2980 matches found
AI Risks
There is no shortage of researchers and industry titans willing to warn us about the potential destructive power of artificial intelligence. Reading the headlines, one would hope that the rapid gains in AI technology have also brought forth a unifying realization of the risks--and the steps we ne...
Breaking RSA through Insufficiently Random Primes
Basically, the SafeZone library doesnt sufficiently randomize the two prime numbers it used to generate RSA keys. Theyre too close to each other, which makes them vulnerable to recovery. There arent many weak keys out there, but there are some: So far, Böck has identified only a handful of keys i...
Details of the REvil Ransomware Attack
ArsTechnica has a good story on the REvil ransomware attack of last weekend, with technical details: This weekends attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the...
TikTok Can Now Collect Biometric Data
This is probably worth paying attention to: A change to TikToks U.S. privacy policy on Wednesday introduced a new section that says the social video app "may collect biometric identifiers and biometric information" from its users content. This includes things like "faceprints and voiceprints," th...
Friday Squid Blogging: Squids in Space
NASA is sending baby bobtail squid into space. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
On North Korea’s Cyberattack Capabilities
Excellent New Yorker article on North Koreas offensive cyber capabilities...
Backdoor Added — But Found — in PHP
Unknown hackers attempted to add a backdoor to the PHP source code. It was two malicious commits, with the subject "fix typo" and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users. But since 79% of the Internets websites use...
Friday Squid Blogging: Squid Potato Masher
A squid potato masher for only $11.50. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Threat Model Humor
At a hospital...
Insider Attack on Home Surveillance Systems
No one who reads this blog regularly will be surprised: A former employee of prominent home security company ADT has admitted that he hacked into the surveillance feeds of dozens of customer homes, doing so primarily to spy on naked women or to leer at unsuspecting couples while they had sex. …...
Brexit Deal Mandates Old Insecure Crypto Algorithms
In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA: The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME V3 allow...
Friday Squid Blogging: Vegan "Squid" Made from Chickpeas
It's beyond Beyond Meat. A Singapore company wants to make vegan "squid" -- and shrimp and crab -- from chickpeas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Cocaine Smuggled in Squid
Makes sense; there's room inside a squid's body cavity: Latin American drug lords have sent bumper shipments of cocaine to Europe in recent weeks, including one in a cargo of squid, even though the coronavirus epidemic has stifled legitimate transatlantic trade, senior anti-narcotics officials sa...
The EARN-IT Act
Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes: The EARN IT Act would create a "National Commission on Online Child Sexual Exploitation...
Election Machine Insecurity Story
Interesting story of a flawed computer voting machine and a paper ballot available for recount. All ended well, but only because of that paper backup. Vote totals in a Northampton County judge's race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across mor...
Cameras that Automatically Detect Mobile Phone Use
New South Wales is implementing a camera system that automatically detects when a driver is using a mobile phone...
Factoring 2048-bit Numbers Using 20 Million Qubits
This theoretical paper shows how to factor 2048-bit RSA moduli with a 20-million qubit quantum computer in eight hours. It's interesting work, but I don't want overstate the risk. We know from Shor's Algorithm that both factoring and discrete logs are easy to solve on a large, working quantum...
Friday Squid Blogging: Toraiz SQUID Digital Sequencer
Pioneer DJ has a new sequencer: the Toraiz SQUID: Sequencer Inspirational Device. The 16-track sequencer is designed around jamming and performance with a host of features to create "happy accidents" and trigger random sequences, modulations and chords. There are 16 RGB pads for playing in your...
On Surveillance in the Workplace
Data & Society just published a report entitled "Workplace Monitoring & Surveillance": This explainer highlights four broad trends in employee monitoring and surveillance technologies: Prediction and flagging tools that aim to predict characteristics or behaviors of employees or that are designed...
Friday Squid Blogging: Giant Squid Washes up on Wellington Beach
Another giant squid washed up on a beach, this time in Wellington, New Zealand. Is this a global trend? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Calamari Squid Catching Prey
The calamari squid grabs prey three feet away with its fast tentacles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Breaking the Anonymity in the Cryptocurrency Monero
Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions. Research paper. BoingBoing post...
Detecting Drone Surveillance with Traffic Analysis
This is clever: Researchers at Ben Gurion University in Beer Sheva, Israel have built a proof-of-concept system for counter-surveillance against spy drones that demonstrates a clever, if not exactly simple, way to determine whether a certain person or object is under aerial surveillance. They fir...
HP Shared ArcSight Source Code with Russians
Reuters is reporting that HP Enterprise gave the Russians a copy of the ArcSight source code. The article highlights that ArcSight is used by the Pentagon to protect classified networks, but the security risks are much broader. Any weaknesses the Russians discover could be used against any ArcSig...
XZ Utils Backdoor
The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer--weeks before it would have been incorporated into both Debian and Red Hat Linux. From ArsTehnica:...
Zoom Lied about End-to-End Encryption
The facts arent news, but Zoom will pay $85M -- to the class-action attorneys, and to users -- for lying to users about end-to-end encryption, and for giving user data to Facebook and Google without consent. The proposed settlement would generally give Zoom users $15 or $25 each and was filed...
NSO Group Hacked
NSO Group, the Israeli cyberweapons arms manufacturer behind the Pegasus spyware -- used by authoritarian regimes around the world to spy on dissidents, journalists, human rights workers, and others -- was hacked. Or, at least, an enormous trove of documents was leaked to journalists. Theres a lo...
Colorado Passes Consumer Privacy Law
First California. Then Virginia. Now Colorado. Heres a good comparison of the three states laws...
The Story of the 2011 RSA Hack
Really good long article about the Chinese hacking of RSA, Inc. They were able to get copies of the seed values to the SecurID authentication token, a harbinger of supply-chain attacks to come...
Friday Squid Blogging: Blobs of Squid Eggs Found Near Norway
Divers find three-foot "blobs" -- egg sacs of the squid Illex coindetii -- off the coast of Norway. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Virginia Data Privacy Law
Virginia is about to get a data privacy law, modeled on Californias law...
Malicious Barcode Scanner App
Interesting story about a barcode scanner app that has been pushing malware on to Android phones. The app is called Barcode Scanner. Its been around since 2017 and is owned by the Ukrainian company Lavabird Ldt. But a December 2020 update included some new features: However, a rash of malicious...
Humble Bundle's 2020 Cybersecurity Books
For years, Humble Bundle has been selling great books at a "pay what you can afford" model. This month, they're featuring as many as nineteen cybersecurity books for as little as $1, including four of mine. These are digital copies, all DRM-free. Part of the money goes to support the EFF or Let's...
EFF on the Mechanics of Corporate Surveillance
EFF has published a comprehensible and very readable "deep dive" into the technologies of corporate surveillance, both on the Internet and off. Well worth reading and sharing. Boing Boing post...
Details of the Olympic Destroyer APT
Interesting details on Olympic Destroyer, the nation-state cyberattack against the 2018 Winter Olympic Games in South Korea. Wired's Andy Greenberg presents evidence that the perpetrator was Russia, and not North Korea or China...
New Research into Russian Malware
There's some interesting new research about Russian APT malware: The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds. This, in turn, has resulted in each group developing and hoarding its tools, rather than...
New Biometrics
This article discusses new types of biometrics under development, including gait, scent, heartbeat, microbiome, and butt shape no, really...
How Privacy Laws Hurt Defendants
Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don't have the same level of access to aid in their defense: The proposed privacy laws would make this situatio...
Vulnerability in French Government Tchap Chat App
A researcher found a vulnerability in the French government WhatsApp replacement app: Tchap. The vulnerability allows anyone to surreptitiously join any conversation. Of course the developers will fix this vulnerability. But it is amusing to point out that this is exactly the backdoor that GCHQ i...
Mail Fishing
Not email, paper mail: Thieves, often at night, use string to lower glue-covered rodent traps or bottles coated with an adhesive down the chute of a sidewalk mailbox. This bait attaches to the envelopes inside, and the fish in this case -- mail containing gift cards, money orders or checks, which...
New Shamoon Variant
A new variant of the Shamoon malware has destroyed significant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem. Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no ide...
FBI Takes Down a Massive Advertising Fraud Ring
The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people: A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr...
Information Attacks against Democracies
Democracy is an information system. That's the starting place of our new paper: "Common-Knowledge Attacks on Democracy." In it, we look at democracy through the lens of information security, trying to understand the current waves of Internet disinformation attacks. Specifically, we wanted to...
Another Spectre-Like CPU Vulnerability
Google and Microsoft researchers have disclosed another Spectre-like CPU side-channel vulnerability, called "Speculative Store Bypass." Like the others, the fix will slow the CPU down. The German tech site Heise reports that more are coming. I'm not surprised. Writing about Spectre and Meltdown i...
New NSA/Cyber Command Head Confirmed by Senate
It's Lt. Gen. Paul Nakasone. I know nothing about him...
Adding Backdoors at the Chip Level
Interesting research into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version," also available here: Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientif...
Friday Squid Blogging: Giant Squid Stealing Food from Each Other
An interesting hunting strategy: Off of northern Spain, giant squid often feed on schools of fish called blue whiting. The schools swim 400 meters or less below the surface, while the squid prefer to hang out around a mile deep. The squid must ascend to hunt, probably seizing fish from below with...
Facebook Will Verify the Physical Location of Ad Buyers with Paper Postcards
It's not a great solution, but it's something: The process of using postcards containing a specific code will be required for advertising that mentions a specific candidate running for a federal office, Katie Harbath, Facebook's global director of policy programs, said. The requirement will not...
After Section 702 Reauthorization
For over a decade, civil libertarians have been fighting government mass surveillance of innocent Americans over the Internet. We've just lost an important battle. On January 18, President Trump signed the renewal of Section 702, domestic mass surveillance became effectively a permanent part of U...
E-Mail Tracking
Interesting survey paper: on the privacy implications of e-mail tracking: Abstract: We show that the simple act of viewing emails contains privacy pitfalls for the unwary. We assembled a corpus of commercial mailing-list emails, and find a network of hundreds of third parties that track email...