2981 matches found
Indistinguishability Obfuscation
Quanta magazine recently published a breathless article on indistinguishability obfuscation -- calling it the "crown jewel of cryptography" -- and saying that it had finally been achieved, based on a recently published paper. I want to add some caveats to the discussion. Basically, obfuscation...
“Privacy Nutrition Labels” in Apple’s App Store
Apple will start requiring standardized privacy labels for apps in its app store, starting in December: Apple allows data disclosure to be optional if all of the following conditions apply: if its not used for tracking, advertising or marketing; if its not shared with a data broker; if collection...
Friday Squid Blogging: Saving the Humboldt Squid
Genetic research finds the Humboldt squid is vulnerable to overfishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Documented Death from a Ransomware Attack
A Dusseldorf woman died when a ransomware attack against a hospital forced her to be taken to a different hospital in another city. I think this is the first documented case of a cyberattack causing a fatality. UK hospitals had to redirect patients during the 2017 WannaCry ransomware attack, but...
Friday Squid Blogging: Morning Squid
Asa ika means "morning squid" in Japanese. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Attack Against PC Thunderbolt Port
The attack requires physical access to the computer, but it's pretty devastating: On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer -- and even its hard disk encryption -- to gain full access to the...
Contact Tracing COVID-19 Infections via Smartphone Apps
Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. Details, such as we have them, are here. It's similar to the app being developed at MIT, and similar to others being described and developed elsewhere. It's nice seeing the privacy...
Voatz Internet Voting App Is Insecure
This paper describes the flaws in the Voatz Internet voting app: "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections." Abstract: In the 2018 midterm elections, West Virginia became the first state in the...
USB Cable Kill Switch for Laptops
BusKill is designed to wipe your laptop Linux only if it is snatched from you in a public place: The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the...
WhatsApp Sues NSO Group
WhatsApp is suing the Israeli cyberweapons arms manufacturer NSO Group in California court: WhatsApp's lawsuit, filed in a California court on Tuesday, has demanded a permanent injunction blocking NSO from attempting to access WhatsApp computer systems and those of its parent company, Facebook. I...
Buying Used Voting Machines on eBay
This is not surprising: This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines -- those that were used in the 2016 election -- are running Windows CE and have USB ports, along with other components, that make them even easie...
Cell Phone Security and Heads of State
Earlier this week, the New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cell phone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potenti...
Font Steganography
Interesting research in steganography at the font level...
CSE Releases Malware Analysis Tool
The Communications Security Establishment of Canada -- basically, Canada's version of the NSA -- has released a suite of malware analysis tools: Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one...
Proof that HMAC-DRBG has No Back Doors
New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG," by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel. Abstract: We have formalized the functional specification of HMAC-DRBG NIST 800-90A, and we have proved its...
WannaCry Ransomware
Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware. It's a simple scam. Encrypt the victim's hard drive, then extract a fee to decrypt it. The scammers can't charge too much, because they want the victim to pay rather than give up on th...
The US Senate Is Using Signal
The US Senate just approved Signal for staff use. Signal is a secure messaging app with no backdoor, and no large corporate owner who can be pressured to install a backdoor. Susan Landau comments. Maybe I'm being optimistic, but I think we just won the Crypto War. A very important part of the US...
Friday Squid Blogging: Squid Game
Netflix has a new series called Squid Game, about people competing in a deadly game for money. It has nothing to do with actual squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Vulnerabilities in Weapons Systems
"If you think any of these systems are going to work as expected in wartime, youre fooling yourself." That was Bruces response at a conference hosted by US Transportation Command in 2017, after learning that their computerized logistical systems were mostly unclassified and on the Internet. That...
Signal Adds Cryptocurrency Support
According to Wired, Signal is adding support for the cryptocurrency MobileCoin, "a form of digital cash designed to work efficiently on mobile devices while protecting users privacy and even their anonymity." Moxie Marlinspike, the creator of Signal and CEO of the nonprofit that runs it, describe...
System Update: New Android Malware
Researchers have discovered a new Android app called "System Update" that is a sophisticated Remote-Access Trojan RAT. From a news article: The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database...
Security Analysis of Apple’s “Find My…” Protocol
Interesting research: "Who Can Find My Devices? Security and Privacy of Apples Crowd-Sourced Bluetooth Location Tracking System": Abstract: Overnight, Apple has turned its hundreds-of-million-device ecosystem into the worlds largest crowd-sourced location tracking network called offline finding O...
The Problem with Treating Data as a Commodity
Excellent Brookings paper: "Why data ownership is the wrong approach to protecting privacy." From the introduction: Treating data like it is property fails to recognize either the value that varieties of personal information serve or the abiding interest that individuals have in their personal...
Friday Squid Blogging: Underwater Robot Uses Squid-Like Propulsion
This is neat: By generating powerful streams of water, UCSDs squid-like robot can swim untethered. The "squidbot" carries its own power source, and has the room to hold more, including a sensor or camera for underwater exploration. As usual, you can also use this squid post to talk about the...
On Executive Order 12333
Mark Jaycox has written a long article on the US Executive Order 12333: "No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333": Abstract: Executive Order 12,333 "EO 12333" is a 1980s Executive Order signed by President Ronald Reagan that, among other...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Cybersecurity Law & Policy Scholars Virtual Conference on September 17, 2020. I’m keynoting the Canadian Internet Registration Authority’s online symposium, Canadians Connected, on Wednesday, September 23, 2020...
Twitter Hacker Arrested
A 17-year-old Florida boy was arrested and charged with last week's Twitter hack. News articles. Boing Boing post. Florida state attorney press release. This is a developing story. Post any additional news in the comments. EDITED TO ADD 8/1: Two others have been charged as well. EDITED TO ADD 8/1...
Fake Stories in Real News Sites
Fireeye is reporting that a hacking group called Ghostwriter broke into the content management systems of Eastern European news sites to plant fake stories. From a Wired story: The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NA...
Bart Gellman on Snowden
Bart Gellman's long-awaited at least by me book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic. It's an interesting read, mostly about the government surveillance of hi...
AI and Cybersecurity
Ben Buchanan has written "A National Security Research Agenda for Cybersecurity and Artificial Intelligence." It's really good -- well worth reading...
Internet Voting in Puerto Rico
Puerto Rico is considered allowing for Internet voting. I have joined a group of security experts in a letter opposing the bill. Cybersecurity experts agree that under current technology, no practically proven method exists to securely, verifiably, or privately return voted materials over the...
Newly Declassified Study Demonstrates Uselessness of NSA's Phone Metadata Program
The New York Times is reporting on the NSA's phone metadata program, which the NSA shut down last year: A National Security Agency system that analyzed logs of Americans' domestic phone calls and text messages cost $100 million from 2015 to 2019, but yielded only a single significant investigatio...
Companies that Scrape Your Email
Motherboard has a long article on apps -- Edison, Slice, and Cleanfox -- that spy on your email by scraping your screen, and then sell that information to others: Some of the companies listed in the J.P. Morgan document sell data sourced from "personal inboxes," the document adds. A spokesperson...
New Research on the Adtech Industry
The Norwegian Consumer Council has published an extensive report about how the adtech industry violates consumer privacy. At the same time, it is filing three legal complaints against six companies in this space. From a Twitter summary: 1. thread We are filing legal complaints against six...
Collating Hacked Data Sets
Two Harvard undergraduates completed a project where they went out on the dark web and found a bunch of stolen datasets. Then they correlated all the information, and combined it with additional, publicly available, information. No surprise: the result was much more detailed and personal. "What w...
Smartphone Election in Washington State
This year: King County voters will be able to use their name and birthdate to log in to a Web portal through the Internet browser on their phones, says Bryan Finney, the CEO of Democracy Live, the Seattle-based voting company providing the technology. Once voters have completed their ballots, the...
SIM Hijacking
SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take ov...
New SHA-1 Attack
There's a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: ...
Andy Ellis on Risk Assessment
Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year. I've written about this before. One quote of mine: "The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small...
Facebook Plans on Backdooring WhatsApp
This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp: In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These...
Bad Consumer Security Advice
There are lots of articles about there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Never, ever, ever use public unsecured Wi-Fi such as the Wi-Fi in a café, hotel or airport. To...
Three-Rotor Enigma Machine Up for Auction Today
Sotheby's is auctioning off a working, I think three-rotor Enigma machine today. They're expecting it to sell for about $200K. I have an Enigma, but it's missing the rotors...
The US National Cyber Strategy
Last month, the White House released the "National Cyber Strategy of the United States of America. I generally don't have much to say about these sorts of documents. They're filled with broad generalities. Who can argue with: Defend the homeland by protecting networks, systems, functions, and dat...
Helen Nissenbaum on Data Privacy and Consent
This is a fantastic Q with Cornell Tech Professor Helen Nissenbaum on data privacy and why it's wrong to focus on consent. I'm not going to pull a quote, because you should read the whole thing...
Major Tech Companies Finally Endorse Federal Privacy Regulation
The major tech companies, scared that states like California might impose actual privacy regulations, have now decided that they can better lobby the federal government for much weaker national legislation that will preempt any stricter state measures. I'm sure they'll still do all they can to...
AES Resulted in a $250-Billion Economic Benefit
NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I d...
New Ways to Track Internet Browsing
Interesting research on web tracking: "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies: Abstract: Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular...
Acoustical Attacks against Hard Drives
Interesting destructive attack: "Acoustic Denial of Service Attacks on HDDs": Abstract: Among storage components, hard disk drives HDDs have become the most commonly-used type of non-volatile storage due to their recent technological advances, including, enhanced energy efficacy and...
Passwords at the Border
The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesn't make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode that only gives you access to thos...
DOGE as a National Cyberattack
In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history--not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the...