2981 matches found
Mail Fishing
Not email, paper mail: Thieves, often at night, use string to lower glue-covered rodent traps or bottles coated with an adhesive down the chute of a sidewalk mailbox. This bait attaches to the envelopes inside, and the fish in this case -- mail containing gift cards, money orders or checks, which...
New Shamoon Variant
A new variant of the Shamoon malware has destroyed significant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem. Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no ide...
FBI Takes Down a Massive Advertising Fraud Ring
The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people: A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr...
Information Attacks against Democracies
Democracy is an information system. That's the starting place of our new paper: "Common-Knowledge Attacks on Democracy." In it, we look at democracy through the lens of information security, trying to understand the current waves of Internet disinformation attacks. Specifically, we wanted to...
Two NSA Algorithms Rejected by the ISO
The ISO has rejected two symmetric encryption algorithms: SIMON and SPECK. These algorithms were both designed by the NSA and made public in 2013. They are optimized for small and low-cost processors like IoT devices. The risk of using NSA-designed ciphers, of course, is that they include...
Friday Squid Blogging: Eating Firefly Squid
In Tokama, Japan, you can watch the firefly squid catch and eat them in various ways: "It's great to eat hotaruika around when the seasons change, which is when people tend to get sick," said Ryoji Tanaka, an executive at the Toyama prefectural federation of fishing cooperatives. "In addition to...
Friday Squid Blogging: Sake Decanters Made of Dried Squid
This is interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Hacking a Phone Through a Replacement Touchscreen
Researchers demonstrated a really clever hack: they hid malware in a replacement smart phone screen. The idea is that you would naively bring your smart phone in for repair, and the repair shop would install this malicious screen without your knowledge. The malware is hidden in touchscreen...
Forged Documents and Microsoft Fonts
A set of documents in Pakistan were detected as forgeries because their fonts were not in circulation at the time the documents were dated...
Post-Quantum RSA
Interesting research on a version of RSA that is secure against a quantum computer: Post-quantum RSA Daniel J. Bernstein, Nadia Heninger, Paul Lou, and Luke Valenta Abstract: This paper proposes RSA parameters for which 1 key generation, encryption, decryption, signing, and verification are...
Defeating Microsoft’s Trusted Platform Module
This is a really interesting story explaining how to defeat Microsofts TPM in 30 minutes -- without having to solder anything to the motherboard. Researchers at the security consultancy Dolos Group, hired to test the security of one clients network, received a new Lenovo computer preconfigured to...
More Russian Hacking
Two reports this week. The first is from Microsoft, which wrote: As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our...
The Future of Machine Learning and Cybersecurity
The Center for Security and Emerging Technology has a new report: "Machine Learning and Cybersecurity: Hype and Reality." Heres the bottom line: The report offers four conclusions: Machine learning can help defenders more accurately detect and triage potential attacks. However, in many cases thes...
Intentional Flaw in GPRS Encryption Algorithm GEA-1
General Packet Radio Service GPRS is a mobile data standard that was widely used in the early 2000s. The first encryption algorithm for that standard was GEA-1, a stream cipher built on three linear-feedback shift registers and a non-linear combining function. Although the algorithm has a 64-bit...
Detecting Deepfake Picture Editing
"Markpainting" is a clever technique to watermark photos in such a way that makes it easier to detect ML-based manipulation: An image owner can modify their image in subtle ways which are not themselves very visible, but will sabotage any attempt to inpaint it by adding visible information...
Information Flows and Democracy
Henry Farrell and I published a paper on fixing American democracy: "Rechanneling Beliefs: How Information Flows Hinder or Help Democracy." Its much easier for democratic stability to break down than most people realize, but this doesnt mean we must despair over the future. Its possible, though...
Malware Hidden in Call of Duty Cheating Software
News article: Most troublingly, Activision says that the "cheat" tool has been advertised multiple times on a popular cheating forum under the title "new COD hack." Gamers looking to flout the rules will typically go to such forums to find new ways to do so. While the report doesnt mention which...
On Chinese-Owned Technology Platforms
I am a co-author on a report published by the Hoover Institution: "Chinese Technology Platforms Operating in the United States." From a blog post: The report suggests a comprehensive framework for understanding and assessing the risks posed by Chinese technology platforms in the United States and...
Friday Squid Blogging: Searching for Giant Squid by Collecting Environmental DNA
The idea is to collect and analyze random DNA floating around the ocean, and using that to figure out where the giant squid are. No one is sure if this will actually work. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blo...
IMSI-Catchers from Canada
Gizmodo is reporting that Harris Corp. is no longer selling Stingray IMSI-catchers and, presumably, its follow-on models Hailstorm and Crossbow to local governments: L3Harris Technologies, formerly known as the Harris Corporation, notified police agencies last year that it planned to discontinue...
US Government Exposes North Korean Malware
US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February. The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool RAT "used by advanced persistent threat APT cyber...
The Story of Tiversa
The New Yorker has published the long and interesting story of the cybersecurity firm Tiversa. Watching "60 Minutes," Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turn...
Obfuscation as a Privacy Tool
This essay discusses the futility of opting out of surveillance, and suggests data obfuscation as an alternative. We can apply obfuscation in our own lives by using practices and technologies that make use of it, including: The secure browser Tor, which among other anti-surveillance technologies...
Cheating at Professional Poker
Interesting story about someone who is almost certainly cheating at professional poker. But then I start to see things that seem so obvious, but I wonder whether they aren't just paranoia after hours and hours of digging into the mystery. Like the fact that he starts wearing a hat that has a...
Speakers Censored at AISA Conference in Melbourne
Two speakers were censored at the Australian Information Security Association's annual conference this week in Melbourne. Thomas Drake, former NSA employee and whistleblower, was scheduled to give a talk on the golden age of surveillance, both government and corporate. Suelette Dreyfus, lecturer ...
First Physical Retaliation for a Cyberattack
Israel has acknowledged that its recent airstrikes against Hamas were a real-time response to an ongoing cyberattack. From Twitter: CLEARED FOR RELEASE: We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a buildi...
Blockchain and Trust
In his 2008 white paper that first proposed bitcoin, the anonymous Satoshi Nakamoto concluded with: "We have proposed a system for electronic transactions without relying on trust." He was referring to blockchain, the system behind bitcoin cryptocurrency. The circumvention of trust is a great...
How Surveillance Inhibits Freedom of Expression
In my book Data and Goliath, I write about the value of privacy. I talk about how it is essential for political liberty and justice, and for commercial fairness and equality. I talk about how it increases personal freedom and individual autonomy, and how the lack of it makes us all less secure. B...
Friday Squid Blogging: British Columbia "Squid Run" Is a Tourist Attraction
On James Island. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Fried Squid with Turmeric
Good-looking recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Market Squid in Alaskan Waters
Rising sea temperatures is causing market squid to move north into Alaskan waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
E-Mail Leaves an Evidence Trail
If you're going to commit an illegal act, it's best not to discuss it in e-mail. It's also best to Google tech instructions rather than asking someone else to do it: One new detail from the indictment, however, points to just how unsophisticated Manafort seems to have been. Here's the relevant...
Jackpotting Attacks Against US ATMs
Brian Krebs is reporting sophisticated jackpotting attacks against US ATMs. The attacker gains physical access to the ATM, plants malware using specialized electronics, and then later returns and forces the machine to dispense all the cash it has inside. The Secret Service alert explains that the...
Jim Risen Writes about Reporting Government Secrets
Jim Risen writes a long and interesting article about his battles with the US government and the New York Times to report government secrets...
Post-Quantum Algorithms
NIST has organized a competition for public-key algorithms secure against a quantum computer. It recently published all of its Round 1 submissions. Details of the NIST efforts are here. A timeline for the new algorithms is here...
Your Personal Bodycam
Shonin is a personal bodycam up on Kickstarter. There are a lot of complicated issues surrounding bodycams -- for example, it's obvious that police bodycams reduce violence -- but the one thing everyone is certain about is that they will proliferate. I'm not sure society is fully ready for the...
The grugq on Reality Winner, the Intercept, and OPSEC
Good commentary...
NSA AI Security Center
The NSA is starting a new artificial intelligence security center: The AI security centers establishment follows an NSA study that identified securing AI models from theft and sabotage as a major national security challenge, especially as generative AI technologies emerge with immense...
What Will It Take?
What will it take for policy makers to take cybersecurity seriously? Not minimal-change seriously. Not here-and-there seriously. But really seriously. What will it take for policy makers to take cybersecurity seriously enough to enact substantive legislative changes that would address the problem...
Storing Encrypted Photos in Google’s Cloud
New paper: "Encrypted Cloud Photo Storage Using Google Photos": Abstract: Cloud photo services are widely used for persistent, convenient, and often free photo storage, which is especially useful for mobile devices. As users store more and more photos in the cloud, significant privacy concerns...
Apple Will Offer Onion Routing for iCloud/Safari Users
At this years Apple Worldwide Developer Conference, Apple announced something called "iCloud Private Relay." Thats basically its private version of onion routing, which is what Tor does. Privacy Relay is built into both the forthcoming iOS and MacOS versions, but it will only work if youre an...
Security and Human Behavior (SHB) 2021
Today is the second day of the fourteenth Workshop on Security and Human Behavior. The University of Cambridge is the host, but were all on Zoom. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro...
The Misaligned Incentives for Cloud Security
Russias Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and US federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians success was their ability to move through these...
Identifying People Through Lack of Cell Phone Use
In this entertaining story of French serial criminal Rédoine Faïd and his jailbreaking ways, theres this bit about cell phone surveillance: After Faïds helicopter breakout, 3,000 police officers took part in the manhunt. According to the 2019 documentary La Traque de Rédoine Faïd, detective units...
Security Vulnerabilities in Cellebrite
Moxie Marlinspike has an intriguing blog post about Cellebrite, a tool used by police and others to break into smartphones. Moxie got his hands on one of the devices, which seems to be a pair of Windows software packages and a whole lot of connecting cables. According to Moxie, the software is...
Exploiting Spectre Over the Internet
Google has demonstrated exploiting the Spectre CPU attack remotely over the web: Today, were sharing proof-of-concept PoC code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome...
National Security Risks of Late-Stage Capitalism
Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds. The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US...
SonicWall Zero-Day
Hackers are exploiting a zero-day in SonicWall: In an email, an NCC Group spokeswoman wrote: "Our team has observed signs of an attempted exploitation of a vulnerabilitythat affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth." In...
COVID-19 Risks of Flying
I fly a lot. Over the past five years, my average speed has been 32 miles an hour. That all changed mid-March. It's been 105 days since I've been on an airplane -- longer than any other time in my adult life -- and I have no future flights scheduled. This is all a prelude to saying that I have be...
Microsoft Buys Corp.com
A few months ago, Brian Krebs told the story of the domain corp.com, and how it is basically a security nightmare: At issue is a problem known as "namespace collision," a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains th...