2981 matches found
On the Insecurity of ES&S Voting Machines’ Hash Code
Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&Ss software authentication system: It turns out that ES&S has bugs in their hash-code checker: if the "reference hashcode" is completely missing, then itll say "yes, boss, everything is fine" instead of reporting an error...
Military Cryptanalytics, Part III
The NSA has just declassified and released a redacted version of Military Cryptanalytics, Part III, by Lambros D. Callimahos, October 1977. Parts I and II, by Lambros D. Callimahos and William F. Friedman, were released decades ago -- I believe repeatedly, in increasingly unredacted form -- and...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the ISC² Security Congress 2020, November 16, 2020. I’ll be on a panel at the OECD Global Blockchain Policy Forum 2020 on November 17, 2020. The panel is called "Deep Dive: Digital Security and Distributed Ledger...
Friday Squid Blogging: COVID-19 Found on Chinese Squid Packaging
I thought the virus doesnt survive well on food packaging: Authorities in China’s northeastern Jilin province have found the novel coronavirus on the packaging of imported squid, health authorities in the city of Fuyu said on Sunday, urging anyone who may have bought it to get themselves tested. ...
Friday Squid Blogging: Squid Found on Provincetown Sandbar
Headline: "Dozens of squid found on Provincetown sandbar." Slow news day. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Phishing Attacks against Trump and Biden Campaigns
Google's threat analysts have identified state-level attacks from China. I hope both campaigns are working under the assumption that everything they say and do will be dumped on the Internet before the election. That feels like the most likely outcome...
Facebook Announces Messenger Security Features that Don't Compromise Privacy
Note that this is "announced," so we don't know when it's actually going to be implemented. Facebook today announced new features for Messenger that will alert you when messages appear to come from financial scammers or potential child abusers, displaying warnings in the Messenger app that provid...
DNSSEC Keysigning Ceremony Postponed Because of Locked Safe
Interesting collision of real-world and Internet security: The ceremony sees several trusted internet engineers a minimum of three and up to seven from across the world descend on one of two secure locations -- one in El Segundo, California, just south of Los Angeles, and the other in Culpeper,...
Tree Code
Artist Katie Holten has developed a tree code basically, a font in trees, and New York City is using it to plant secret messages in parks...
Iranian Attacks on Industrial Control Systems
New details: At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium,...
Security Vulnerabilities in the RCS Texting Protocol
Interesting research: SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still used for calling and texting, which has long been known to be...
Extracting Data from Smartphones
Privacy International has published a detailed, technical examination of how data is extracted from smartphones...
Becoming a Tech Policy Activist
Carolyn McCarthy gave an excellent TEDx talk about becoming a tech policy activist. It's a powerful call for public-interest technologists...
Public Voice Launches Petition for an International Moratorium on Using Facial Recognition for Mass Surveillance
Coming out of the Privacy Commissioners' Conference in Albania, Public Voice is launching a petition for an international moratorium on using facial recognition software for mass surveillance. You can sign on as an individual or an organization. I did. You should as well. No, I don't think that...
Illegal Data Center Hidden in Former NATO Bunker
Interesting: German investigators said Friday they have shut down a data processing center installed in a former NATO bunker that hosted sites dealing in drugs and other illegal activities. Seven people were arrested. ... Thirteen people aged 20 to 59 are under investigation in all, including thr...
NotPetya
Wired has a long article on NotPetya. EDITED TO ADD 9/12: Another good article on NotPetya...
How the Anonymous Artist Banksy Authenticates His or Her Work
Interesting scheme: It all starts off with a fairly bog standard gallery style certificate. Details of the work, the authenticating agency, a bit of embossing and a large impressive signature at the bottom. Exactly the sort of things that can be easily copied by someone on a mission to create the...
Security Vulnerabilities in VingCard Electronic Locks
Researchers have disclosed a massive vulnerability in the VingCard eletronic lock system, used in hotel rooms around the world: With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over...
Malware from Space
Since you don't have enough to worry about, here's a paper postulating that space aliens could send us malware capable of destroying humanity. Abstract: A complex message from space may require the use of computers to display, analyze and understand. Such a message cannot be decontaminated with...
Ross Anderson on the History of the Crypto Wars in the UK
Ross Anderson gave a talk on the history of the Crypto Wars in the UK. I am intimately familiar with the US story, but didn't know as much about Britain's verson. Hour-long video. Summary...
Turning an Amazon Echo into an Eavesdropping Device
For once, the real story isn't as bad as it seems. A researcher has figured out how to install malware onto an Echo that causes it to stream audio back to a remote controller, but: The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. Bu...
Textbook Rental Scam
Heres a story of someone who, with three compatriots, rented textbooks from Amazon and then sold them instead of returning them. They used gift cards and prepaid credit cards to buy the books, so there was no available balance when Amazon tried to charge them the buyout price for non-returned...
Friday Squid Blogging: Far Side Squid Comic
A classic. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New US Executive Order on Cybersecurity
President Biden signed an executive order to improve government cybersecurity, setting new security standards for software sold to the federal government. For the first time, the United States will require all software purchased by the federal government to meet, within six months, a series of ne...
Hacking Digitally Signed PDF Files
Interesting paper: "Shadow Attacks: Hiding and Replacing Content in Signed PDFs": Abstract: Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content. A user opening a signed PDF expects to see a warning in case of any modification. In...
Presidential Cybersecurity and Pelotons
President Biden wants his Peloton in the White House. For those who have missed the hype, its an Internet-connected stationary bicycle. It has a screen, a camera, and a microphone. You can take live classes online, work out with your friends, or join the exercise social network. And all of that i...
Friday Squid Blogging: Squids Don’t Like Pile-Driving Noises
New research: Pile driving occurs during construction of marine platforms, including offshore windfarms, producing intense sounds that can adversely affect marine animals. We quantified how a commercially and economically important squid Doryteuthis pealeii: Lesueur 1821 responded to pile driving...
Cyber Public Health
In a lecture, Adam Shostack makes the case for a discipline of cyber public health. It would relate to cybersecurity in a similar way that public health relates to medicine...
The US Military Buys Commercial Location Data
Vice has a long article about how the US military buys commercial location data worldwide. The U.S. military is buying the granular movement data of people around the world, harvested from innocuous-seeming apps, Motherboard has learned. The most popular app among a group Motherboard analyzed...
Friday Squid Blogging: Peru Defends Its Waters against Chinese Squid Fishing Boats
Squid geopolitics. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Criminals and the Normalization of Masks
I was wondering about this: Masks that have made criminals stand apart long before bandanna-wearing robbers knocked over stagecoaches in the Old West and ski-masked bandits held up banks now allow them to blend in like concerned accountants, nurses and store clerks trying to avoid a deadly virus...
Chinese COVID-19 Disinformation Campaign
The New York Times is reporting on state-sponsored disinformation campaigns coming out of China: Since that wave of panic, United States intelligence agencies have assessed that Chinese operatives helped push the messages across platforms, according to six American officials, who spoke on the...
Facebook's Download-Your-Data Tool Is Incomplete
Privacy International has the details: Key facts: Despite Facebook claim, "Download Your Information" doesn't provide users with a list of all advertisers who uploaded a list with their personal data. As a user this means you can't exercise your rights under GDPR because you don't know which...
Clearview AI and Facial Recognition
The New York Times has a long story about Clearview AI, a small company that scrapes identified photos of people from pretty much everywhere, and then uses unstated magical AI technology to identify people in other photos. His tiny company, Clearview AI, devised a groundbreaking facial recognitio...
Chrome Extension Stealing Cryptocurrency Keys and Passwords
A malicious Chrome extension surreptitiously steals Ethereum keys and passwords: According to Denley, the extension is dangerous to users in two ways. First, any funds ETH coins and ERC0-based tokens managed directly inside the extension are at risk. Denley says that the extension sends the priva...
Fabricated Voice Used in Financial Fraud
This seems to be an identity theft first: Criminals used artificial intelligence-based software to impersonate a chief executive's voice and demand a fraudulent transfer of €220,000 $243,000 in March in what cybercrime experts described as an unusual case of artificial intelligence being used in...
Interview of Me in Taiwan
Business Weekly in Taiwan interviewed me. Here's a translation courtesy of Google. It was a surprisingly intimate interview. I hope the Chinese reads better than the translation...
Judging Facebook's Privacy Shift
Facebook is making a new and stronger commitment to privacy. Last month, the company hired three of its most vociferous critics and installed them in senior technical positions. And on Wednesday, Mark Zuckerberg wrote that the company will pivot to focus on private conversations over the public...
The PCLOB Needs a Director
The US Privacy and Civil Liberties Oversight Board is looking for a director. Among other things, this board has some oversight role over the NSA. More precisely, it can examine what any executive-branch agency is doing about counterterrorism. So it can examine the program of TSA watchlists, NSA...
Friday Squid Blogging: Australian Fisherman Gets Inked
Pretty good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Government Perspective on Supply Chain Security
This is an interesting interview with a former NSA employee about supply chain security. I consider this to be an insurmountable problem right now...
Evidence for the Security of PKCS #1 Digital Signatures
This is interesting research: "On the Security of the PKCS1 v1.5 Signature Scheme": Abstract: The RSA PKCS1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that...
Hacking a Robot Vacuum
The Diqee 360 robotic vacuum cleaner can be turned into a surveillance device. The attack requires physical access to the device, so in the scheme of things it's not a big deal. But why in the world is the vacuum equipped with a microphone?...
On Financial Fraud
There are some good lessons in this article on financial fraud: That's how we got it so wrong. We were looking for incidental breaches of technical regulations, not systematic crime. And the thing is, that's normal. The nature of fraud is that it works outside your field of vision, subverting the...
Friday Squid Blogging: Dead Squid on Prince Edward Island
A beach on Prince Edward Island is littered with dead squid. No one knows why. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Russian Censorship of Telegram
Internet censors have a new strategy in their bid to block applications and websites: pressuring the large cloud providers that host them. These providers have concerns that are much broader than the targets of censorship efforts, so they have the choice of either standing up to the censors or...
More on the Vulnerabilities Equities Process
Richard Ledgett -- a former Deputy Director of the NSA -- argues against the US government disclosing all vulnerabilities: Proponents argue that this would allow patches to be developed, which in turn would help ensure that networks are secure. On its face, this argument might seem to make sense ...
LastPass Breach
Last August, LastPass reported a security breach, saying that no customer information--or passwords--were compromised. Turns out the full story is worse: While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our developmen...
Banning Surveillance-Based Advertising
The Norwegian Consumer Council just published a fantastic new report: "Time to Ban Surveillance-Based Advertising." From the Introduction: The challenges caused and entrenched by surveillance-based advertising include, but are not limited to: privacy and data protection infringements opaque...
Paul van Oorschot’s Computer Security and the Internet
Paul van Oorschots webpage contains a complete copy of his book: Computer Security and the Internet: Tools and Jewels. Its worth reading...