220;Symantec was prepared for the code to be posted at some point and has developed and distributed a series of patches since January 23 to protect our users against known vulnerabilities,&#8221; said company spokesman Cris Paden. </p><p>Symantec had taken the extraordinary step of asking customers to stop using the software temporarily until it readied the patches. It issued fixes for &#8220;known vulnerabilities&#8221; in version 12.5 of the software on January 23 and fixes for versions 12.0 and 12.1 on Friday January 27. </p><p>Paden said that Symantec had contacted its customers and that it had not lost any customers. He said that if they were running up-to-date, patched versions they should not face increased risk. </p><p>Symantec also expects hackers to release other source code in their possession, 2006 versions of Norton Antivirus Corporate Edition and Norton Internet Security. &#8220;As we have already stated publicly, this is old code, and Symantec and Norton customers will not be at an increased risk as a result of any disclosure,&#8221; Paden said. 
</p><p>The emails over the $50,000 payoff were widely circulated, with some mocking the world's largest standalone security company for its apparent attempt to buy protection. </p><p>But the company said the emails were in fact between the hacker and law enforcement officials posing as a Symantec employee. </p><p>&#8220;The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation,&#8221; Paden said, adding that no money was paid. </p><p>Paden declined to name the law enforcement agency, saying it could compromise the investigation. </p><p>Symantec had previously confirmed the hacker, part of a group called Lords of Dharmaraja and affiliated with Anonymous, was in possession of source code for its products, obtained in a 2006 breach of the company's networks. </p><p>The email exchange released by the hacker, who claims to be based in Mumbai, India, shows drawn-out negotiations with a purported Symantec employee starting on January 18. </p><p>The email negotiations echoed conversations in past years, viewed by Reuters, in which police agencies directed talks between victims and hackers. </p><p>&#8220;We can't pay you $50,000 at once for the reasons we discussed previously,&#8221; said one email from a purported Symantec employee, Sam Thomas, who offered to pay the full amount at a later date. </p><p>&#8220;In exchange, you will make a public statement on behalf of your group that you lied about the hack.&#8221; </p><p>A common tactic of the FBI and others investigating extortionists and kidnappers is to seek to break down the amount of money sought by the suspects into multiple smaller payments. </p><p>This stretches out the negotiation, giving authorities more insight into the suspect and more time in which to make an arrest. It also lessens the risk to any victim inclined to pay the entire amount demanded. 
</p><p>Most important, it creates more transactions, each one of which provides a trail of records and human beings that can be traced as the police seek their quarry. </p><p>The hacker said he never intended to take the money. </p><p>&#8220;We tricked them into offering us a bribe so we could humiliate them,&#8221; YamaTough told Reuters. </p><p>In recent weeks, the hacker has posted segments of code for Norton Utilities and other programs. A software maker's intellectual property, specifically its source code, is its most precious asset. </p><p>Symantec's Norton Internet Security is among the most popular software available to stop viruses, spyware, and online identity theft. - Reuters</p>]]></description>
	     		     	<guid isPermaLink="false">1.1229979</guid>
	     		     	 <enclosure url="http://iol.co.za/polopoly_fs/symantec-logo-1.1229978!/image/346596994.jpg_gen/derivatives/box_501/346596994.jpg" length="57424" type="image/jpeg" />
	     	            <pubDate>Wed, 8 Feb 2012 16:34:55 +0200</pubDate>
	     </item>
	     	   	   </channel>
      </rss>

