2981 matches found
Security Risks of Chatbots
Good essay on the security risks -- to democratic discourse -- of chatbots...
Consumer Reports Reviews Wireless Home-Security Cameras
Consumer Reports is starting to evaluate the security of IoT devices. As part of that, it's reviewing wireless home-security cameras. It found significant security vulnerabilities in D-Link cameras: In contrast, D-Link doesn't store video from the DCS-2630L in the cloud. Instead, the camera has i...
Security Vulnerability in Internet-Connected Construction Cranes
This seems bad: The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane. "These devices...
Gas Pump Hack
This is weird: Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart th...
Domain Name Stealing at Gunpoint
I missed this story when it came around last year: someone tried to steal a domain name at gunpoint. He was just sentenced to 20 years in jail...
The Habituation of Security Warnings
We all know that it happens: when we see a security warning too often -- and without effect -- we start tuning it out. A new paper uses fMRI, eye tracking, and field studies to prove it. EDITED TO ADD 6/6: This blog post summarizes the findings...
Supermarket Shoplifting
The rise of self-checkout has caused a corresponding rise in shoplifting...
Sending Inaudible Commands to Voice Assistants
Researchers have demonstrated the ability to send inaudible commands to voice assistants like Alexa, Siri, and Google Assistant. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear t...
COPPA Compliance
Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale": Abstract: We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance...
Detecting Adblocker Blockers
Interesting research on the prevalence of adblock blockers: "Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis": Abstract: Millions of people use adblockers to remove intrusive and malicious ads as well as protect themselves against tracking and pervasive surveillance...
Mozilla's Guide to Privacy-Aware Christmas Shopping
Mozilla reviews the privacy practices of Internet-connected toys, home accessories, exercise equipment, and more...
Apple FaceID Hacked
It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlockin...
Human Rights Watch Needs an Information Security Director
I'm sure it pays less than the industry average, and the stakes are much higher than the average. But if you want to be a Director of Information Security that makes a difference, Human Rights Watch is hiring...
Leaving Authentication Credentials in Public Code
Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000...
LLMs and Tool Use
Last March, just two weeks after GPT-4 was released, researchers at Microsoft quietly announced a plan to compile millions of APIs--tools that can do everything from ordering a pizza to solving physics equations to controlling the TV in your living room--into a compendium that would be made...
Hacks at Pwn2Own Vancouver 2023
An impressive array of hacks were demonstrated at the first day of the Pwn2Own conference in Vancouver: On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model ...
How AI Could Write Our Laws
Nearly 90% of the multibillion-dollar federal lobbying apparatus in the United States serves corporate interests. In some cases, the objective of that money is obvious. Google pours millions into lobbying on bills related to antitrust regulation. Big energy companies expect action whenever there ...
Friday Squid Blogging: Squid-Headed Statue Appears in Dallas
Someone left it in a cemetery. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Nation-State Attacker of Telecommunications Networks
Someone has been hacking telecommunications networks around the world: LightBasin aka UNC1945 is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications...
Interesting Privilege Escalation Vulnerability
If you plug a Razer peripheral mouse or keyboard, I think into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software -- which automatically downloads -- to gain SYSTEM privileges. It should be noted that this is a local privilege escalation LPE vulnerability, which...
Friday Squid Blogging: On Squid Brains
Interesting National Geographic article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
AIs and Fake Comments
This month, the New York state attorney general issued a report on a scheme by "U.S. Companies and Partisans to Hack Democracy." This wasn’t another attempt by Republicans to make it harder for Black people and urban residents to vote. It was a concerted attack on another core element of US...
Serious MacOS Vulnerability Patched
Apple just patched a MacOS vulnerability that bypassed malware checks. The flaw is akin to a front entrance thats barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific...
Biden Administration Imposes Sanctions on Russia for SolarWinds
On April 15, the Biden administration both formally attributed the SolarWinds espionage campaign to the Russian Foreign Intelligence Service SVR, and imposed a series of sanctions designed to punish the country for the attack and deter future attacks. I will leave it to those with experience in...
Dutch Insider Attack on COVID-19 Data
Insider data theft: Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministrys COVID-19 systems on the criminal underground. … According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government...
How China Uses Stolen US Personnel Data
Interesting analysis of Chinas efforts to identify US spies: By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. "We looked...
Friday Squid Blogging: Christmas Squid Memories
Stuffed squid for Christmas Eve. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Another Massive Russian Hack of US Government Networks
The press is reporting a massive hack of US government networks by sophisticated Russian hackers. Officials said a hunt was on to determine if other parts of the government had been affected by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal...
A Cybersecurity Policy Agenda
The Aspen Institutes Aspen Cybersecurity Group -- Im a member -- has released its cybersecurity policy agenda for the next four years. The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society. Policymakers in the White...
More on the Security of the 2020 US Election
Last week I signed on to two joint letters about the security of the 2020 election. The first was as one of 59 election security experts, basically saying that while the election seems to have been both secure and accurate voter suppression notwithstanding, we still need to work to secure our...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm giving a keynote address at the Cybersecurity and Data Privacy Law virtual conference on September 9, 2020. The list is maintained on this page...
Friday Squid Blogging: Introducing the Seattle Kraken
The Kraken is the name of Seattle's new NFL franchise. I have always really liked collective nouns as sports team names like the Utah Jazz or the Minnesota Wild, mostly because it's hard to describe individual players. As usual, you can also use this squid post to talk about the security stories ...
Business Email Compromise (BEC) Criminal Ring
A criminal group called Cosmic Lynx seems to be based in Russia: Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations...
Bank Card "Master Key" Stolen
South Africa's Postbank experienced a catastrophic security failure. The bank's master PIN key was stolen, forcing it to cancel and replace 12 million bank cards. The breach resulted from the printing of the bank's encrypted master key in plain, unencrypted digital language at the Postbank's old...
Bluetooth Vulnerability: BIAS
This is new research on a Bluetooth vulnerability called BIAS that allows someone to impersonate a trusted device: Abstract: Bluetooth BR/EDR is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a...
Another California Data Privacy Law
The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive: In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the "California Consumer...
On Cyber Warranties
Interesting article discussing cyber-warranties, and whether they are an effective way to transfer risk as envisioned by Ackerlof's "market for lemons" or a marketing trick. The conclusion: Warranties must transfer non-negligible amounts of liability to vendors in order to meaningfully overcome t...
LA Covers Up Bad Cybersecurity
This is bad in several dimensions. The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor...
Firefox Enables DNS over HTTPS
This is good news: Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can't be intercepted or hijacked in order to send...
A New Clue for the Kryptos Sculpture
Jim Sanborn, who designed the Kryptos sculpture in a CIA courtyard, has released another clue to the still-unsolved part 4. I think he's getting tired of waiting. Did we mention Mr. Sanborn is 74? Holding on to one of the world's most enticing secrets can be stressful. Some would-be codebreakers...
Apple Abandoned Plans for Encrypted iCloud Backup after FBI Complained
This is new from Reuters: More than two years ago, Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud, according to one current and three former FBI officials and one current and one former Apple employee. Under that plan, primarily...
Securing Tiffany's Move
Story of how Tiffany & Company moved all of its inventory from one store to another. Short summary: careful auditing and a lot of police...
Hacking School Surveillance Systems
Lance Vick suggesting that students hack their schools' surveillance systems. "This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine," he said. Of course, there are a lot more laws in place against this sort of thing than there...
Another Side Channel in Intel Chips
Not that serious, but interesting: In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard and significantly longer path through t...
Using Hacked IoT Devices to Disrupt the Power Grid
This is really interesting research: "BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid": Abstract: We demonstrate that an Internet of Things IoT botnet of high wattage devices -- such as air conditioners and heaters -- gives a unique ability to adversaries to launch...
Hacking Police Bodycams
Suprising no one, the security of police bodycams is terrible. Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it...
Hacking the McDonald's Monopoly Sweepstakes
Long and interesting story -- now two decades old -- of massive fraud perpetrated against the McDonald's Monopoly sweepstakes. The central fraudster was the person in charge of securing the winning tickets...
Manipulative Social Media Practices
The Norwegian Consumer Council just published an excellent report on the deceptive practices tech companies use to trick people into giving up their privacy. From the executive summary: Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to g...
Virginia Beach Police Want Encrypted Radios
This article says that the Virginia Beach police are looking to buy encrypted radios. Virginia Beach police believe encryption will prevent criminals from listening to police communications. They said officer safety would increase and citizens would be better protected. Someone should ask them if...
Tracing Stolen Bitcoin
Ross Anderson has a really interesting paper on tracing stolen bitcoin. From a blog post: Previous attempts to track tainted coins had used either the "poison" or the "haircut" method. Suppose I open a new address and pay into it three stolen bitcoin followed by seven freshly-mined ones. Then und...