2981 matches found
Interview with the Author of the 2000 Love Bug Virus
No real surprises, but we finally have the story. The story he went on to tell is strikingly straightforward. De Guzman was poor, and internet access was expensive. He felt that getting online was almost akin to a human right a view that was ahead of its time. Getting access required a password, ...
How the FIN7 Cybercrime Gang Operates
The Grugq has written an excellent essay on how the Russian cybercriminal gang FIN7 operates. An excerpt: The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of...
Cory Doctorow on The Age of Surveillance Capitalism
Cory Doctorow has writtten an extended rebuttal of The Age of Surveillance Capitalism by Shoshana Zuboff. He summarized the argument on Twitter. Shorter summary: it's not the surveillance part, it's the fact that these companies are monopolies. I think it's both. Surveillance capitalism has some...
Images in Eye Reflections
In Japan, a cyberstalker located his victim by enhancing the reflections in her eye, and using that information to establish a location. Reminds me of the image enhancement scene in Blade Runner. That was science fiction, but now image resolution is so good that we have to worry about it...
Adversarial Machine Learning and the CFAA
I just co-authored a paper on the legal risks of doing machine learning research, given the current state of the Computer Fraud and Abuse Act: Abstract: Adversarial Machine Learning is booming with ML researchers increasingly targeting commercial ML systems such as those used in Facebook, Tesla,...
Friday Squid Blogging: China Closing Its Squid Spawning Grounds
China is prohibiting squid fishing in two areas -- both in international waters -- for two seasons, to give squid time to recover and reproduce. This is the first time China has voluntarily imposed a closed season on the high seas. Some experts regard it as an important step forward in China's...
iPhone Apps Stealing Clipboard Data
iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information. While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a bann...
Another Intel Speculative Execution Vulnerability
Remember Spectre and Meltdown? Back in early 2018, I wrote: Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming --...
Wallpaper that Crashes Android Phones
This is interesting: The image, a seemingly innocuous sunset or dawn sky above placid waters, may be viewed without harm. But if loaded as wallpaper, the phone will crash. The fault does not appear to have been maliciously created. Rather, according to developers following Ice Universe's Twitter...
California Needlessly Reduces Privacy During COVID-19 Pandemic
This one isn't even related to contact tracing: On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 the Order, which relaxes various telehealth...
The Insecurity of WordPress and Apache Struts
Interesting data: A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts. The Drupal content...
Distributing Malware By Becoming an Admin on an Open-Source Project
The module "event-stream" was infected with malware by an anonymous someone who became an admin on the project. Cory Doctorow points out that this is a clever new attack vector: Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lo...
Defeating the "Deal or No Deal" Arcade Game
Two teenagers figured out how to beat the "Deal or No Deal" arcade game by filming the computer animation and then slowing it down enough to determine where the big prize was hidden...
Security Vulnerability in Smart Electric Outlets
A security vulnerability in Belkin's Wemo Insight "smartplugs" allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network. From the Register: The bug underscores the primary risk posed by IoT devices and connected appliances. Because...
Don't Fear the TSA Cutting Airport Security. Be Glad That They're Talking about It.
Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes -- 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations. To be clear, the TSA has put forth no...
Ridiculously Insecure Smart Lock
Tapplock sells an "unbreakable" Internet-connected lock that you can open with your fingerprint. It turns out that: 1. The lock broadcasts its Bluetooth MAC address in the clear, and you can calculate the unlock key from it. 2. Any Tapplock account an unlock every lock. 3. You can open the lock...
Skygofree: New Government Malware for Android
Kaspersky Labs is reporting on a new piece of sophisticated malware: We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was...
Denuvo DRM Cracked within a Day of Release
Denuvo is probably the best digital-rights management system, used to protect computer games. It's regularly cracked within a day. If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers. But that...
Securing a Raspberry Pi
A Raspberry Pi is a tiny computer designed for makers and all sorts of Internet-of-Things types of projects. Make magazine has an article about securing it. Reading it, I am struck by how much work it is to secure. I fear that this is beyond the capabilities of most tinkerers, and the result will...
Hacking the Galaxy S8's Iris Biometric
It was easy: The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture...
The Quick vs. the Strong: Commentary on Cory Doctorow's Walkaway
Technological advances change the world. That's partly because of what they are, but even more because of the social changes they enable. New technologies upend power balances. They give groups new capabilities, increased effectiveness, and new defenses. The Internet decades have been a...
Rigged Poker Games
The Department of Justice has indicted thirty-one people over the high-tech rigging of high-stakes poker games. In a typical legitimate poker game, a dealer uses a shuffling machine to shuffle the cards randomly before dealing them to all the players in a particular order. As set forth in the...
LLMs Acting Deceptively
New research: "Deception abilities emerged in large language models": Abstract: Large language models LLMs are currently at the forefront of intertwining AI systems with human communication and everyday life. Thus, aligning them with human values is of great importance. However, given the steady...
Online Privacy and Overfishing
Microsoft recently caught state-backed hackers using its generative AI tools to help with their attacks. In the security community, the immediate questions werent about how hackers were using the tools that was utterly predictable, but about how Microsoft figured it out. The natural conclusion wa...
Ross Anderson
Ross Anderson unexpectedly passed away Thursday night in, I believe, his home in Cambridge. I cant remember when I first met Ross. Of course it was before 2008, when we created the Security and Human Behavior workshop. It was well before 2001, when we created the Workshop on Economics and...
Using LLMs to Unredact Text
Initial results in using LLMs to unredact text based on the size of the individual-word redaction rectangles. This feels like something that a specialized ML system could be trained on...
EPA Won’t Force Water Utilities to Audit Their Cybersecurity
The industry pushed back: Despite the EPAs willingness to provide training and technical support to help states and public water system organizations implement cybersecurity surveys, the move garnered opposition from both GOP state attorneys and trade groups. Republican state attorneys that were...
Apple Is Finally Encrypting iCloud Backups
After way too many years, Apple is finally encrypting iCloud backups: Based on a screenshot from Apple, these categories are covered when you flip on Advanced Data Protection: device backups, messages backups, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos,...
Leaked Signing Keys Are Being Used to Sign Malware
A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware. Łukasz Siewierski, a member of Googles Android Security Team, has a post on the Android Partner Vulnerability Initiative AVPI issue tracker detailing leaked platform certificate keys...
Qatar Spyware
Everyone visiting Qatar for the World Cup needs to install spyware on their phone. Everyone travelling to Qatar during the football World Cup will be asked to download two apps called Ehteraz and Hayya. Briefly, Ehteraz is an covid-19 tracking app, while Hayya is an official World Cup app used to...
Levels of Assurance for DoD Microelectronics
The NSA has has published criteria for evaluating levels of assurance required for DoD microelectronics. The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include...
NIST’s Post-Quantum Cryptography Standards
Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit a quantum bit to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional...
On the Dangers of Cryptocurrencies and the Uselessness of Blockchain
Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are an complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. In response,...
Iranian State-Sponsored Hacking Attempts
Interesting attack: Masquerading as UK scholars with the University of Londons School of Oriental and African Studies SOAS, the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with hi...
Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer
MalwareBytes is reporting a weird software credit card skimmer. It harvests credit card data stolen by another, different skimmer: Even though spotting multiple card skimmer scripts on the same online shop is not unheard of, this one stood out due to its highly specialized nature. "The threat...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking online at Western Washington University on January 20, 2021. Details to come. I’ll be speaking at an Informa event on February 28, 2021. Details to come. The list is maintained on this page...
Interesting Attack on the EMV Smartcard Payment Standard
Its complicated, but its basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able...
US Space Cybersecurity Directive
The Trump Administration just published "Space Policy Directive - 5": "Cybersecurity Principles for Space Systems." Its pretty general: Principles. a Space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed...
US Postal Service Files Blockchain Voting Patent
The US Postal Service has filed a patent on a blockchain voting method: Abstract: A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot...
On the Twitter Hack
Twitter was hacked this week. Not a few people's Twitter accounts, but all of Twitter. Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter's system administrators. Those are the people trusted to ensure that Twitter functions smoothly. The...
Nation-State Espionage Campaigns against Middle East Defense Contractors
Report on espionage attacks using LinkedIn as a vector for malware, with details and screenshots. They talk about "several hints suggesting a possible link" to the Lazarus group aka North Korea, but that's by no means definite. As part of the initial compromise phase, the Operation Interception...
Gene Spafford on Internet Voting
Good interview...
ILOVEYOU Virus
It's the twentieth anniversary of the ILOVEYOU virus, and here are three interesting articles about it and its effects on software design...
Story of Gus Weiss
This is a long and fascinating article about Gus Weiss, who masterminded a long campaign to feed technical disinformation to the Soviet Union, which may or may not have caused a massive pipeline explosion somewhere in Siberia in the 1980s, if in fact there even was a massive pipeline explosion...
A US Data Protection Agency
The United States is one of the few democracies without some formal data protection agency, and we need one. Senator Gillibrand just proposed creating one...
Details of an Airbnb Fraud
This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn't do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially...
I'm Looking to Hire a Strategist to Help Figure Out Public-Interest Tech
I am in search of a strategic thought partner: a person who can work closely with me over the next 9 to 12 months in assessing what's needed to advance the practice, integration, and adoption of public-interest technology. All of the details are in the RFP. The selected strategist will work close...
Public Shaming of Companies for Bad Security
Troy Hunt makes some good points, with good examples...
1Password's Travel Mode
The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every ite...
Hijacking Emergency Sirens
Turns out it's easy to hijack emergency sirens with a radio transmitter...