2981 matches found
Massive Brazilian Data Breach
I think this is the largest data breach of all time: 220 million people. Lots more stories are in Portuguese...
Friday Squid Blogging: New Report on Squid Markets
This report costs $2,000. Please don't buy it for me. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: T-Shirt
"Squid Pro Quo" T-shirt. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
NTSB Investigation of Fatal Driverless Car Accident
Autonomous systems are going to have to do much better than this. The Uber car that hit and killed Elaine Herzberg in Tempe, Ariz., in March 2018 could not recognize all pedestrians, and was being driven by an operator likely distracted by streaming video, according to documents released by the...
Workshop on the Economics of Information Security
Last week, I hosted the eighteenth Workshop on the Economics of Information Security at Harvard. Ross Anderson liveblogged the talks...
Friday Squid Blogging: Problems with the Squid Emoji
The Monterey Bay Aquarium has some problems with the squid emoji. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Hiding Secret Messages in Fingerprints
This is a fun steganographic application: hiding a message in a fingerprint image. Can't see any real use for it, but that's okay...
Friday Squid Blogging: Watch Squid Change Colors
This is an amazing short video of a squid -- I don't know the species -- changing its color instantly. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Chinese Supply Chain Hardware Attack
Bloomberg is reporting about a Chinese espionage operating involving inserting a tiny chip into computer products made in China. I've written about alternate link this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and...
Ray Ozzie's Encryption Backdoor
Last month, Wired published a long article about Ray Ozzie and his supposed new scheme for adding a backdoor in encrypted devices. It's a weird article. It paints Ozzie's proposal as something that "attains the impossible" and "satisfies both law enforcement and privacy purists," when 1 it's bare...
Israeli Scientists Accidentally Reveal Classified Information
According to this story non-paywall English version here, Israeli scientists released some information to the public they shouldn't have. Defense establishment officials are now trying to erase any trace of the secret information from the web, but they have run into difficulties because the...
Friday Squid Blogging: How the Optic Lobe Controls Squid Camouflage
Experiments on the oval squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Spectre and Meltdown Attacks
After a week or so of rumors, everyone is now reporting about the Spectre and Meltdown attacks against pretty much every modern processor out there. These are side-channel attacks where one process can spy on other processes. They affect computers where an untrusted browser window can execute cod...
Cybercriminals Infiltrating E-Mail Networks to Divert Large Customer Payments
There's a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate: The scam generally works like this: Hackers find an opening into a title company's or realty agent's email account, track upcoming...
GPS Spoofing Attacks
Wired has a story about a possible GPS spoofing attack by Russia: After trawling through AIS data from recent years, evidence of spoofing becomes clear. Goward says GPS data has placed ships at three different airports and there have been other interesting anomalies. "We would find very large oil...
A Framework for Cyber Security Insurance
New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017. Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. ...
Massive Government Data Leak in Sweden
Seems to be incompetence rather than malice, but a good example of the dangers of blindly trusting the cloud...
DNI Wants Research into Secure Multiparty Computation
The Intelligence Advanced Research Projects Activity IARPA is soliciting proposals for research projects in secure multiparty computation: Specifically of interest is computing on data belonging to different -- potentially mutually distrusting -- parties, which are unwilling or unable e.g., due t...
New Open SSH Vulnerability
Its a serious one: The vulnerability, which is a signal handler race condition in OpenSSHs server sshd, allows unauthenticated remote code execution RCE as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration. ...
New Bluetooth Attack
New attack breaks forward secrecy in Bluetooth. Three news articles: BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions forward and future secrecy, compromising the confidentiality of past and future communications between devices. This is achieved by exploitin...
Vulnerability in the Kaspersky Password Manager
A vulnerability just patched in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords: The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic...
Friday Squid Blogging: Video of Giant Squid Hunting Prey
Fantastic video of a giant squid hunting at depths between 1,827 and 3,117 feet. This is a follow-on from this post. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: On Squid Coloration
Nice excerpt from Martin Wallins book Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
DNI’s Annual Threat Assessment
The office of the Director of National Intelligence released its "Annual Threat Assessment of the U.S. Intelligence Community." Cybersecurity is covered on pages 20-21. Nothing surprising: Cyber threats from nation states and their surrogates will remain acute. States increasing use of cyber...
Friday Squid Blogging: Shark vs. Squid
National Geographic has a photo of a 7-foot long shark that fought a giant squid and lived to tell the tale. Or, at least, lived to show off the suction marks on his skin. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blo...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'll be at RSA Conference 2020 in San Francisco. On Wednesday, February 26, at 2:50 PM, I'll be part of a panel on "How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei." On Thursday, February 27, at 9:20 AM, I'm...
Homemade TEMPEST Receiver
Tom's Guide writes about home brew TEMPEST receivers: Today, dirt-cheap technology and free software make it possible for ordinary citizens to run their own Tempest programs and listen to what their own -- and their neighbors' -- electronic devices are doing. Elliott, a researcher at Boston-based...
Friday Squid Blogging: Squid Skin "Inspires" New Thermal Sheeting
Researchers are making space blankets using technology based on squid skin. Honestly, it's hard to tell how much squid is actually involved in this invention. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting...
TajMahal Spyware
Kaspersky has released details about a sophisticated nation-state spyware it calls TajMahal: The TajMahal framework's 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept document...
Estonia's Volunteer Cyber Militia
Interesting -- although short and not very detailed -- article about Estonia's volunteer cyber-defense militia. Padar's militia of amateur IT workers, economists, lawyers, and other white-hat types are grouped in the city of Tartu, about 65 miles from the Russian border, and in the capital,...
Access Now Is Looking for a Chief Security Officer
The international digital human rights organization Access Now I am on the board is looking to hire a Chief Security Officer. I believe that, somewhere, there is a highly qualified security person who has had enough of corporate life and wants instead to make a difference in the world. If that's...
Detecting Phishing Sites with Machine Learning
Really interesting article: A trained eye or even a not-so-trained one can discern when something phishy is going on with a domain or subdomain name. There are search tools, such as Censys.io, that allow humans to specifically search through the massive pile of certificate log entries for sites...
Friday Squid Blogging: Antifungal Squid-Egg Coating
The Hawaiian bobtail squid coats its eggs with antifungal bacteria. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Lifting a Fingerprint from a Photo
Police in the UK were able to read a fingerprint from a photo of a hand: Staff from the unit's specialist imaging team were able to enhance a picture of a hand holding a number of tablets, which was taken from a mobile phone, before fingerprint experts were able to positively identify that the ha...
OURSA Conference
Responding to the lack of diversity at the RSA Conference, a group of security experts have announced a competing one-day conference: OUR Security Advocates, or OURSA. It's in San Francisco, and it's during RSA, so you can attend both...
History of the US Army Security Agency
Interesting history.pdf of the US Army Security Agency in the early years of Cold War Germany...
New National Academies Report on Crypto Policy
The National Academies has just published "Decrypting the Encryption Debate: A Framework for Decision Makers." It looks really good, although I have not read it yet. Not much news or analysis yet. Please post any links you find in the comments, and I will summarize them here...
Insider Attack on Lottery Software
Eddie Tipton, a programmer for the Multi-State Lottery Association, secretly installed software that allowed him to predict jackpots. What's surprising to me is how many lotteries don't use real random number generators. What happened to picking golf balls out of wind-blown steel cages on...
Penetrating a Casino's Network through an Internet-Connected Fish Tank
Attackers used a vulnerability in an Internet-connected fish tank to successfully penetrate a casino's network. BoingBoing post...
Password Masking
Slashdot asks if password masking -- replacing password characters with asterisks as you type them -- is on the way out. I don't know if that's true, but I would be happy to see it go. Shoulder surfing, the threat is defends against, is largely nonexistent. And it is becoming harder to type in...
Using “Master Faces” to Bypass Face-Recognition Authenticating Systems
Fascinating research: "Generating Master Faces for Dictionary Attacks with a Network-Assisted Latent Space Evolution." Abstract: A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high...
Friday Squid Blogging: Jurassic Squid and Prey
A 180-million-year-old Vampire squid ancestor was fossilized along with its prey. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Fast Random Bit Generation
Science has a paper and commentary on generating 250 random terabits per second with a laser. I dont know how cryptographically secure they are, but that can be cleaned up with something like Fortuna. EDITED TO ADD 3/12: Here are free versions of the paper and the commentary...
On Vulnerability-Adjacent Vulnerabilities
At the virtual Enigma Conference, Googles Project Zeros Maggie Stone gave a talk about zero-day exploits in the wild. In it, she talked about how often vendors fix vulnerabilities only to have the attackers tweak their exploits to work again. From a MIT Technology Review article: Soon after they...
iOS XML Bug
This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox. A summary: What a crazy bug, and Siguza's explanation is very cogent. Basically, it comes down to this: XML is terrible. iOS uses XML for Plists, and Plists are used everywhere in iOS and MacOS...
Attacking the Intel Secure Enclave
Interesting paper by Michael Schwarz, Samuel Weiser, Daniel Gruss. The upshot is that both Intel and AMD have assumed that trusted enclaves will run only trustworthy code. Of course, that's not true. And there are no security mechanisms that can deal with malicious enclaves, because the designers...
Brazilian Cell Phone Hack
I know there's a lot of politics associated with this story, but concentrate on the cybersecurity aspect for a moment. The cell phones of a thousand Brazilians, including senior government officials, were hacked -- seemingly by actors much less sophisticated than rival governments. Brazil's...
An Argument that Cybersecurity Is Basically Okay
Andrew Odlyzko's new essay is worth reading -- "Cybersecurity is not very important": Abstract: There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure...
Pegasus Spyware Used in 45 Countries
Citizen Lab has published a new report about the Pegasus spyware. From a ZDNet article: The malware, known as Pegasus or Trident, was created by Israeli cyber-security firm NSO Group and has been around for at least three years -- when it was first detailed in a report over the summer of 2016. Th...
The NSA's Domestic Surveillance Centers
The Intercept has a long story about the NSA's domestic interception points. Includes some new Snowden documents...