2982 matches found
Rare Interviews with Enigma Cryptanalyst Marian Rejewski
The Polish Embassy has posted a series of short interview segments with Marian Rejewski, the first person to crack the Enigma. Details from his biography...
Friday Squid Blogging: The Geopolitics of Eating Squid
New York Times op-ed on the Chinese dominance of the squid industry: Chinas domination in seafood has raised deep concerns among American fishermen, policymakers and human rights activists. They warn that China is expanding its maritime reach in ways that are putting domestic fishermen around the...
Friday Squid Blogging: Protecting Cephalopods in Medical Research
From Nature: Cephalopods such as octopuses and squid could soon receive the same legal protection as mice and monkeys do when they are used in research. On 7 September, the US National Institutes of Health NIH asked for feedback on proposed guidelines that, for the first time in the United States...
Bots Are Better than Humans at Solving CAPTCHAs
Interesting research: "An Empirical Study & Evaluation of Modern CAPTCHAs": Abstract: For nearly two decades, CAPTCHAS have been widely used as a means of protection against bots. Throughout the years, as their use grew, techniques to defeat or bypass CAPTCHAS have continued to improve. Meanwhile...
Political Milestones for AI
ChatGPT was released just nine months ago, and we are still learning how it will affect our daily lives, our careers, and even our systems of self-governance. But when it comes to how AI may threaten our democracy, much of the public conversation lacks imagination. People talk about the danger of...
The FBI Identified a Tor User
No details, though: According to the complaint against him, Al-Azhari allegedly visited a dark web site that hosts "unofficial propaganda and photographs related to ISIS" multiple times on May 14, 2019. In virtue of being a dark web site--that is, one hosted on the Tor anonymity network--it...
Obligatory ChatGPT Post
Seems like absolutely everyone everywhere is playing with Chat GPT. So I did, too…. Write an essay in the style of Bruce Schneier on how ChatGPT will affect cybersecurity. As with any new technology, the development and deployment of ChatGPT is likely to have a significant impact on the field of...
Facebook Is Down
Facebook -- along with Instagram and WhatsApp -- went down globally today. Basically, someone deleted their BGP records, which made their DNS fall apart. …at approximately 11:39 a.m. ET today 15:39 UTC, someone at Facebook caused an update to be made to the companys Border Gateway Protocol BGP...
Check What Information Your Browser Leaks
These two sites tell you what sorts of information youre leaking from your browser...
History of the HX-63 Rotor Machine
Jon D. Paul has written the fascinating story of the HX-63, a super-complicated electromechanical rotor cipher machine made by Crypto AG...
More on Apple’s iPhone Backdoor
In this post, Ill collect links on Apples iPhone backdoor for scanning CSAM images. Previous links are here and here. Apple says that hash collisions in its CSAM detection system were expected, and not a concern. Im not convinced that this secondary system was originally part of the design, since...
The Story of Colossus
Nice video of a talk by Chris Shore on the history of Colossus...
Determining Key Shape from Sound
Its not yet very accurate or practical, but under ideal conditions it is possible to figure out the shape of a house key by listening to it being used. Listen to Your Key: Towards Acoustics-based Physical Key Inference Abstract: Physical locks are one of the most prevalent mechanisms for securing...
The Security Failures of Online Exam Proctoring
Proctoring an online exam is hard. Its hard to be sure that the student isnt cheating, maybe by having reference materials at hand, or maybe by substituting someone else to take the exam for them. There are a variety of companies that provide online proctoring services, but theyre uniformly...
Detecting Phishing Emails
Research paper: Rick Wash, "How Experts Detect Phishing Scam Emails": Abstract: Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduc...
Friday Squid Blogging: Squid-like Nebula
Pretty astronomical photo. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Hacking Apple for Profit
Five researchers hacked Apple Computers networks -- not their products -- and found fifty-five vulnerabilities. So far, they have received $289K. One of the worst of all the bugs they found would have allowed criminals to create a worm that would automatically steal all the photos, videos, and...
Iranian Government Hacking Android
The New York Times wrote about a still-unreleased report from Chckpoint and the Miaan Group: The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging ...
Former NSA Director Keith Alexander Joins Amazon’s Board of Directors
This sounds like a bad idea...
Friday Squid Blogging: Nano-Sized SQUIDS
SQUID news: Physicists have developed a small, compact superconducting quantum interference device SQUID that can detect magnetic fields. The team l focused on the instruments core, which contains two parallel layers of graphene. As usual, you can also use this squid post to talk about the securi...
iPhone Apps Stealing Clipboard Data
iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information. While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a bann...
New Hacking-for-Hire Company in India
Citizen Lab has a new report on Dark Basin, a large hacking-for-hire company in India. Key Findings: Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior...
Security Analysis of the Democracy Live Online Voting System
New research: "Security Analysis of the Democracy Live Online Voting System": Abstract: Democracy Live's OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and optionally online voting. Three states -- Delaware, West Virginia, and New Jersey -- recently announced...
Malware in Google Apps
Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam. At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they...
Clarifying the Computer Fraud and Abuse Act
A federal court has ruled that violating a website's terms of service is not "hacking" under the Computer Fraud and Abuse Act. The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have...
The Insecurity of WordPress and Apache Struts
Interesting data: A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts. The Drupal content...
On Security Tokens
Mark Risher of Google extols the virtues of security keys: I'll say it again for the people in the back: with Security Keys, instead of the user needing to verify the site, the site has to prove itself to the key. Good security these days is about human factors; we have to take the onus off of th...
Defeating the "Deal or No Deal" Arcade Game
Two teenagers figured out how to beat the "Deal or No Deal" arcade game by filming the computer animation and then slowing it down enough to determine where the big prize was hidden...
Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising
From Kashmir Hill: Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other...
Counting People Through a Wall with WiFi
Interesting research: In the team's experiments, one WiFi transmitter and one WiFi receiver are behind walls, outside a room in which a number of people are present. The room can get very crowded with as many as 20 people zigzagging each other. The transmitter sends a wireless signal whose receiv...
Future Cyberwar
A report for the Center for Strategic and International Studies looks at surprise and war. One of the report's cyberwar scenarios is particularly compelling. It doesn't just map cyber onto today's tactics, but completely reimagines future tactics that include a cyber component quote starts on pag...
How the US Military Can Better Keep Hackers
Interesting commentary: The military is an impossible place for hackers thanks to antiquated career management, forced time away from technical positions, lack of mission, non-technical mid- and senior-level leadership, and staggering pay gaps, among other issues. It is possible the military need...
Beating Facial Recognition Software with Face Makeup
At least right now, facial recognition algorithms don't work with Juggalo makeup...
Regulating Bitcoin
Ross Anderson has a new paper on cryptocurrency exchanges. From his blog: Bitcoin Redux explains what's going wrong in the world of cryptocurrencies. The bitcoin exchanges are developing into a shadow banking system, which do not give their customers actual bitcoin but rather display a "balance"...
DARPA Funding in AI-Assisted Cybersecurity
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS Computers and Humans Exploring Software Security, and they're holding a proposers day in a week and a half. This is the kind of thing that can dramatically change the...
Water Utility Infected by Cryptocurrency Mining Software
A water utility in Europe has been infected by cryptocurrency mining software. This is a relatively new attack: hackers compromise computers and force them to mine cryptocurrency for them. This is the first time I've seen it infect SCADA systems, though. It seems that this mining software is...
Fingerprinting Digital Documents
In this era of electronic leakers, remember that zero-width spaces and homoglyph substitution can fingerprint individual instances of files...
Denuvo DRM Cracked within a Day of Release
Denuvo is probably the best digital-rights management system, used to protect computer games. It's regularly cracked within a day. If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers. But that...
Securing a Raspberry Pi
A Raspberry Pi is a tiny computer designed for makers and all sorts of Internet-of-Things types of projects. Make magazine has an article about securing it. Reading it, I am struck by how much work it is to secure. I fear that this is beyond the capabilities of most tinkerers, and the result will...
Inmates Secretly Build and Network Computers while in Prison
This is kind of amazing: Inmates at a medium-security Ohio prison secretly assembled two functioning computers, hid them in the ceiling, and connected them to the Marion Correctional Institution's network. The hard drives were loaded with pornography, a Windows proxy server, VPN, VOIP and...
Tainted Leaks
Last year, I wrote about the potential for doxers to alter documents before they leaked them. It was a theoretical threat when I wrote it, but now Citizen Lab has documented this technique in the wild: This report describes an extensive Russia-linked phishing and disinformation campaign. It...
Using Wi-Fi to Get 3D Images of Surrounding Location
Interesting research: The radio signals emitted by a commercial Wi-Fi router can act as a kind of radar, providing images of the transmitter's environment, according to new experiments. Two researchers in Germany borrowed techniques from the field of holography to demonstrate Wi-Fi imaging. They...
Perfectl Malware
Perfectl in an impressive piece of malware: The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security...
How AI Will Change Democracy
I dont think its an exaggeration to predict that artificial intelligence will affect every aspect of our society. Not by doing new things. But mostly by doing things that are already being done by humans, perfectly competently. Replacing humans with AIs isnt necessarily interesting. But when an A...
Surveillance by the New Microsoft Outlook App
The ProtonMail people are accusing Microsofts new Outlook for Windows app of conducting extensive surveillance on its users. It shares data with advertisers, a lot of data: The window informs users that Microsoft and those 801 third parties use their data for a number of purposes, including to:...
Bounty to Recover NIST’s Elliptic Curve Seeds
This is a fun challenge: The NIST elliptic curves that power much of modern cryptography were generated in the late 90s by hashing seeds provided by the NSA. How were the seeds generated? Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry...
The Need for Trustworthy AI
If you ask Alexa, Amazons voice assistant AI system, whether Amazon is a monopoly, it responds by saying it doesnt know. It doesnt take much to make it lambaste the other tech giants, but its silent about its own corporate parents misdeeds. When Alexa responds in this way, its obvious that it is...
Security Risks of New .zip and .mov Domains
Researchers are worried about Googles .zip and .mov domains, because they are confusing. Mistaking a URL for a filename could be a security vulnerability...
Cyberweapons Manufacturer QuaDream Shuts Down
Following a report on its activities, the Israeli spyware company QuaDream has shut down. This was QuadDream: Key Findings Based on an analysis of samples shared with us by Microsoft Threat Intelligence, we developed indicators that enabled us to identify at least five civil society victims of...
US Cyber Command Operations During the 2022 Midterm Elections
The head of both US Cyber Command and the NSA, Gen. Paul Nakasone, broadly discussed that first organizations offensive cyber operations during the runup to the 2022 midterm elections. He didnt name names, of course: We did conduct operations persistently to make sure that our foreign adversaries...