2981 matches found
Friday Squid Blogging: Live Giant Squid Found in Japan
A giant squid was found alive in the port of Izumo, Japan. Not a lot of news, just this Twitter thread with a couple of videos. If confirmed, I believe this will be the THIRD time EVER a giant squid was filmed alive! As usual, you can also use this squid post to talk about the security stories in...
Zodiac Killer Cipher Solved
The SF Chronicle is reporting more details here, and the FBI is confirming, that a Melbourne mathematician and team has decrypted the 1969 message sent by the Zodiac Killer to the newspaper. Theres no paper yet, but there are a bunch of details in the news articles. Heres an interview with one of...
“Privacy Nutrition Labels” in Apple’s App Store
Apple will start requiring standardized privacy labels for apps in its app store, starting in December: Apple allows data disclosure to be optional if all of the following conditions apply: if its not used for tracking, advertising or marketing; if its not shared with a data broker; if collection...
Friday Squid Blogging: Saving the Humboldt Squid
Genetic research finds the Humboldt squid is vulnerable to overfishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Documented Death from a Ransomware Attack
A Dusseldorf woman died when a ransomware attack against a hospital forced her to be taken to a different hospital in another city. I think this is the first documented case of a cyberattack causing a fatality. UK hospitals had to redirect patients during the 2017 WannaCry ransomware attack, but...
Friday Squid Blogging: Morning Squid
Asa ika means "morning squid" in Japanese. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Attack Against PC Thunderbolt Port
The attack requires physical access to the computer, but it's pretty devastating: On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer -- and even its hard disk encryption -- to gain full access to the...
Contact Tracing COVID-19 Infections via Smartphone Apps
Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. Details, such as we have them, are here. It's similar to the app being developed at MIT, and similar to others being described and developed elsewhere. It's nice seeing the privacy...
Voatz Internet Voting App Is Insecure
This paper describes the flaws in the Voatz Internet voting app: "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections." Abstract: In the 2018 midterm elections, West Virginia became the first state in the...
USB Cable Kill Switch for Laptops
BusKill is designed to wipe your laptop Linux only if it is snatched from you in a public place: The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the...
WhatsApp Sues NSO Group
WhatsApp is suing the Israeli cyberweapons arms manufacturer NSO Group in California court: WhatsApp's lawsuit, filed in a California court on Tuesday, has demanded a permanent injunction blocking NSO from attempting to access WhatsApp computer systems and those of its parent company, Facebook. I...
Buying Used Voting Machines on eBay
This is not surprising: This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines -- those that were used in the 2016 election -- are running Windows CE and have USB ports, along with other components, that make them even easie...
Cell Phone Security and Heads of State
Earlier this week, the New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cell phone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potenti...
Font Steganography
Interesting research in steganography at the font level...
CSE Releases Malware Analysis Tool
The Communications Security Establishment of Canada -- basically, Canada's version of the NSA -- has released a suite of malware analysis tools: Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one...
Proof that HMAC-DRBG has No Back Doors
New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG," by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel. Abstract: We have formalized the functional specification of HMAC-DRBG NIST 800-90A, and we have proved its...
Passwords at the Border
The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesn't make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode that only gives you access to thos...
WannaCry Ransomware
Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware. It's a simple scam. Encrypt the victim's hard drive, then extract a fee to decrypt it. The scammers can't charge too much, because they want the victim to pay rather than give up on th...
The US Senate Is Using Signal
The US Senate just approved Signal for staff use. Signal is a secure messaging app with no backdoor, and no large corporate owner who can be pressured to install a backdoor. Susan Landau comments. Maybe I'm being optimistic, but I think we just won the Crypto War. A very important part of the US...
Operation Triangulation: Zero-Click iPhone Malware
Kaspersky is reporting a zero-click iOS exploit in the wild: Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and the database records allow to roughly reconstruct the events happening to th...
Friday Squid Blogging: Squid Game
Netflix has a new series called Squid Game, about people competing in a deadly game for money. It has nothing to do with actual squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
More Military Cryptanalytics, Part III
Late last year, the NSA declassified and released a redacted version of Lambros D. Callimahoss Military Cryptanalytics, Part III. We just got most of the index. Its hard to believe that there are any real secrets left in this 44-year-old volume...
Surveillance of the Internet Backbone
Vice has an article about how data brokers sell access to the Internet backbone. This is netflow data. Its useful for cybersecurity forensics, but can also be used for things like tracing VPN activity. At a high level, netflow data creates a picture of traffic flow and volume across a network. It...
The Supreme Court Narrowed the CFAA
In a 6-3 ruling, the Supreme Court just narrowed the scope of the Computer Fraud and Abuse Act: In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction. In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the...
Signal Adds Cryptocurrency Support
According to Wired, Signal is adding support for the cryptocurrency MobileCoin, "a form of digital cash designed to work efficiently on mobile devices while protecting users privacy and even their anonymity." Moxie Marlinspike, the creator of Signal and CEO of the nonprofit that runs it, describe...
System Update: New Android Malware
Researchers have discovered a new Android app called "System Update" that is a sophisticated Remote-Access Trojan RAT. From a news article: The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database...
Security Analysis of Apple’s “Find My…” Protocol
Interesting research: "Who Can Find My Devices? Security and Privacy of Apples Crowd-Sourced Bluetooth Location Tracking System": Abstract: Overnight, Apple has turned its hundreds-of-million-device ecosystem into the worlds largest crowd-sourced location tracking network called offline finding O...
The Problem with Treating Data as a Commodity
Excellent Brookings paper: "Why data ownership is the wrong approach to protecting privacy." From the introduction: Treating data like it is property fails to recognize either the value that varieties of personal information serve or the abiding interest that individuals have in their personal...
Check Washing
I cant believe that check washing is still a thing: "Check washing" is a practice where thieves break into mailboxes or otherwise steal mail, find envelopes with checks, then use special solvents to remove the information on that check except for the signature and then change the payee and the...
Friday Squid Blogging: Underwater Robot Uses Squid-Like Propulsion
This is neat: By generating powerful streams of water, UCSDs squid-like robot can swim untethered. The "squidbot" carries its own power source, and has the room to hold more, including a sensor or camera for underwater exploration. As usual, you can also use this squid post to talk about the...
On Executive Order 12333
Mark Jaycox has written a long article on the US Executive Order 12333: "No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333": Abstract: Executive Order 12,333 "EO 12333" is a 1980s Executive Order signed by President Ronald Reagan that, among other...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Cybersecurity Law & Policy Scholars Virtual Conference on September 17, 2020. I’m keynoting the Canadian Internet Registration Authority’s online symposium, Canadians Connected, on Wednesday, September 23, 2020...
Twitter Hacker Arrested
A 17-year-old Florida boy was arrested and charged with last week's Twitter hack. News articles. Boing Boing post. Florida state attorney press release. This is a developing story. Post any additional news in the comments. EDITED TO ADD 8/1: Two others have been charged as well. EDITED TO ADD 8/1...
Fake Stories in Real News Sites
Fireeye is reporting that a hacking group called Ghostwriter broke into the content management systems of Eastern European news sites to plant fake stories. From a Wired story: The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NA...
Facebook Helped Develop a Tails Exploit
This is a weird story: Hernandez was able to evade capture for so long because he used Tails, a version of Linux designed for users at high risk of surveillance and which routes all inbound and outbound connections through the open-source Tor network to anonymize it. According to Vice, the FBI ha...
Bart Gellman on Snowden
Bart Gellman's long-awaited at least by me book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic. It's an interesting read, mostly about the government surveillance of hi...
AI and Cybersecurity
Ben Buchanan has written "A National Security Research Agenda for Cybersecurity and Artificial Intelligence." It's really good -- well worth reading...
Internet Voting in Puerto Rico
Puerto Rico is considered allowing for Internet voting. I have joined a group of security experts in a letter opposing the bill. Cybersecurity experts agree that under current technology, no practically proven method exists to securely, verifiably, or privately return voted materials over the...
CIA Dirty Laundry Aired
Joshua Schulte, the CIA employee standing trial for leaking the Wikileaks Vault 7 CIA hacking tools, maintains his innocence. And during the trial, a lot of shoddy security and sysadmin practices are coming out: All this raises a question, though: just how bad is the CIA's security that it wasn't...
Newly Declassified Study Demonstrates Uselessness of NSA's Phone Metadata Program
The New York Times is reporting on the NSA's phone metadata program, which the NSA shut down last year: A National Security Agency system that analyzed logs of Americans' domestic phone calls and text messages cost $100 million from 2015 to 2019, but yielded only a single significant investigatio...
Companies that Scrape Your Email
Motherboard has a long article on apps -- Edison, Slice, and Cleanfox -- that spy on your email by scraping your screen, and then sell that information to others: Some of the companies listed in the J.P. Morgan document sell data sourced from "personal inboxes," the document adds. A spokesperson...
New Research on the Adtech Industry
The Norwegian Consumer Council has published an extensive report about how the adtech industry violates consumer privacy. At the same time, it is filing three legal complaints against six companies in this space. From a Twitter summary: 1. thread We are filing legal complaints against six...
Collating Hacked Data Sets
Two Harvard undergraduates completed a project where they went out on the dark web and found a bunch of stolen datasets. Then they correlated all the information, and combined it with additional, publicly available, information. No surprise: the result was much more detailed and personal. "What w...
Smartphone Election in Washington State
This year: King County voters will be able to use their name and birthdate to log in to a Web portal through the Internet browser on their phones, says Bryan Finney, the CEO of Democracy Live, the Seattle-based voting company providing the technology. Once voters have completed their ballots, the...
SIM Hijacking
SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take ov...
New SHA-1 Attack
There's a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: ...
Andy Ellis on Risk Assessment
Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year. I've written about this before. One quote of mine: "The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small...
Facebook Plans on Backdooring WhatsApp
This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp: In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These...
Bad Consumer Security Advice
There are lots of articles about there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Never, ever, ever use public unsecured Wi-Fi such as the Wi-Fi in a café, hotel or airport. To...
Three-Rotor Enigma Machine Up for Auction Today
Sotheby's is auctioning off a working, I think three-rotor Enigma machine today. They're expecting it to sell for about $200K. I have an Enigma, but it's missing the rotors...