2981 matches found
Thomas Dullien on Complexity and Security
For many years, I have said that complexity is the worst enemy of security. At CyCon earlier this month, Thomas Dullien gave an excellent talk on the subject with far more detail than I've ever provided. Video. Slides...
Replacing Social Security Numbers
In the wake of the Equifax break, I've heard calls to replace Social Security numbers. Steve Bellovin explains why this is hard...
Unfixable Automobile Computer Security Vulnerability
There is an unpatchable vulnerability that affects most modern cars. It's buried in the Controller Area Network CAN: Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable...
Bank Robbery Tactic
This video purports to be a bank robbery in Kiev. He first threatens a teller, who basically ignores him because she's behind bullet-proof glass. But then the robber threatens one of her co-workers, who is on his side of the glass. Interesting example of a security system failing for an unexpecte...
Many of My E-Books for Cheap
Humble Bundle is selling a bunch of cybersecurity books very cheaply. You can get copies of Applied Cryptography, Secrets and Lies, and Cryptography Engineering -- and also Ross Anderson's Security Engineering, Adam Shostack's Threat Modeling, and many others. This is the cheapest you'll ever see...
Friday Squid Blogging: Squid Skin Is Naturally Anti-microbial
Often it feels like squid just evolved better than us mammals. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: 500-Million-Year-Old Cephalopod
The oldest known cephalopod -- the ancestor of all modern octopuses, squid, cuttlefish and nautiluses -- is 500 million years old. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Dependency Confusion: Another Supply-Chain Vulnerability
Alex Birsan writes about being able to install malware into proprietary corporate software by naming the code files to be identical to internal corporate code files. From a ZDNet article: Today, developers at small or large companies use package managers to download and import libraries that are...
Policy vs Technology
Sometime around 1993 or 1994, during the first Crypto Wars, I was part of a group of cryptography experts that went to Washington to advocate for strong encryption. Matt Blaze and Ron Rivest were with me; I don't remember who else. We met with then Massachusetts Representative Ed Markey. He didn'...
Friday Squid Blogging: Squids Are as Intelligent as Dogs
More news based on the squid brain MRI scan: the complexity of their brains are comparable to dogs. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Customer Tracking at Ralphs Grocery Store
To comply with California's new data privacy law, companies that collect information on consumers and users are forced to be more transparent about it. Sometimes the results are creepy. Here's an article about Ralphs, a California supermarket chain owned by Kroger: ...the form proceeds to state...
Calculating the Benefits of the Advanced Encryption Standard
NIST has completed a study -- it was published last year, but I just saw it recently -- calculating the costs and benefits of the Advanced Encryption Standard. From the conclusion: The result of performing that operation on the series of cumulated benefits extrapolated for the 169 survey...
Using Machine Learning to Detect IP Hijacking
This is interesting research: In a BGP hijack, a malicious actor convinces nearby networks that the best path to reach a specific IP address is through their network. That's unfortunately not very hard to do, since BGP itself doesn't have any security procedures for validating that a message is...
Cracking the Passwords of Early Internet Pioneers
Lots of them weren't very good: BSD co-inventor Dennis Ritchie, for instance, used "dmac" his middle name was MacAlistair; Stephen R. Bourne, creator of the Bourne shell command line interpreter, chose "bourne"; Eric Schmidt, an early developer of Unix software and now the executive chairman of...
On Cybersecurity Insurance
Good paper on cybersecurity insurance: both the history and the promise for the future. From the conclusion: Policy makers have long held high hopes for cyber insurance as a tool for improving security. Unfortunately, the available evidence so far should give policymakers pause. Cyber insurance...
Programmers Who Don't Understand Security Are Poor at Security
A university study confirmed the obvious: if you pay a random bunch of freelance programmers a small amount of money to write security software, they're not going to do a very good job at it. In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn...
"Insider Threat" Detection Software
Notice this bit from an article on the arrest of Christopher Hasson: It was only after Hasson's arrest last Friday at his workplace that the chilling plans prosecutors assert he was crafting became apparent, detected by an internal Coast Guard program that watches for any "insider threat." The...
The Digital Security Exchange Is Live
Last year I wrote about the Digital Security Exchange. The project is live: The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats. We do this by pairing civil society and social sector organizations with...
Research on What Motivates ISIS -- and Other -- Fighters
Interesting research from Nature Human Behaviour: "The devoted actor's will to fight and the spiritual dimension of human conflict": Abstract: Frontline investigations with fighters against the Islamic State ISIL or ISIS, combined with multiple online studies, address willingness to fight and die...
De-anonymization Story
This is important: Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops USCCB, effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work,...
AI-Piloted Fighter Jets
News from Georgetowns Center for Security and Emerging Technology: China Claims Its AI Can Beat Human Pilots in Battle: Chinese state media reported that an AI system had successfully defeated human pilots during simulated dogfights. According to the Global Times report, the system had shot down...
Friday Squid Blogging: Picking up Squid on the Beach
Make sure theyre dead. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Metadata Left in Security Agency PDFs
Really interesting research: "Exploitation and Sanitization of Hidden Data in PDF Files" Abstract: Organizations publish and share more and more electronic documents like PDF files. Unfortunately, most organizations are unaware that these documents can compromise sensitive information like author...
Friday Squid Blogging: China Launches Six New Squid Jigging Vessels
From Pingtan Marine Enterprise: The 6 large-scale squid jigging vessels are normally operating vessels that returned to China earlier this year from the waters of Southwest Atlantic Ocean for maintenance and repair. These vessels left the port of Mawei on December 17, 2020 and are sailing to the...
Friday Squid Blogging: Small Giant Squid Washes Ashore in Japan
A ten-foot giant squid has washed ashore on the Western coast of Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Glitter Bomb against Package Thieves
Stealing packages from unattended porches is a rapidly rising crime, as more of us order more things by mail. One person hid a glitter bomb and a video recorder in a package, posting the results when thieves opened the box. At least, that's what might have happened. At least some of the video was...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018. I'm appearing on IBM Resilient's End of Year Review webinar on "The Top Cyber Security Trends in 2018 and Predictions for the Year Ahead," December 6, 2018 at...
The Pentagon Is Publishing Foreign Nation-State Malware
This is a new thing: The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat...
Friday Squid Blogging: Squid Protein Used in Variable Thermal Conductivity Material
This is really neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Suing South Carolina Because Its Election Machines Are Insecure
A group called Protect Democracy is suing South Carolina because its insecure voting machines are effectively denying people the right to vote. Note: I am an advisor to Protect Democracy on its work related to election cybersecurity, and submitted a declaration in litigation it filed, challenging...
On the Security of Walls
Interesting history of the security of walls: Dún Aonghasa presents early evidence of the same principles of redundant security measures at work in 13th century castles, 17th century star-shaped artillery fortifications, and even "defense in depth" security architecture promoted today by the...
Student Cracks Inca Knot Code
Interesting...
Motherboard Digital Security Guide
This digital security guide by Motherboard is very good. I put alongside EFF's "Surveillance Self-Defense" and John Scott-Railton's "Digital Security Low Hanging Fruit." There's also "Digital Security and Privacy for Human Rights Defenders." There are too many of these...
Long Article on NSA and the Shadow Brokers
The New York Times just published a long article on the Shadow Brokers and their effects on NSA operations. Summary: it's been an operational disaster, the NSA still doesn't know who did it or how, and NSA morale has suffered considerably. This is me on the Shadow Brokers from last May...
Robot Safecracking
Robots can crack safes faster than humans -- and differently: So Seidle started looking for shortcuts. First he found that, like many safes, his SentrySafe had some tolerance for error. If the combination includes a 12, for instance, 11 or 13 would work, too. That simple convenience measure meant...
More on the NSA's Use of Traffic Shaping
"Traffic shaping" -- the practice of tricking data to flow through a particular route on the Internet so it can be more easily surveiled -- is an NSA technique that has gotten much less attention than it deserves. It's a powerful technique that allows an eavesdropper to get access to communicatio...
Friday Squid Blogging: Squid-Related Game
Its called "Squid Fishering." As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
APT Horoscope
This delightful essay matches APT hacker groups up with astrological signs. This is me: Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, Helix Kitten also known as APT 35 or OilRig is a skilled navigator of vast online networks, maneuvering...
Friday Squid Blogging: Ram’s Horn Squid Video
This is the first video footage of a rams horn squid Spirula spirula . As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: Giant Squid Washes Up on South African Beach
Fourteen feet long and 450 pounds. It was dead before it washed up. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Humboldt Squid Backlight Themselves to Communicate More Clearly
This is neat: Deep in the Pacific Ocean, six-foot-long Humboldt squid are known for being aggressive, cannibalistic and, according to new research, good communicators. Known as "red devils," the squid can rapidly change the color of their skin, making different patterns to communicate, something...
Attacker Causes Epileptic Seizure over the Internet
This isn't a first, but I think it will be the first conviction: The GIF set off a highly unusual court battle that is expected to equip those in similar circumstances with a new tool for battling threatening trolls and cyberbullies. On Monday, the man who sent Eichenwald the moving image, John...
Scaring People into Supporting Backdoors
Back in 1998, Tim May warned us of the "Four Horsemen of the Infocalypse": "terrorists, pedophiles, drug dealers, and money launderers." I tended to cast it slightly differently. This is me from 2005: Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, an...
Security Vulnerabilities in Android Firmware
Researchers have discovered and revealed 146 vulnerabilities in various incarnations of Android smartphone firmware. The vulnerabilities were found by scanning the phones of 29 different Android makers, and each is unique to a particular phone or maker. They were found using automatic tools, and ...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking on "Securing a World of Physically Capable Computers" at the Indian Institute of Science in Bangalore, India on December 12, 2019. The list is maintained on this page...
Supply-Chain Security and Trust
The United States government's continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general: We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy. Solving this problem which is...
The Myth of Consumer-Grade Security
The Department of Justice wants access to encrypted consumer devices but promises not to infiltrate business products or affect critical infrastructure. Yet that's not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical...
Surveillance as a Condition for Humanitarian Aid
Excellent op-ed on the growing trend to tie humanitarian aid to surveillance. Despite the best intentions, the decision to deploy technology like biometrics is built on a number of unproven assumptions, such as, technology solutions can fix deeply embedded political problems. And that auditing fo...
Adversarial Machine Learning against Tesla's Autopilot
Researchers have been able to fool Tesla's autopilot in a variety of ways, including convincing it to drive into oncoming traffic. It requires the placement of stickers on the road. Abstract: Keen Security Lab has maintained the security research work on Tesla vehicle and shared our research...
EU Offering Bug Bounties on Critical Open-Source Software
The EU is offering "bug bounties on Free Software projects that the EU institutions rely on." Slashdot thread...