2981 matches found
Easy SMS Hijacking
Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money -- in this case, $16 off an anonymous prepaid credit card -- and a few lies, you can forwar...
Injecting a Backdoor into SolarWinds Orion
Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process: Key Points SUNSPOT is StellarParticles malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. SUNSPOT monitors...
Extracting Personal Information from Large Language Models Like GPT-2
Researchers have been able to find all sorts of personal information within GPT-2. This information was part of the training data, and can be extracted with the right sorts of queries. Paper: "Extracting Training Data from Large Language Models." Abstract: It has become common to publish large...
Friday Squid Blogging: Linguine allo Scoglio Recipe
Delicious seafood pasta dish -- includes squid -- from Americas Test Kitchen. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Hiding Malware in Social Media Buttons
Clever tactic: This new malware was discovered by researchers at Dutch cyber-security company Sansec that focuses on defending e-commerce websites from digital skimming also known as Magecart attacks. The payment skimmer malware pulls its sleight of hand trick with the help of a double payload...
Cybersecurity During COVID-19
Three weeks ago could it possibly be that long already?, I wrote about the increased risks of working remotely during the COVID-19 pandemic. One, employees are working from their home networks and sometimes from their home computers. These systems are more likely to be out of date, unpatched, and...
Privacy vs. Surveillance in the Age of COVID-19
The trade-offs are changing: As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement authorities are understandably...
Police Surveillance Tools from Special Services Group
Special Services Group, a company that sells surveillance tools to the FBI, DEA, ICE, and other US government agencies, has had its secret sales brochure published. Motherboard received the brochure as part of a FOIA request to the Irvine Police Department in California. "The Tombstone Cam is our...
Mysterious Drones Are Flying over Colorado
No one knows who they belong to. Well, of course someone knows. And my guess is that it's likely that we will know soon. EDITED TO ADD 1/3: Another article...
Lousy IoT Security
DTEN makes smart screens and whiteboards for videoconferencing systems. Forescout found that their security is terrible: In total, our researchers discovered five vulnerabilities of four different kinds: Data exposure: PDF files of shared whiteboards e.g. meeting notes and other sensitive files...
xHelper Malware for Android
xHelper is not interesting because of its infection mechanism; the user has to side-load an app onto his phone. It's not interesting because of its payload; it seems to do nothing more than show unwanted ads. it's interesting because of its persistence: Furthermore, even if users spot the xHelper...
Measuring the Security of IoT Devices
In August, CyberITL completed a large-scale survey of software security practices in the IoT environment, by looking at the compiled software. Data Collected: 22 Vendors 1,294 Products 4,956 Firmware versions 3,333,411 Binaries analyzed Date range of data: 2003-03-24 to 2019-01-24 varies by vendo...
Stealing Ethereum by Guessing Weak Private Keys
Someone is stealing millions of dollars worth of Ethereum by guessing users' private keys. Normally this should be impossible, but lots of keys seem to be very weak. Researchers are unsure how those weak keys are being generated and used. Their paper is here...
More on the Triton Malware
FireEye is releasing much more information about the Triton malware that attacks critical infrastructure. It has been discovered in more places. This is also a good -- but older -- article on Triton. We don't know who wrote it. Initial speculation was Iran; more recent speculation is Russia. Both...
Can Everybody Read the US Terrorist Watch List?
After years of claiming that the Terrorist Screening Database is kept secret within the government, we have now learned that the DHS shares it "with more than 1,400 private entities, including hospitals and universities...." Critics say that the watchlist is wildly overbroad and mismanaged, and...
Google Tracks its Users Even if They Opt-Out of Tracking
Google is tracking you, even if you turn off tracking: Google says that will prevent the company from remembering where you've been. Google's support page on the subject states: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored." Tha...
Friday Squid Blogging: Cephalopod Week on Science Friday
It's Cephalopod Week! "Three hearts, eight arms, can't lose." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: US Army Developing 3D-Printable Battlefield Robot Squid
The next major war will be super weird. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Russia is Banning Telegram
Russia has banned the secure messaging app Telegram. It's making an absolute mess of the ban -- blocking 16 million IP addresses, many belonging to the Amazon and Google clouds -- and it's not even clear that it's working. But, more importantly, I'm not convinced Telegram is secure in the first...
Public Hearing on IoT Risks
The US Consumer Product Safety Commission is holding hearings on IoT risks: The U.S. Consumer Product Safety Commission CPSC, Commission, or we will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with...
Greyshift Sells Phone Unlocking Services
Here's another company that claims to unlock phones for a price...
Apple to Store Encryption Keys in China
Apple is bowing to pressure from the Chinese government and storing encryption keys in China. While I would prefer it if it would take a stand against China, I really can't blame it for putting its business model ahead of its desires for customer privacy. Two more articles...
NSA Morale
The Washington Post is reporting that poor morale at the NSA is causing a significant talent shortage. A November New York Times article said much the same thing. The articles point to many factors: the recent reorganization, low pay, and the various leaks. I have been saying for a while that the...
Hacking a Fingerprint Biometric
Embedded in this story about infidelity and a mid-flight altercation, there's an interesting security tidbit: The woman had unlocked her husband's phone using his thumb impression when he was sleeping...
Deloitte Hacked
The large accountancy firm Deloitte was hacked, losing client e-mails and files. The hackers had access inside the company's networks for months. Deloitte is doing its best to downplay the severity of this hack, but Brian Krebs reports that the hack "involves the compromise of all administrator...
Do the Police Need a Search Warrant to Access Cell Phone Location Data?
The US Supreme Court is deciding a case that will establish whether the police need a warrant to access cell phone location data. This week I signed on to an amicus brief from a wide array of security technologists outlining the technical arguments as why the answer should be yes. Susan Landau...
The Future of Forgeries
This article argues that AI technologies will make image, audio, and video forgeries much easier in the future. Combined, the trajectory of cheap, high-quality media forgeries is worrying. At the current pace of progress, it may be as little as two or three years before realistic audio forgeries...
Commentary on US Election Security
Good commentaries from Ed Felten and Matt Blaze. Both make a point that I have also been saying: hacks can undermine the legitimacy of an election, even if there is no actual voter or vote manipulation. Felten: The second lesson is that we should be paying more attention to attacks that aim to...
Breaking RSA with a Quantum Computer
A group of Chinese researchers have just published a paper claiming that they can--although they have not yet done so--break 2048-bit RSA. This is something to take seriously. It might not be correct, but its not obviously wrong. We have long known from Shors algorithm that factoring with a quant...
Cobalt Strike Vulnerability Affects Botnet Servers
Cobalt Strike is a security tool, used by penetration testers to simulate network attackers. But its also used by attackers -- from criminals to governments -- to automate their own attacks. Researchers have found a vulnerability in the product. The main components of the security tool are the...
Mollitiam Industries is the Newest Cyberweapons Arms Manufacturer
Wired is reporting on a company called Mollitiam Industries: Marketing materials left exposed online by a third-party claim Mollitiams interception products, dubbed "Invisible Man" and "Night Crawler," are capable of remotely accessing a targets files, location, and covertly turning on a devices...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Ill be part of a European Internet Forum virtual debate on June 17, 2021. The topic is "Decrypting the encryption debate: How to ensure public safety with a privacy-preserving and secure Internet?" I’m speaking at the all-online...
Security Vulnerability in Apple’s Silicon “M1” Chip
The website for the M1racles security vulnerability is an excellent demonstration that not all vulnerabilities are exploitable. Be sure to read the FAQ through to the end. EDITED TO ADD: Wired article...
Bizarro Banking Trojan
Bizarro is a new banking trojan that is stealing financial information and crypto wallets. …the program can be delivered in a couple of ways -- either via malicious links contained within spam emails, or through a trojanized app. Using these sneaky methods, trojan operators will implant the...
Book Sale: Beyond Fear
I have 80 copies of my 2000 book Beyond Fear available at the very cheap price of $5 plus shipping. Note that there is a 20% chance that your book will have a "BT Counterpane" sticker on the front cover. Order your signed copy here...
Friday Squid Blogging: Squid-Shaped Bike Rack
Theres a new squid-shaped bike rack in Ballard, WA. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Details of a Computer Banking Scam
This is a longish video that describes a profitable computer banking scam thats run out of call centers in places like India. Theres a lot of fluff about glitterbombs and the like, but the details are interesting. The scammers convince the victims to give them remote access to their computers, an...
NSA on Authentication Hacks (Related to SolarWinds Breach)
The NSA has published an advisory outlining how "malicious cyber actors" are "are manipulating trust in federated authentication environments to access protected data in the cloud." This is related to the SolarWinds hack I have previously written about, and represents one of the techniques the SV...
Friday Squid Blogging: Newly Identified Ichthyosaur Species Probably Ate Squid
This is a deep-diving species that "fed on small prey items such as squid." Academic paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: Bigfin Squid Found in Australian Waters
A bigfin squid has been found -- and filmed -- in Australian waters for the first time. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Enigma Machine Recovered from the Baltic Sea
Neat story: German divers searching the Baltic Sea for discarded fishing nets have stumbled upon a rare Enigma cipher machine used by the Nazi military during World War Two which they believe was thrown overboard from a scuttled submarine. Thinking they had discovered a typewriter entangled in a...
Impressive iPhone Exploit
This is a scarily impressive vulnerability: Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device -- over Wi-Fi, with no user interaction required at all. Oh, and...
Inrupt’s Solid Announcement
Earlier this year, I announced that I had joined Inrupt, the company commercializing Tim Berners-Lees Solid specification: The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you. Data generated by your things -- your computer, your...
US Cyber Command and Microsoft Are Both Disrupting TrickBot
Earlier this month, we learned that someone is disrupting the TrickBot botnet network. Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly...
Websites Conducting Port Scans
Security researcher Charlie Belmer is reporting that commercial websites such as eBay are conducting port scans of their visitors. Looking at the list of ports they are scanning, they are looking for VNC services being run on the host, which is the same thing that was reported for bank sites. I...
Marriott Was Hacked -- Again
Marriott announced another data breach, this one affecting 5.2 million people: At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved: Contact Details e.g., name, mailing address, email address, an...
A Broken Random Number Generator in AMD Microcode
Interesting story. I always recommend using a random number generator like Fortuna, even if you're using a hardware random source. It's just safer...
Dark Web Site Taken Down without Breaking Encryption
The US Department of Justice unraveled a dark web child-porn website, leading to the arrest of 337 people in at least 18 countries. This was all accomplished not through any backdoors in communications systems, but by analyzing the bitcoin transactions and following the money: Welcome to Video ma...
More on Backdooring (or Not) WhatsApp
Yesterday, I blogged about a Facebook plan to backdoor WhatsApp by adding client-side scanning and filtering. It seems that I was wrong, and there are no such plans. The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a...
Russians Hacked the Olympics
Two weeks ago, I blogged about the myriad of hacking threats against the Olympics. Last week, the Washington Post reported that Russia hacked the Olympics network and tried to cast the blame on North Korea. Of course, the evidence is classified, so there's no way to verify this claim. And while t...