2984 matches found
Security and Human Behavior (SHB) 2021
Today is the second day of the fourteenth Workshop on Security and Human Behavior. The University of Cambridge is the host, but were all on Zoom. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro...
The Misaligned Incentives for Cloud Security
Russias Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and US federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians success was their ability to move through these...
Security Vulnerabilities in Cellebrite
Moxie Marlinspike has an intriguing blog post about Cellebrite, a tool used by police and others to break into smartphones. Moxie got his hands on one of the devices, which seems to be a pair of Windows software packages and a whole lot of connecting cables. According to Moxie, the software is...
Exploiting Spectre Over the Internet
Google has demonstrated exploiting the Spectre CPU attack remotely over the web: Today, were sharing proof-of-concept PoC code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome...
Friday Squid Blogging: On SQUIDS
A good tutorial: But we can go beyond the polarization of electrons and really leverage the electron waviness. By interleaving thin layers of superconducting and normal materials, we can make the quantum electronic equivalents of transistors and diodes such as Superconducting Tunnel Junctions SJT...
National Security Risks of Late-Stage Capitalism
Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds. The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US...
WEIS 2021 Call for Papers
The 20th Annual Workshop on the Economics of Information Security WEIS 2021 will be held online in June. We just published the call for papers...
Deliberately Playing Copyrighted Music to Avoid Being Live-Streamed
Vice is reporting on a new police hack: playing copyrighted music when being filmed by citizens, trying to provoke social media sites into taking the videos down and maybe even banning the filmers: In a separate part of the video, which Devermont says was filmed later that same afternoon, Devermo...
COVID-19 Risks of Flying
I fly a lot. Over the past five years, my average speed has been 32 miles an hour. That all changed mid-March. It's been 105 days since I've been on an airplane -- longer than any other time in my adult life -- and I have no future flights scheduled. This is all a prelude to saying that I have be...
Friday Squid Blogging: Humboldt Squid Communication
Humboldt Squid communicate by changing their skin patterns and glowing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Microsoft Buys Corp.com
A few months ago, Brian Krebs told the story of the domain corp.com, and how it is basically a security nightmare: At issue is a problem known as "namespace collision," a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains th...
NSA Security Awareness Posters
From a FOIA request, over a hundred old NSA security awareness posters. Here are the BBC's favorites. Here are Motherboard's favorites. I have a related personal story. Back in 1993, during the first Crypto Wars, I and a handful of other academic cryptographers visited the NSA for some meeting or...
Mapping Security and Privacy Research across the Decades
This is really interesting: "A Data-Driven Reflection on 36 Years of Security and Privacy Research," by Aniqua Baset and Tamara Denning: Abstract: Meta-research---research about research---allows us, as a community, to examine trends in our research and make informed decisions regarding the cours...
Phone Pharming for Ad Fraud
Interesting article on people using banks of smartphones to commit ad fraud for profit. No one knows how prevalent ad fraud is on the Internet. I believe it is surprisingly high -- here's an article that places losses between $6.5 and $19 billion annually -- and something companies like Google an...
Regulating International Trade in Commercial Spyware
Siena Anstis, Ronald J. Deibert, and John Scott-Railton of Citizen Lab published an editorial calling for regulating the international trade in commercial surveillance systems until we can figure out how to curb human rights abuses. Any regime of rigorous human rights safeguards that would make a...
Cryptanalysis of SIMON-32/64
A weird paper was posted on the Cryptology ePrint Archive working link is via the Wayback Machine, claiming an attack against the NSA-designed cipher SIMON. You can read some commentary about it here. Basically, the authors claimed an attack so devastating that they would only publish a...
Friday Squid Blogging: Firefly Squid Museum
The Hotaruika Museum is a museum devoted to firefly squid in Toyama, Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Nicholas Weaver on Cryptocurrencies
This is well-worth reading non-paywalled version. Here's the opening: Cryptocurrencies, although a seemingly interesting idea, are simply not fit for purpose. They do not work as currencies, they are grossly inefficient, and they are not meaningfully distributed in terms of trust. Risks involving...
E-Mail Vulnerabilities and Disclosure
Last week, researchers disclosed vulnerabilities in a large number of encrypted e-mail clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail. These are serious vulnerabilities: An attacker who can alter mail sent to a vulnerable client can trick that client...
Japan's Directorate for Signals Intelligence
The Intercept has a long article on Japan's equivalent of the NSA: the Directorate for Signals Intelligence. Interesting, but nothing really surprising. The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly...
Supply-Chain Security
Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users. It's a legitimate fear, and perhaps a prudent action. But it's just one instance of the much larger issue of securing our supply...
GreyKey iPhone Unlocker
Some details about the iPhone unlocker from the US company Greyshift, with photos. Little is known about Grayshift or its sales model at this point. We don't know whether sales are limited to US law enforcement, or if it is also selling in other parts of the world. Regardless of that, it's highly...
Intimate Partner Threat
Princeton's Karen Levy has a good article computer security and the intimate partner threat: When you learn that your privacy has been compromised, the common advice is to prevent additional access -- delete your insecure account, open a new one, change your password. This advice is such standard...
Cellebrite Unlocks iPhones for the US Government
Forbes reports that the Israeli company Cellebrite can probably unlock all iPhone models: Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have th...
WhatsApp Vulnerability
A new vulnerability in WhatsApp has been discovered: ...the researchers unearthed far more significant gaps in WhatsApp's security: They say that anyone who controls WhatsApp's servers could effortlessly insert new people into an otherwise private group, even without the permission of the...
Tourist Scams
A comprehensive list. Most are old and obvious, but there are some clever variants...
Heart Size: Yet Another Biometric
Turns out that heart size doesn't change throughout your adult life, and you can use low-level Doppler radar to scan the size -- even at a distance -- as a biometric. Research paper to be available soon...
The Science of Interrogation
Fascinating article about two psychologists who are studying interrogation techniques. Now, two British researchers are quietly revolutionising the study and practice of interrogation. Earlier this year, in a meeting room at the University of Liverpool, I watched a video of the Diola interview...
More on Kaspersky and the Stolen NSA Attack Tools
Both the New York Times and the Washington Post are reporting that Israel has penetrated Kaspersky's network and detected the Russian operation. From the New York Times: Israeli intelligence officers informed the NSA that, in the course of their Kaspersky hack, they uncovered evidence that Russia...
Bluetooth Vulnerabilities
A bunch of Bluetooth vulnerabilities are being reported, some pretty nasty. BlueBorne concerns us because of the medium by which it operates. Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensiv...
Dubai Deploying Autonomous Robotic Police Cars
It's hard to tell how much of this story is real and how much is aspirational, but it really is only a matter of time: About the size of a child's electric toy car, the driverless vehicles will patrol different areas of the city to boost security and hunt for unusual activity, all the while...
Good Article About Google's Project Zero
Fortune magazine just published a good article about Google's Project Zero, which finds and publishes exploits in other companies' software products. I have mixed feeling about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is...
Using AI to Scale Spear Phishing
The problem with spear phishing is that it takes time and creativity to create individualized enticing phishing emails. Researchers are using GPT-3 to attempt to solve that problem: The researchers used OpenAIs GPT-3 platform in conjunction with other AI-as-a-service products focused on personali...
FBI/AFP-Run Encrypted Phone
For three years, the Federal Bureau of Investigation and the Australian Federal Police owned and operated a commercial encrypted phone app, called AN0M, that was used by organized crime around the world. Of course, the police were able to read everything -- I dont even know if this qualifies as a...
AI Security Risk Assessment Tool
Microsoft researchers just released an open-source automation tool for security testing AI systems: "Counterfit." Details on their blog...
Friday Squid Blogging: COVID Relief Funds
A town in Japan built a giant squid statue with its COVID relief grant. One local told the Chunichi Shimbun newspaper that while the statue may be effective in the long run, the money could have been used for "urgent support," such as for medical staff and long-term care facilities. But a...
On the Insecurity of ES&S Voting Machines’ Hash Code
Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&Ss software authentication system: It turns out that ES&S has bugs in their hash-code checker: if the "reference hashcode" is completely missing, then itll say "yes, boss, everything is fine" instead of reporting an error...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Australian Cyber Conference 2021 on March 17 and 18, 2021. I’m keynoting the all-virtual RSA Conference 2021, May 17-20, 2021. I’ll be speaking at an Informa event on September 14, 2021. Details to come. The lis...
Attack against Florida Water Treatment Facility
A water treatment plant in Oldsmar, Florida, was attacked last Friday. The attacker took control of one of the systems, and increased the amount of sodium hydroxide -- thats lye -- by a factor of 100. This could have been fatal to people living downstream, if an alert operator hadnt noticed the...
Cell Phone Location Privacy
We all know that our cell phones constantly give our location away to our mobile network operators; that’s how they work. A group of researchers has figured out a way to fix that. “Pretty Good Phone Privacy” PGPP protects both user identity and user location using the existing cellular networks. ...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking online as part of Western Washington Universitys Internet Studies Lecture Series on January 20, 2021. Im speaking online at ITU Denmark on February 2, 2021. Details to come. Im being interviewed by Keith Cronin as part ...
DNSSEC Keysigning Ceremony Postponed Because of Locked Safe
Interesting collision of real-world and Internet security: The ceremony sees several trusted internet engineers a minimum of three and up to seven from across the world descend on one of two secure locations -- one in El Segundo, California, just south of Los Angeles, and the other in Culpeper,...
Tree Code
Artist Katie Holten has developed a tree code basically, a font in trees, and New York City is using it to plant secret messages in parks...
Failure Modes in Machine Learning
Interesting taxonomy of machine-learning failures pdf that encompasses both mistakes and attacks, or -- in their words -- intentional and unintentional failure modes. It's a good basis for threat modeling...
Illegal Data Center Hidden in Former NATO Bunker
Interesting: German investigators said Friday they have shut down a data processing center installed in a former NATO bunker that hosted sites dealing in drugs and other illegal activities. Seven people were arrested. ... Thirteen people aged 20 to 59 are under investigation in all, including thr...
How the Anonymous Artist Banksy Authenticates His or Her Work
Interesting scheme: It all starts off with a fairly bog standard gallery style certificate. Details of the work, the authenticating agency, a bit of embossing and a large impressive signature at the bottom. Exactly the sort of things that can be easily copied by someone on a mission to create the...
Hey Secret Service: Don't Plug Suspect USB Sticks into Random Computers
I just noticed this bit from the incredibly weird story of the Chinese woman arrested at Mar-a-Lago: Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang's thumb drive into his computer, it...
First Look Media Shutting Down Access to Snowden NSA Archives
The Daily Beast is reporting that First Look Media -- home of The Intercept and Glenn Greenwald -- is shutting down access to the Snowden archives. The Intercept was the home for Greenwald's subset of Snowden's NSA documents since 2014, after he parted ways with the Guardian the year before. I...
Chip Cards Fail to Reduce Credit Card Fraud in the US
A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the...
Good Primer on Two-Factor Authentication Security
Stuart Schechter published a good primer on the security issues surrounding two-factor authentication. While it's often an important security measure, it's not a panacea. Stuart discusses the usability and security issues that you have to think about before deploying the system...