2980 matches found
Facial Recognition Is Coming to Retail
Summary article...
Yet Another FBI Proposal for Insecure Communications
Deputy Attorney General Rosenstein has given talks where he proposes that tech companies decrease their communications and device security for the benefit of the FBI. In a recent talk, his idea is that tech companies just save a copy of the plaintext: Law enforcement can also partner with private...
Cybersecurity and the 2017 US National Security Strategy
Commentaries on the 2017 US national security strategy by Michael Sulmeyer and Ben Buchanan...
On the Equifax Data Breach
Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information...
US Army Researching Bot Swarms
The US Army Research Agency is funding research into autonomous bot swarms. From the announcement: The objective of this CRA is to perform enabling basic and applied research to extend the reach, situational awareness, and operational effectiveness of large heterogeneous teams of intelligent...
Healthcare Industry Cybersecurity Report
New US government report: "Report on Improving Cybersecurity in the Health Care Industry." It's pretty scathing, but nothing in it will surprise regular readers of this blog. It's worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas. The Tas...
NSA Abandons "About" Searches
Earlier this month, the NSA said that it would no longer conduct "about" searches of bulk communications data. This was the practice of collecting the communications of Americans based on keywords and phrases in the contents of the messages, not based on who they were from or to. The NSA's own...
Did North Korea Write WannaCry?
The New York Times is reporting that evidence is pointing to North Korea as the author of the WannaCry ransomware. Note that there is no proof at this time, although it would not surprise me if the NSA knows the origins of this malware attack...
TP-Link Router Botnet
There is a new botnet that is infecting TP-Link routers: The botnet can lead to command injection which then makes remote code execution RCE possible so that the malware can spread itself across the internet automatically. This high severity security flaw tracked as CVE-2023-1389 has also been us...
Email Security Flaw Found in the Wild
Googles Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world. TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this...
Hacking Trespass Law
This article talks about public land in the US that is completely surrounded by private land, which in some cases makes it inaccessible to the public. But theres a hack: Some hunters have long believed, however, that the publicly owned parcels on Elk Mountain can be legally reached using a practi...
Cheating on Tests
Interesting story of test-takers in India using Bluetooth-connected flip-flops to communicate with accomplices while taking a test. Whats interesting is how this cheating was discovered. Its not that someone noticed the communication devices. Its that the proctors noticed that cheating test taker...
Friday Squid Blogging: Ram’s Horn Squid Shells
You can find rams horn squid shells on beaches in Texas and presumably elsewhere. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: Giant Squid Model
Pretty wooden model. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New Spectre-Like Attacks
Theres new research that demonstrates security vulnerabilities in all of the AMD and Intel chips with micro-op caches, including the ones that were specifically engineered to be resistant to the Spectre/Meltdown attacks of three years ago. Details: The new line of attacks exploits the micro-op...
The FBI Is Now Securing Networks Without Their Owners’ Permission
In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised...
Fugitive Identified on YouTube By His Distinctive Tattoos
A mafia fugitive hiding out in the Dominican Republic was arrested when investigators found his YouTube cooking channel and identified him by his distinctive arm tattoos...
Encoded Message in the Perseverance Mars Lander’s Parachute
NASA made an oblique reference to a coded message in the color pattern of the Perseverance Mars Lander s parachute. More information...
Friday Squid Blogging: Far Side Cartoon
The Far Side on squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Ransomware Profitability
Analyzing cryptocurrency data, a research group has estimated a lower-bound on 2020 ransomware revenue: $350 million, four times more than in 2019. Based on the companys data, among last years top earners, there were groups like Ryuk, Maze now-defunct, Doppelpaymer, Netwalker disrupted by...
Including Hackers in NATO Wargames
This essay makes the point that actual computer hackers would be a useful addition to NATO wargames: The international information security community is filled with smart people who are not in a military structure, many of whom would be excited to pose as independent actors in any upcoming...
Friday Squid Blogging: Vegan Chili Squid
The restaurant chain Wagamama is selling a vegan version of its Chilli Squid side dish made from king oyster mushrooms. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Copying a Key by Listening to It in Action
Researchers are using recordings of keys being used in locks to create copies. Once they have a key-insertion audio file, SpiKey's inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock's pins and you can hear those filtered clicks...
The NSA on the Risks of Exposing Location Data
The NSA has issued an advisory on the risks of location data. Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action bas...
Identifying a Person Based on a Photo, LinkedIn and Etsy Profiles, and Other Internet Bread Crumbs
Interesting story of how the police can identify someone by following the evidence chain from website to website. According to filings in Blumenthal's case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police c...
Password Changing After a Breach
This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other...
Securing Internet Videoconferencing Apps: Zoom and Others
The NSA just published a survey of video conferencing apps. So did Mozilla. Zoom is on the good list, with some caveats. The company has done a lot of work addressing previous security concerns. It still has a bit to go on end-to-end encryption. Matthew Green looked at this. Zoom does offer...
Global Surveillance in the Wake of COVID-19
OneZero is tracking thirty countries around the world who are implementing surveillance programs in the wake of COVID-19: The most common form of surveillance implemented to battle the pandemic is the use of smartphone location data, which can track population-level movement down to enforcing...
Ransomware Now Leaking Stolen Documents
Originally, ransomware didn't involve any data theft. Malware would encrypt the data on your computer, and demand a ransom for the encryption key. Now ransomware is increasingly involving both encryption and exfiltration. Brian Krebs wrote about this in December. It's a further incentive for the...
Russia Is Trying to Tap Transatlantic Cables
The Times of London is reporting that Russian agents are in Ireland probing transatlantic communications cables. Ireland is the landing point for undersea cables which carry internet traffic between America, Britain and Europe. The cables enable millions of people to communicate and allow financi...
Apple's Tracking-Prevention Feature in Safari has a Privacy Bug
Last month, engineers at Google published a very curious privacy bug in Apple's Safari web browser. Apple's Intelligent Tracking Prevention, a feature designed to reduce user tracking, has vulnerabilities that themselves allow user tracking. Some details: ITP detects and blocks tracking on the we...
GPS Manipulation
Long article on the manipulation of GPS in Shanghai. It seems not to be some Chinese military program, but ships who are stealing sand. The Shanghai "crop circles," which somehow spoof each vessel to a different false location, are something new. "I'm still puzzled by this," says Humphreys. "I...
Cracking Forgotten Passwords
Expandpass is a string expansion program. It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords. I learned about it in this article about Phil Dougherty, who helps people recover lost cryptocurrency...
Exploiting GDPR to Get Private Information
A researcher abused the GDPR to get information on his fiancee: It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation GDPR, which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of...
Fooling Automated Surveillance Cameras with Patchwork Color Printout
Nice bit of adversarial machine learning. The image from this news article is most of what you need to know, but here's the research paper...
Excellent Analysis of the Boeing 737 Max Software Problems
This is the best analysis of the software causes of the Boeing 737 MAX disasters that I have read. Technically this is safety and not security; there was no attacker. But the fields are closely related and there are a lot of lessons for IoT security -- and the security of complex socio-technical...
Security Risks of Chatbots
Good essay on the security risks -- to democratic discourse -- of chatbots...
Consumer Reports Reviews Wireless Home-Security Cameras
Consumer Reports is starting to evaluate the security of IoT devices. As part of that, it's reviewing wireless home-security cameras. It found significant security vulnerabilities in D-Link cameras: In contrast, D-Link doesn't store video from the DCS-2630L in the cloud. Instead, the camera has i...
Security Vulnerability in Internet-Connected Construction Cranes
This seems bad: The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane. "These devices...
Recovering Keyboard Inputs through Thermal Imaging
Researchers at the University of California, Irvine, are able to recover user passwords by way of thermal imaging. The tech is pretty straightforward, but it's interesting to think about the types of scenarios in which it might be pulled off. Abstract: As a warm-blooded mammalian species, we huma...
Secure Speculative Execution
We're starting to see research into designing speculative execution systems that avoid Spectre- and Meltdown-like security problems. Here's one. I don't know if this particular design secure. My guess is that we're going to see several iterations of design and attack before we settle on something...
Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill
Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them. Sounds like a really good idea, bu...
Friday Squid Blogging: Do Cephalopods Contain Alien DNA?
Maybe not DNA, but biological somethings. "Cause of Cambrian explosion -- Terrestrial or Cosmic?": Abstract: We review the salient evidence consistent with or predicted by the Hoyle-Wickramasinghe H-W thesis of Cometary Cosmic Biology. Much of this physical and biological evidence is...
White House Eliminates Cybersecurity Position
The White House has eliminated the cybersecurity coordinator position. This seems like a spectacularly bad idea...
Computer Alarm that Triggers When Lid Is Opened
"Do Not Disturb" is a Macintosh app that send an alert when the lid is opened. The idea is to detect computer tampering. Wired article: Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves a picture snapped with...
Cybersecurity Insurance
Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But...
Hijacking Computers for Cryptocurrency Mining
Interesting paper "A first look at browser-based cryptojacking": Abstract: In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In this model, a user visiting a website will download ...
Splitting the NSA and US Cyber Command
Rumor is that the Trump administration will separate the NSA and US Cyber Command. I have long thought this was a good idea. Here's a good discussion of what it does and doesn't mean...
Me on Restaurant Surveillance Technology
I attended the National Restaurant Association exposition in Chicago earlier this year, and looked at all the ways modern restaurant IT is spying on people. But there's also a fundamentally creepy aspect to much of this. One of the prime ways to increase value for your brand is to use the Interne...
Hacking Spotify
Some of the ways artists are hacking the music-streaming service Spotify...