2980 matches found
The Hacking of Culture and the Creation of Socio-Technical Debt
Culture is increasingly mediated through algorithms. These algorithms have splintered the organization of culture, a result of states and tech companies vying for influence over mass audiences. One byproduct of this splintering is a shift from imperfect but broad cultural narratives to a...
Leaving Authentication Credentials in Public Code
Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000...
Friday Squid Blogging: On the Ugliness of Squid Fishing
And seafood in general: A squid ship is a bustling, bright, messy place. The scene on deck looks like a mechanics garage where an oil change has gone terribly wrong. Scores of fishing lines extend into the water, each bearing specialized hooks operated by automated reels. When they pull a squid o...
LLMs and Tool Use
Last March, just two weeks after GPT-4 was released, researchers at Microsoft quietly announced a plan to compile millions of APIs--tools that can do everything from ordering a pizza to solving physics equations to controlling the TV in your living room--into a compendium that would be made...
You Can’t Rush Post-Quantum-Computing Cryptography Standards
I just read an article complaining that NIST is taking too long in finalizing its post-quantum-computing cryptography standards. This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understandi...
Redacting Documents with a Black Sharpie Doesn’t Work
We have learned this lesson again: As part of the FTC v. Microsoft hearing, Sony supplied a document from PlayStation chief Jim Ryan that includes redacted details on the margins Sony shares with publishers, its Call of Duty revenues, and even the cost of developing some of its games. It looks li...
Mary Queen of Scots Letters Decrypted
This is a neat piece of historical research. The team of computer scientist George Lasry, pianist Norbert Biermann and astrophysicist Satoshi Tomokiyo--all keen cryptographers--initially thought the batch of encoded documents related to Italy, because that was how they were filed at the...
Malware Delivered through Google Search
Criminals using Google search ads to deliver malware isnt new, but Ars Technica declared that the problem has become much worse recently. The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past,...
Security Vulnerabilities in Eufy Cameras
Eufy cameras claim to be local only, but upload data to the cloud. The company is basically lying to reporters, despite being shown evidence to the contrary. The companys behavior is so egregious that ReviewGeek is no longer recommending them. This will be interesting to watch. If Eufy can ignore...
A New Cybersecurity “Social Contract”
The US National Cyber Director Chris Inglis wrote an essay outlining a new social contract for the cyber age: The United States needs a new social contract for the digital age -- one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations...
Friday Squid Blogging: Strawberry Squid
Pretty pictures of a strawberry squid Histioteuthis heteropsis. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
I Am Not Satoshi Nakamoto
This isnt the first time Ive received an e-mail like this: Hey! Ive done my research and looked at a lot of facts and old forgotten archives. I know that you are Satoshi, I do not want to tell anyone about this. I just wanted to say that you created weapons of mass destruction where niches remain...
ProtonMail Now Keeps IP Logs
After being compelled by a Swiss court to monitor IP logs for a particular user, ProtonMail no longer claims that "we do not keep any IP logs." EDITED TO ADD 9/14: This seems to be more complicated. ProtonMail is not yet saying that they keep logs. Their privacy policy still states that they do n...
Zero-Click iPhone Exploits
Citizen Lab is reporting on two zero-click iMessage exploits, in spyware sold by the cyberweapons arms manufacturer NSO Group to the Bahraini government. These are particularly scary exploits, since they dont require to victim to do anything, like click on a link or open a file. The victim receiv...
Interesting Privilege Escalation Vulnerability
If you plug a Razer peripheral mouse or keyboard, I think into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software -- which automatically downloads -- to gain SYSTEM privileges. It should be noted that this is a local privilege escalation LPE vulnerability, which...
Ransomware Is Getting Ugly
Modern ransomware has two dimensions: pay to get your data back, and pay not to have your data dumped on the Internet. The DC police are the victims of this ransomware, and the criminals have just posted personnel records -- "including the results of psychological assessments and polygraph tests;...
Investigating the Navalny Poisoning
Bellingcat has investigated the near-fatal poisoning of Alexey Navalny by the Russian FSB back in August. The details display some impressive traffic analysis. Navalny got a confession out of one of the poisoners, displaying some masterful social engineering. Lots of interesting opsec details in...
Open Source Does Not Equal Secure
Way back in 1999, I wrote about open-source software: First, simply publishing the code does not automatically mean that people will examine it for security flaws. Security researchers are fickle and busy people. They do not have the time to examine every piece of source code that is published. S...
New Zealand Election Fraud
It seems that this election season has not gone without fraud. In New Zealand, a vote for "Bird of the Year" has been marred by fraudulent votes: More than 1,500 fraudulent votes were cast in the early hours of Monday in the countrys annual bird election, briefly pushing the Little-Spotted Kiwi t...
On Risk-Based Authentication
Interesting usability study: "More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication": Abstract: Risk-based Authentication RBA is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during...
Hacking a Coffee Maker
As expected, IoT devices are filled with vulnerabilities: As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite ...
CEO of NS8 Charged with Securities Fraud
The founder and CEO of the Internet security company NS8 has been arrested and "charged in a Complaint in Manhattan federal court with securities fraud, fraud in the offer and sale of securities, and wire fraud." I admit that Ive never even heard of the company before...
The Third Edition of Ross Anderson’s Security Engineering
Ross Andersons fantastic textbook, Security Engineering, will have a third edition. The book wont be published until December, but Ross has been making drafts of the chapters available online as he finishes them. Now that the book is completed, I expect the publisher to make him take the drafts o...
Half a Million IoT Passwords Leaked
It is amazing that this sort of thing can still happen: ...the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using 1 factory-set default usernames and passwords, or 2 custom, but easy-to-guess password combinations. Telne...
Cryptocurrency Pump and Dump Scams
Really interesting research: "An examination of the cryptocurrency pump and dump ecosystem": Abstract: The surge of interest in cryptocurrencies has been accompanied by a proliferation of fraud. This paper examines pump and dump schemes. The recent explosion of nearly 2,000 cryptocurrencies in an...
Fooling NLP Systems Through Word Swapping
MIT researchers have built a system that fools natural-language processing systems by swapping words with synonyms: The software, developed by a team at MIT, looks for the words in a sentence that are most important to an NLP classifier and replaces them with a synonym that a human would find...
Another Story of Bad 1970s Encryption
This one is from the Netherlands. It seems to be clever cryptanalysis rather than a backdoor. The Dutch intelligence service has been able to read encrypted communications from dozens of countries since the late 1970s thanks to a microchip, according to research by de Volkskrant on Thursday. The...
Internet of Things Candle
There's a Kickstarter for an actual candle, with real fire, that you can control over the Internet. What could possibly go wrong?...
Massive Ad Fraud Scheme Relied on BGP Hijacking
This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol: Members of 3ve pronounced "eve" used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a...
Your Personal Data is Already Stolen
In an excellent blog post, Brian Krebs makes clear something I have been saying for a while: Likewise for individuals, it pays to accept two unfortunate and harsh realities: Reality 1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheles...
ID Systems Throughout the 50 States
Jim Harper at CATO has a good survey of state ID systems in the US...
Terahertz Millimeter-Wave Scanners
Interesting article on terahertz millimeter-wave scanners and their uses to detect terrorist bombers. The heart of the device is a block of electronics about the size of a 1990s tower personal computer. It comes housed in a musician's black case, akin to the one Spinal Tap might use on tour. At t...
The US Is Unprepared for Election-Related Hacking in 2018
This survey and report is not surprising: The survey of nearly forty Republican and Democratic campaign operatives, administered through November and December 2017, revealed that American political campaign staff -- primarily working at the state and congressional levels -- are not only unprepare...
Impersonating iOS Password Prompts
This is an interesting security vulnerability: because it is so easy to impersonate iOS password prompts, a malicious app can steal your password just by asking. Why does this work? iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS...
Friday Squid Blogging: Squid as Prey
There's lots of video of squid as undersea predators. This is one of the few instances of squid as prey from a deep submersible in the Pacific: "We saw brittle stars capturing a squid from the water column while it was swimming. I didn't know that was possible. And then there was a tussle among t...
Ransomware Gang Files SEC Complaint
A ransomware gang, annoyed at not being paid, filed an SEC complaint against its victim for not disclosing its security breach within the required four days. This is over the top, but is just another example of the extreme pressure ransomware gangs put on companies after seizing their data. Gangs...
AI and US Election Rules
If an AI breaks the rules for you, does that count as breaking the rules? This is the essential question being taken up by the Federal Election Commission this month, and public input is needed to curtail the potential for AI to take US campaigns even more off the rails. At issue is whether...
USB “Rubber Ducky” Attack Tool
The USB Rubber Ducky is getting better and better. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a users login credentials or causing Chrome to send all saved passwords to an attackers webserver. But these attacks had to ...
Bypassing Two-Factor Authentication
These techniques are not new, but theyre increasingly popular: …some forms of MFA are stronger than others, and recent events show that these weaker forms arent much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and...
ROT8000
ROT8000 is the Unicode equivalent of ROT13. Whats clever about it is that normal English looks like Chinese, and not like ciphertext to a typical Westerner, that is...
Andrew Appel on New Hampshire’s Election Audit
Really interesting two part analysis of the audit conducted after the 2020 election in Windham, New Hampshire. Based on preliminary reports published by the team of experts that New Hampshire engaged to examine an election discrepancy, it appears that a buildup of dust in the read heads of...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m keynoting the all-virtual RSA Conference 2021, May 17-20, 2021. I’m keynoting the 5th International Symposium on Cyber Security Cryptology and Machine Learning via Zoom, July 8-9, 2021. I’ll be speaking at an Informa event on...
Newly Declassified NSA Document on Cryptography in the 1970s
This is a newly unclassified NSA history of its reaction to academic cryptography in the 1970s: "NSA Comes Out of the Closet: The Debate over Public Cryptography in the Inman Era," Cryptographic Quarterly, Spring 1996, author still classified...
Phone Cloning Scam
A newspaper in Malaysia is reporting on a cell phone cloning scam. The scammer convinces the victim to lend them their cell phone, and the scammer quickly clones it. Whats clever about this scam is that the victim is an Uber driver and the scammer is the passenger, so the driver is naturally busy...
Friday Squid Blogging: Flying Squid
How squid fly. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New iMessage Security Features
Apple has added added security features to mitigate the risk of zero-click iMessage attacks. Apple did not document the changes but Groß said he fiddled around with the newest iOS 14 and found that Apple shipped a "significant refactoring of iMessage processing" that severely cripples the usual...
More on the SolarWinds Breach
The New York Times has more details. About 18,000 private and government users downloaded a Russian tainted software update - a Trojan horse of sorts - that gave its hackers a foothold into victims systems, according to SolarWinds, the company whose software was compromised. Among those who use...
How the SolarWinds Hackers Bypassed Duo’s Multi-Factor Authentication
This is interesting: Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was the targeted mailbox was protected by MFA. Logs from the Exchan...
FireEye Hacked
FireEye was hacked by -- they believe -- "a nation with top-tier offensive capabilities": During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many...
On Blockchain Voting
Blockchain voting is a spectacularly dumb idea for a whole bunch of reasons. I have generally quoted Matt Blaze: Why is blockchain voting a dumb idea? Glad you asked. For starters: It doesnt solve any problems civil elections actually have. Its basically incompatible with "software independence",...