One of the best password managers for your PC, devices, and the cloud

D. asked me to recommend a good password manager.
Everyone who uses the Internet absolutely must have a password manager. Without one, you'll forget some of your passwords. Or you'll use the same password for different sites, which allows a thief who's hacked one password to know them all. Or you'll use simple passwords that are easy to remember but also easy to hack.
A password manager program stores your passwords and other login information in an encrypted database. If you need to log into a website or a secure application, you open the password manager, type the password to your password manager (which is the only password you'll ever have to memorize), and get the information that you need.
But which password manager should you use?
[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

KeePass Password Safe

I use KeePass Password Safe, which is both free and open source. (Of course, there are plenty of other options.) Thanks to the recent Heartbleed and Truecrypt vulnerabilities, I'm not as big a fan of open-source security software as I used to be. But I've seen nothing to convince me that open source is less safe than closed source--which could have a backdoor that we'd never learn about.
Popular open-source programs tend to be cross-platform, because anyone with the skills can create a compatible program. I use Android and iOS password managers that are compatible with KeePass, and use the same database file with them and my Windows PC.

You can set up a KeePass database to be opened with a password, a keyfile, or both. A keyfile can be any sort of file, but if that file changes in any way--even a single flipped bit--the database will become inaccessible and you'll lose all of your passwords.
If you go the password route, you'll need a password that you can remember, but is too long and complex for anyone else to hack. If you forget your password, you'll lose access to all of your other passwords (that's the disadvantage of not having a backdoor). And if it's too short or simple (such as a single word), it can be hacked.
KeePass has other useful features. You can organize your passwords into folders--like files on a drive. It can generate long, complex, and random passwords of any length. And with the click of an icon, it can automatically insert the appropriate name and password into a web page.

WELCOME TO THE FUTURE WITH NO FUEL SPACE ENGINE

NASA has carried out tests on futuristic no-fuel quantum space engine which works 

A study conducted last year by NASA scientists has become the latest, and by far the highest profile, piece of evidence in favor of a seemingly impossible space thruster design that’s been evoking worldwide skepticism for some time now. Apparently annoyed by the persistent boosters of several similar but distinct designs, the space agency finally agreed to test an American-made variant called the Cannae Drive. “Alright!” they said. “We’ll test your stupid drive that won’t work.” Except it did work. Seemingly in contravention of the law of conservation of momentum, the team confirmed that the device produces thrust by using electricity, and nothing else. Supporters call them microwave thrusters or quantum vacuum plasma thrusters (QVPT), while most others use the phrase “anomalous thrust device.”
First, the results of NASA’s experiment, since that’s all the team itself wants you to be talking about. Seemingly wanting to avoid unproductive controversy about the nature of existence, they’ve totally ignored the question of how the drive works in favour of simply reporting the data. With controls in place to avoid any confounding forces or variables, the NASA team recorded a reliable thrust between 30 and 50 micro-Newtons, less than a thousandth of the output of some relatively low-powered ion thrusters in use today. Still, the ion thrusters require fuel to operate, and the original QVPT inventor claims the version NASA tested is flawed, leading them to collect far lower thrust readings than his original can provide.

This is an older version of the QVPT than the one NASA tested, though it may still produce more thrust

If confirmed, the practical upshot of this technology would be amazing. Solar panels could provide the electricity needed to keep the thruster working, meaning that propulsion would be low-thrust and long-term with virtually no associated cost. That would not only drastically reduce the cost of keeping satellites running and in orbit, but it could make interstellar travel much easier; Harold White, of warp drive fame, predicted that a beefed up version of the QVPT could reach Proxima Centauri in about 30 years (assuming the concept actually works at all).

Warp drives aren’t such a harebrained concept any more, so why should quantum drives be?

While NASA might not want to talk about it, though, for us it’s worth discussing just how this drive’s creators hypothesize the thruster works. By now, most people are aware that the laws of classical physics tend to break down at the quantum scale, and exploiting that fact can give you interesting little physical impossibilities like infinitely accelerating negative-mass photons. However, the effects of these quantum-scale impossibilities have always stayed at the quantum scale; sure one atom could theoretically phase-shift through another, but we still can’t run through walls.
The central insight here (assuming this isn’t all a big mistake) is that something called quantum vacuum fluctuations will occasionally spontaneously create particles all throughout the vacuum of space, and that these short-lived particles can be put to useful work. Thus, this thruster actually does use fuel — it just finds and uses that fuel as it goes. The thruster essentially turns these virtual particles into a plasma and expels them out the back of the ship, much like a conventional fuel source. The quantum fuel, though, spontaneously appears inside the thruster’s reaction area without even the need for collection or injection hardware. All things considered, that’s more than a little exciting.

Ion thrusters are another low-powered solution, applying weak but constant acceleration

The original design, called the emDrive by creator Roger Shawyer, should get significantly more attention in the coming months, which ought to feel good given the long struggles he’s had with professional apathy and skepticism. As mentioned, the version tested by NASA is distinct from the emDrive, but still (they think) makes use of the quantum vacuum particles as the propellant. There are very preliminary plans to test a version of the drive in space, but such orbital work is expensive; now it might finally have the juice to warrant such a plan.

Update Your Java to Patch 20 Vulnerabilities Or Just Disable it

Today, Oracle has released its quarterly Critical Patch Update (CPU) for the month of July, as part of its monthly security bulletin, in which it fixes a total of 113 new security vulnerabilities for hundreds of the company’s products.

The security update for Oracle’s popular browser plug-in Java addresses 20 vulnerabilities in the software, all of which are remotely exploitable without authentication, that means an attacker wouldn't need a username and password to exploit them over a network.

MOST CRITICAL ONE TO PATCH FIRST

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One or more of the Java vulnerabilities received the most “critical” rating according to Oracle’s Common Vulnerability Scoring System (CVSS), i.e. base score of 10 or near.

Although, numerous other Oracle products and software components addressed in the latest security updates, which address around 29 vulnerabilities in Oracle Fusion Middleware out of which 27 enable remote code execution, seven vulnerabilities in Hyperion products and five apiece for Oracle database and E-Business Suite. But, Java was the only impacted with security issues scoring the highest critical rating.

So, Java patches are the most urgent and should be at the top of your list, as one of the Java SE vulnerabilities (CVE-2014-4227) in this patch update, scores ten out of ten in the common vulnerability rating system, and seven of the other Java SE client vulnerabilities received a CVSS score of 9.3.

Oracle Database Server will also be updated for five vulnerabilities, one of which is remotely exploitable, while there will be 10 patches released for MySQL Server, but none of them are remotely exploitable.

JAVA WILL CONTINUE TO SUPPORT WINDOWS XP

The company recently announced that it would no longer support Java on Windows XP, though it expect Java 7 to continue to work on Windows XP platform and Oracle security updates for Java on XP machines will continue.

“This end of support announcement has been misread as ‘Java no longer works on Windows XP’ or ‘Oracle will stop Java updates from being applied on Windows XP.’ These statements are not correct,” said Oracle vice-president of product management in the Java Platform Group Henrik Stahl.

“We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future. In particular, we expect that JDK 7 will continue to work on Windows XP.”

However, Java 8 is not designed even to install on Windows XP operating system. So, the installer for the developer releases of Java 8 will not run on it without manual intervention.

PATCH OR SIMPLY DISABLE JAVA?

Java runs on more than 850 million personal computers and on billions of devices worldwide, therefore protecting against Java zero-day exploits is a rising concern among millions of Windows, Mac OS, and Linux users.



Security experts recommend not installing Java if you don't already have it, and perhaps even disable it if you have it if you do not regularly use an application or visit any Web site that requires Java.

UPDATE YOUR SYSTEMS NOW

The company is urging its customers to update their systems as soon as possible. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the firm warned.

Oracle has published the full details about the list of patches here.

HACKING SMART-CARS

By

Illustration: iStockphoto

Walk into a BMW, Infiniti or Cadillac showroom, and you might see a host of enticing new cars. Chris Valasek, on the other hand, sees targets for an attack.
He and a colleague have conducted the first industry-wide study of remote hacking possibilities (not actual hacks) for smart cars. The researchers are presenting their work at this week’s Black Hat security conference in Las Vegas.
While they discovered numerous potential exploits, they also found the hacks needed to open the cars’ computers to mischief to be time-consuming, expensive, and difficult. Don’t expect your Bluetooth-enabled 2015 Cadillac Escalade — vulnerable though it may be to theoretical attacks — to be maliciously transformed into a spam botnet, like press accounts earlier this year suggested some smart fridges could be.
Any rational hacker isn’t going to waste inordinate resources when botnets can always be made cheaper and easier going after vulnerable PCs and smartphones, Valasek says. On the other hand, companies that operate luxury cars for specialized purposes such as limousines and high-end security vehicles might want to pay special attention to this new work.
“Because the research effort is pretty great and very costly, a car [attack] would be very targeted,” he says. Dignitaries and other high-value occupants of smart cars make the most likely targets for the ultimate recipients of smart car hacks.
“If you have a vulnerability in your internet browser, someone may hack your computer and steal your credit card number,” he says. “But if they hack into your car, while it seems it’s much more difficult, the circumstances could be them wrecking your car or tracking wherever you drive. So I think that’s why people tend to be a little more scared about it.”
Not surprisingly, James Bond anticipated the trend. In the 1997 movie Tommorow Never Dies, Bond, played by Pierce Brosnan, uses an early Ericsson mobile phone to control his BMW 750i.
In the cases Valasek and his co-author Charlie Miller (whose day job is at Twitter) considered, of course, the bad guys would be the ones seizing control of the vehicle.
And for the 21 different cars the researchers surveyed, they considered three essential components of an attack: the possible ways in, the computers that could be compromised, and the control features —the “cyberphysical” assets as they call it—that those compromised automotive computers could then maliciously exploit.
For example, Valasek says, the three most vulnerable of the 21 cars they looked at were the 2014 Jeep Cherokee, 2015 Cadillac Escalade, and the 2014 Infiniti Q50.
“There’s a lot of remote connectivity,” he says of the Escalade. “They have cellular communications, bluetooth communications, regular radio communications. They have an internet app for your phone, and an app for your car. And there’s a lot of cyberphysical features. The car can brake itself. There’s power-assisted steering. Things like that.”
By contrast, the least hackable of the 21 were the 2014 Dodge Viper, 2014 Audi A8, and the 2014 Honda Accord.
Of the A8, for instance, Valasek and Miller report that “The vehicle not only separates viable attack points (Bluetooth, telematics, radio) from safety critical components (steering, braking, acceleration), but also has them working on different" computer networks.
For all 21 cars, the researchers were studying publicly available documentation and car specs available to mechanics on the car companies’ websites. Valasek says the next phase of his research will involve using their findings to try to actually hack and maliciously exploit one or more of the cars he studied.
He adds that the hacks and exploits are all in the service of finding holes in the system and helping the car companies patch them up before bad guys can do the same. Indeed, as of last month Valasek was appointed to head the new Vehicle Security Research team at his company IOActive.
He says the full report he and Miller will be presenting at Black Hat this week will be posted on IOActive’s website before the end of the summer.


source:spectrum