2980 matches found
Hacking Spotify
Some of the ways artists are hacking the music-streaming service Spotify...
Security of St. Jude Pacemakers
This is a good summary article about the horrible security of St. Jude pacemakers, and the history of the company not doing anything about it...
Hacks at Pwn2Own Vancouver 2023
An impressive array of hacks were demonstrated at the first day of the Pwn2Own conference in Vancouver: On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model ...
How AI Could Write Our Laws
Nearly 90% of the multibillion-dollar federal lobbying apparatus in the United States serves corporate interests. In some cases, the objective of that money is obvious. Google pours millions into lobbying on bills related to antitrust regulation. Big energy companies expect action whenever there ...
Friday Squid Blogging: Squid-Headed Statue Appears in Dallas
Someone left it in a cemetery. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: On Squid Brains
Interesting National Geographic article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
AIs and Fake Comments
This month, the New York state attorney general issued a report on a scheme by "U.S. Companies and Partisans to Hack Democracy." This wasn’t another attempt by Republicans to make it harder for Black people and urban residents to vote. It was a concerted attack on another core element of US...
Serious MacOS Vulnerability Patched
Apple just patched a MacOS vulnerability that bypassed malware checks. The flaw is akin to a front entrance thats barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific...
Biden Administration Imposes Sanctions on Russia for SolarWinds
On April 15, the Biden administration both formally attributed the SolarWinds espionage campaign to the Russian Foreign Intelligence Service SVR, and imposed a series of sanctions designed to punish the country for the attack and deter future attacks. I will leave it to those with experience in...
Dutch Insider Attack on COVID-19 Data
Insider data theft: Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministrys COVID-19 systems on the criminal underground. … According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government...
How China Uses Stolen US Personnel Data
Interesting analysis of Chinas efforts to identify US spies: By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. "We looked...
Friday Squid Blogging: Christmas Squid Memories
Stuffed squid for Christmas Eve. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Another Massive Russian Hack of US Government Networks
The press is reporting a massive hack of US government networks by sophisticated Russian hackers. Officials said a hunt was on to determine if other parts of the government had been affected by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal...
A Cybersecurity Policy Agenda
The Aspen Institutes Aspen Cybersecurity Group -- Im a member -- has released its cybersecurity policy agenda for the next four years. The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society. Policymakers in the White...
More on the Security of the 2020 US Election
Last week I signed on to two joint letters about the security of the 2020 election. The first was as one of 59 election security experts, basically saying that while the election seems to have been both secure and accurate voter suppression notwithstanding, we still need to work to secure our...
Nihilistic Password Security Questions
Posted three years ago, but definitely appropriate for the times...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm giving a keynote address at the Cybersecurity and Data Privacy Law virtual conference on September 9, 2020. The list is maintained on this page...
Friday Squid Blogging: Introducing the Seattle Kraken
The Kraken is the name of Seattle's new NFL franchise. I have always really liked collective nouns as sports team names like the Utah Jazz or the Minnesota Wild, mostly because it's hard to describe individual players. As usual, you can also use this squid post to talk about the security stories ...
Business Email Compromise (BEC) Criminal Ring
A criminal group called Cosmic Lynx seems to be based in Russia: Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations...
Bank Card "Master Key" Stolen
South Africa's Postbank experienced a catastrophic security failure. The bank's master PIN key was stolen, forcing it to cancel and replace 12 million bank cards. The breach resulted from the printing of the bank's encrypted master key in plain, unencrypted digital language at the Postbank's old...
Bluetooth Vulnerability: BIAS
This is new research on a Bluetooth vulnerability called BIAS that allows someone to impersonate a trusted device: Abstract: Bluetooth BR/EDR is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a...
Another California Data Privacy Law
The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive: In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the "California Consumer...
On Cyber Warranties
Interesting article discussing cyber-warranties, and whether they are an effective way to transfer risk as envisioned by Ackerlof's "market for lemons" or a marketing trick. The conclusion: Warranties must transfer non-negligible amounts of liability to vendors in order to meaningfully overcome t...
LA Covers Up Bad Cybersecurity
This is bad in several dimensions. The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor...
Firefox Enables DNS over HTTPS
This is good news: Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can't be intercepted or hijacked in order to send...
A New Clue for the Kryptos Sculpture
Jim Sanborn, who designed the Kryptos sculpture in a CIA courtyard, has released another clue to the still-unsolved part 4. I think he's getting tired of waiting. Did we mention Mr. Sanborn is 74? Holding on to one of the world's most enticing secrets can be stressful. Some would-be codebreakers...
Apple Abandoned Plans for Encrypted iCloud Backup after FBI Complained
This is new from Reuters: More than two years ago, Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud, according to one current and three former FBI officials and one current and one former Apple employee. Under that plan, primarily...
Securing Tiffany's Move
Story of how Tiffany & Company moved all of its inventory from one store to another. Short summary: careful auditing and a lot of police...
Hacking School Surveillance Systems
Lance Vick suggesting that students hack their schools' surveillance systems. "This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine," he said. Of course, there are a lot more laws in place against this sort of thing than there...
Another Side Channel in Intel Chips
Not that serious, but interesting: In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard and significantly longer path through t...
Using Hacked IoT Devices to Disrupt the Power Grid
This is really interesting research: "BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid": Abstract: We demonstrate that an Internet of Things IoT botnet of high wattage devices -- such as air conditioners and heaters -- gives a unique ability to adversaries to launch...
Hacking Police Bodycams
Suprising no one, the security of police bodycams is terrible. Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it...
Hacking the McDonald's Monopoly Sweepstakes
Long and interesting story -- now two decades old -- of massive fraud perpetrated against the McDonald's Monopoly sweepstakes. The central fraudster was the person in charge of securing the winning tickets...
Gas Pump Hack
This is weird: Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart th...
Domain Name Stealing at Gunpoint
I missed this story when it came around last year: someone tried to steal a domain name at gunpoint. He was just sentenced to 20 years in jail...
The Habituation of Security Warnings
We all know that it happens: when we see a security warning too often -- and without effect -- we start tuning it out. A new paper uses fMRI, eye tracking, and field studies to prove it. EDITED TO ADD 6/6: This blog post summarizes the findings...
Supermarket Shoplifting
The rise of self-checkout has caused a corresponding rise in shoplifting...
COPPA Compliance
Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale": Abstract: We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance...
Mozilla's Guide to Privacy-Aware Christmas Shopping
Mozilla reviews the privacy practices of Internet-connected toys, home accessories, exercise equipment, and more...
Apple FaceID Hacked
It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlockin...
Gaming Google News
Turns out that it's surprisingly easy to game: It appears that news sites deemed legitimate by Google News are being modified by third parties. These sites are then exploited to redirect to the spam content. It appears that the compromised sites are examining the referrer and redirecting visitors...
Forbes Names Beyond Fear as One of the "13 Books Technology Executives Should Have On Their Shelves"
It's a weird list...
Human Rights Watch Needs an Information Security Director
I'm sure it pays less than the industry average, and the stakes are much higher than the average. But if you want to be a Director of Information Security that makes a difference, Human Rights Watch is hiring...
The Hacking of Culture and the Creation of Socio-Technical Debt
Culture is increasingly mediated through algorithms. These algorithms have splintered the organization of culture, a result of states and tech companies vying for influence over mass audiences. One byproduct of this splintering is a shift from imperfect but broad cultural narratives to a...
Leaving Authentication Credentials in Public Code
Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000...
Friday Squid Blogging: On the Ugliness of Squid Fishing
And seafood in general: A squid ship is a bustling, bright, messy place. The scene on deck looks like a mechanics garage where an oil change has gone terribly wrong. Scores of fishing lines extend into the water, each bearing specialized hooks operated by automated reels. When they pull a squid o...
LLMs and Tool Use
Last March, just two weeks after GPT-4 was released, researchers at Microsoft quietly announced a plan to compile millions of APIs--tools that can do everything from ordering a pizza to solving physics equations to controlling the TV in your living room--into a compendium that would be made...
You Can’t Rush Post-Quantum-Computing Cryptography Standards
I just read an article complaining that NIST is taking too long in finalizing its post-quantum-computing cryptography standards. This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understandi...
Redacting Documents with a Black Sharpie Doesn’t Work
We have learned this lesson again: As part of the FTC v. Microsoft hearing, Sony supplied a document from PlayStation chief Jim Ryan that includes redacted details on the margins Sony shares with publishers, its Call of Duty revenues, and even the cost of developing some of its games. It looks li...
Mary Queen of Scots Letters Decrypted
This is a neat piece of historical research. The team of computer scientist George Lasry, pianist Norbert Biermann and astrophysicist Satoshi Tomokiyo--all keen cryptographers--initially thought the batch of encoded documents related to Italy, because that was how they were filed at the...