Aug 10, 2016 02:06 AM
Fun with DNA
http://www.theatlantic.com/magazine/arch...na/492743/
EXCERPT: [...] DNA is the oldest medium in existence for storing data, so it makes sense that the double helix could find use in computing. Scientists can encode data as DNA by assigning every number and letter to a unique string of A’s, C’s, G’s, and T’s (much like modern computers encode data as 1’s and 0’s) and then producing strands of synthetic DNA with that information. DNA-sequencing machines can later extract the data.
Why bother? Aside from being ultra-durable, DNA is also an incredibly efficient way to store information. Scientists have already been able to fit 700 terabytes of data—roughly the equivalent of 1 million CDs—in a single gram of DNA, and it can theoretically hold far more. By some estimates, all of the data currently stored on the world’s disk drives could fit in the palm of your hand if encoded in DNA. For this reason, Technicolor, the entertainment company, has begun storing old movies as DNA, starting with the 1902 film A Trip to the Moon. You can also copy DNA-based data nearly indefinitely with simple enzymes. The Harvard geneticist George Church recently converted a book he wrote into DNA, then made 70 billion copies in a test tube—making it the most reproduced text in history.
Beyond just storing data, some researchers have suggested using DNA to build biological computers. These biocomputers wouldn’t look like laptops, with screens and keyboards. Rather, they’d be chemicals inside test tubes or biological membranes. But like laptops, they would have the ability to take in information, process it, and act. DNA seems especially promising for parallel processing, which involves making millions or even billions of computations simultaneously. (An example is weather forecasting, which involves integrating temperature, barometric pressure, and humidity data for many, many points on the Earth’s surface all at once.) And unlike electronic devices, which can’t easily infiltrate living cells, DNA-based computers could penetrate these spaces, giving us ways to record information and possibly fight disease in real time....
Serious security threat to many Internet users highlighted: Communications involving Linux and Android systems can be compromised quickly, easily and from anywhere
https://www.sciencedaily.com/releases/20...143253.htm
RELEASE: Researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) of all Linux operating systems since late 2012 that enables attackers to hijack users' internet communications completely remotely.
Such a weakness could be used to launch targeted attacks that track users' online activity, forcibly terminate a communication, hijack a conversation between hosts or degrade the privacy guarantee by anonymity networks such as Tor.
Led by Yue Cao, a computer science graduate student in UCR's Bourns College of Engineering, the research will be presented on Wednesday (Aug. 10) at the USENIX Security Symposium in Austin, Texas. The project advisor is Zhiyun Qian, an assistant professor of computer science at UCR, whose research focuses on identifying security vulnerabilities to help software companies improve their systems.
While most users don't interact directly with the Linux operating system, the software runs behind-the -scenes on internet servers, android phones and a range of other devices. To transfer information from one source to another, Linux and other operating systems use the Transmission Control Protocol (TCP) to package and send data, and the Internet Protocol (IP) to ensure the information gets to the correct destination.
For example, when two people communicate by email, TCP assembles their message into a series of data packets -- identified by unique sequence numbers -- that are transmitted, received, and reassembled into the original message. Those TCP sequence numbers are useful to attackers, but with almost 4 billion possible sequences, it's essentially impossible to identify the sequence number associated with any particular communication by chance.
The UCR researchers didn't rely on chance though. Instead, they identified a subtle flaw (in the form of 'side channels') in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties.
This means that given any two arbitrary machines on the internet, a remote blind attacker without being able to eavesdrop on the communication, can track users' online activity, terminate connections with others and inject false material into their communications. Encrypted connections (e.g., HTTPS) are immune to data injection, but they are still subject to being forcefully terminated by the attacker. The weakness would allow attackers to degrade the privacy of anonymity networks, such as Tor, by forcing the connections to route through certain relays. The attack is fast and reliable, often taking less than a minute and showing a success rate of about 90 percent. The researchers created a short video (https://www.youtube.com/watch?v=S4Ns5wla9DY) showing how the attacks works.
Qian said unlike conventional cyber attacks, users could become victims without doing anything wrong, such as downloading malware or clicking on a link in a phishing email.
"The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain," Qian said.
Qian said the researchers have alerted Linux about the vulnerability, which has resulted in patches applied to the latest Linux version. Until then, Qian recommends the following temporary patch that can be applied to both client and server hosts. It simply raises the `challenge ACK limit' to an extremely large value to make it practically impossible to exploit the side channel. This can be done on Ubuntu, for instance, as follows:
1. Open /etc/sysctl.conf, append a command "/net.ipv4/tcp_challenge_ack_limit = 999999999."
2. Use "sysctl -p" to update the configuration.
Titled "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous," the paper is available on Qian's lab website (http://www.cs.ucr.edu/~zhiyunq/pub/sec16...ffpath.pdf). In addition to Cao and Qian, Zhongjie Wang, Tuan Dao and Srikanth V. Krishnamurthy from UC Riverside, and Lisa M. Marvel, from the United States Army Research Laboratory, contributed to the work. The work is funded by Army Research Laboratory (ARL Cyber Security CRA) and Nation Science Foundation under Grant 1464410.
http://www.theatlantic.com/magazine/arch...na/492743/
EXCERPT: [...] DNA is the oldest medium in existence for storing data, so it makes sense that the double helix could find use in computing. Scientists can encode data as DNA by assigning every number and letter to a unique string of A’s, C’s, G’s, and T’s (much like modern computers encode data as 1’s and 0’s) and then producing strands of synthetic DNA with that information. DNA-sequencing machines can later extract the data.
Why bother? Aside from being ultra-durable, DNA is also an incredibly efficient way to store information. Scientists have already been able to fit 700 terabytes of data—roughly the equivalent of 1 million CDs—in a single gram of DNA, and it can theoretically hold far more. By some estimates, all of the data currently stored on the world’s disk drives could fit in the palm of your hand if encoded in DNA. For this reason, Technicolor, the entertainment company, has begun storing old movies as DNA, starting with the 1902 film A Trip to the Moon. You can also copy DNA-based data nearly indefinitely with simple enzymes. The Harvard geneticist George Church recently converted a book he wrote into DNA, then made 70 billion copies in a test tube—making it the most reproduced text in history.
Beyond just storing data, some researchers have suggested using DNA to build biological computers. These biocomputers wouldn’t look like laptops, with screens and keyboards. Rather, they’d be chemicals inside test tubes or biological membranes. But like laptops, they would have the ability to take in information, process it, and act. DNA seems especially promising for parallel processing, which involves making millions or even billions of computations simultaneously. (An example is weather forecasting, which involves integrating temperature, barometric pressure, and humidity data for many, many points on the Earth’s surface all at once.) And unlike electronic devices, which can’t easily infiltrate living cells, DNA-based computers could penetrate these spaces, giving us ways to record information and possibly fight disease in real time....
Serious security threat to many Internet users highlighted: Communications involving Linux and Android systems can be compromised quickly, easily and from anywhere
https://www.sciencedaily.com/releases/20...143253.htm
RELEASE: Researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) of all Linux operating systems since late 2012 that enables attackers to hijack users' internet communications completely remotely.
Such a weakness could be used to launch targeted attacks that track users' online activity, forcibly terminate a communication, hijack a conversation between hosts or degrade the privacy guarantee by anonymity networks such as Tor.
Led by Yue Cao, a computer science graduate student in UCR's Bourns College of Engineering, the research will be presented on Wednesday (Aug. 10) at the USENIX Security Symposium in Austin, Texas. The project advisor is Zhiyun Qian, an assistant professor of computer science at UCR, whose research focuses on identifying security vulnerabilities to help software companies improve their systems.
While most users don't interact directly with the Linux operating system, the software runs behind-the -scenes on internet servers, android phones and a range of other devices. To transfer information from one source to another, Linux and other operating systems use the Transmission Control Protocol (TCP) to package and send data, and the Internet Protocol (IP) to ensure the information gets to the correct destination.
For example, when two people communicate by email, TCP assembles their message into a series of data packets -- identified by unique sequence numbers -- that are transmitted, received, and reassembled into the original message. Those TCP sequence numbers are useful to attackers, but with almost 4 billion possible sequences, it's essentially impossible to identify the sequence number associated with any particular communication by chance.
The UCR researchers didn't rely on chance though. Instead, they identified a subtle flaw (in the form of 'side channels') in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties.
This means that given any two arbitrary machines on the internet, a remote blind attacker without being able to eavesdrop on the communication, can track users' online activity, terminate connections with others and inject false material into their communications. Encrypted connections (e.g., HTTPS) are immune to data injection, but they are still subject to being forcefully terminated by the attacker. The weakness would allow attackers to degrade the privacy of anonymity networks, such as Tor, by forcing the connections to route through certain relays. The attack is fast and reliable, often taking less than a minute and showing a success rate of about 90 percent. The researchers created a short video (https://www.youtube.com/watch?v=S4Ns5wla9DY) showing how the attacks works.
Qian said unlike conventional cyber attacks, users could become victims without doing anything wrong, such as downloading malware or clicking on a link in a phishing email.
"The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain," Qian said.
Qian said the researchers have alerted Linux about the vulnerability, which has resulted in patches applied to the latest Linux version. Until then, Qian recommends the following temporary patch that can be applied to both client and server hosts. It simply raises the `challenge ACK limit' to an extremely large value to make it practically impossible to exploit the side channel. This can be done on Ubuntu, for instance, as follows:
1. Open /etc/sysctl.conf, append a command "/net.ipv4/tcp_challenge_ack_limit = 999999999."
2. Use "sysctl -p" to update the configuration.
Titled "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous," the paper is available on Qian's lab website (http://www.cs.ucr.edu/~zhiyunq/pub/sec16...ffpath.pdf). In addition to Cao and Qian, Zhongjie Wang, Tuan Dao and Srikanth V. Krishnamurthy from UC Riverside, and Lisa M. Marvel, from the United States Army Research Laboratory, contributed to the work. The work is funded by Army Research Laboratory (ARL Cyber Security CRA) and Nation Science Foundation under Grant 1464410.
