2980 matches found
Backdoor in XZ Utils That Almost Happened
Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention--but it should. There’s an important moral to the story of the attack and its discovery: The...
Security Vulnerability of HTML Emails
This is a newly discovered email vulnerability: The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in...
Magic Security Dust
Adam Shostack is selling magic security dust. Its about time someone is commercializing this essential technology...
Deepfake Fraud
A deepfake video conference call--with everyone else on the call a fake--fooled a finance worker into sending $25M to the criminals account...
Friday Squid Blogging: New Foods from Squid Fins
We only eat about half of a squid, ignoring the fins. A group of researchers is working to change that. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Ben Rothke’s Review of A Hacker’s Mind
Ben Rothke chose A Hackers Mind as "the best information security book of 2023."...
The Privacy Disaster of Modern Smart Cars
Article based on a Mozilla report...
Child Exploitation and the Crypto Wars
Susan Landau published an excellent essay on the current justification for the government breaking end-to-end-encryption: child sexual abuse and exploitation CSAE. She puts the debate into historical context, discusses the problem of CSAE, and explains why breaking encryption isnt the solution...
New Revelations from the Snowden Documents
Jake Appelbaums PhD thesis contains several new revelations from the classified NSA documents provided to journalists by Edward Snowden. Nothing major, but a few more tidbits. Kind of amazing that that all happened ten years ago. At this point, those documents are more historical than anything...
Applying AI to License Plate Surveillance
License plate scanners arent new. Neither is using them for bulk surveillance. Whats new is that AI is being used on the data, identifying "suspicious" vehicle behavior: Typically, Automatic License Plate Recognition ALPR technology is used to search for plates linked to specific crimes. But in...
Zoom Can Spy on Your Calls and Use the Conversation to Train AI, But Says That It Won’t
This is why we need regulation: Zoom updated its Terms of Service in March, spelling out that the company reserves the right to train AI on user data with no mention of a way to opt out. On Monday, the company said in a blog post that theres no need to worry about that. Zoom execs swear the compa...
SolarWinds Detected Six Months Earlier
New reporting from Wired reveals that the Department of Justice detected the SolarWinds attack six months before Mandiant detected it in December 2020, but didnt realize what it detected--and so ignored it. WIRED can now confirm that the operation was actually discovered by the DOJ six months...
Another Malware with Persistence
Heres a piece of Chinese malware that infects SonicWall security appliances and survives firmware updates. On Thursday, security firm Mandiant published a report that said threat actors with a suspected nexus to China were engaged in a campaign to maintain long-term persistence by running malware...
Banning TikTok
Congress is currently debating bills that would ban TikTok in the United States. We are here as technologists to tell you that this is a terrible idea and the side effects would be intolerable. Details matter. There are several ways Congress might ban TikTok, each with different efficacies and si...
Leaked Signing Keys Are Being Used to Sign Malware
A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware. Łukasz Siewierski, a member of Googles Android Security Team, has a post on the Android Partner Vulnerability Initiative AVPI issue tracker detailing leaked platform certificate keys...
Successful Hack of Time-Triggered Ethernet
Time-triggered Ethernet TTE is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. Researchers have defeated it: On Tuesday, researchers published findings that, for the first time, break TTEs isolation guarantees. The result is PCspooF...
NSA on Supply Chain Security
The NSA together with CISA has published a long report on supply-chain security: "Securing the Software Supply Chain: Recommended Practices Guide for Suppliers.": Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code,...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. Im speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...
Friday Squid Blogging: The Language of the Jumbo Flying Squid
The jumbo flying squid Dosidicus gigas uses its color-changing ability as a language: In 2020, however, marine biologists discovered that jumbo flying squid are surprisingly coordinated. Despite their large numbers, the squid rarely bumped into each other or competed for the same prey. The...
Friday Squid Blogging: Bathyteuthis berryi Holding Eggs
Image and video of a Bathyteuthis berryi carrying a few hundred eggs, taken at a depth of 4,650 feet. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Security Vulnerabilities in Honda’s Keyless Entry System
Honda vehicles from 2021 to 2022 are vulnerable to this attack: On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin260...
Samsung Encryption Flaw
Researchers have found a major encryption flaw in 100 million Samsung Galaxy phones. From the abstract: In this work, we expose the cryptographic design and implementation of Androids Hardware-Backed Keystore in Samsungs Galaxy S8, S9, S10, S20, and S21 flagship devices. We reversed-engineered an...
More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers
Citizen Lab published another report on the spyware used against two Egyptian nationals. One was hacked by NSO Groups Pegasus spyware. The other was hacked both by Pegasus and by the spyware from another cyberweapons arms manufacturer: Cytrox. We havent heard a lot about Cytrox and its Predator...
Friday Squid Blogging: Bobtail Squid and Vibrio Bacteria
Research on the Vibrio bacteria and its co-evolution with its bobtail squid hosts. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking on "Securing a World of Physically Capable Computers" at @Hack on November 29, 2021. The list is maintained on this page...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m keynoting CIISec Live—an all-online event—September 15-16, 2021. I’m speaking at the Infosecurity Magazine EMEA Autumn Online Summit on September 21, 2021. I’m speaking at the Cybersecurity and Data Privacy Law Conference in...
Designing Contact-Tracing Apps
Susan Landau wrote an essay on the privacy, efficacy, and equity of contract-tracing smartphone apps. Also see her excellent book on the topic...
Tetris: Chinese Espionage Tool
Im starting to see writings about a Chinese espionage tool that exploits website vulnerabilities to try and identify Chinese dissidents...
More Biden Cybersecurity Nominations
News: President Biden announced key cybersecurity leadership nominations Monday, proposing Jen Easterly as the next head of the Cybersecurity and Infrastructure Security Agency and John "Chris" Inglis as the first ever national cyber director NCD. I know them both, and think theyre both good...
Undermining Democracy
Last Thursday, Rudy Giuliani, a Trump campaign lawyer, alleged a widespread voting conspiracy involving Venezuela, Cuba, and China. Another lawyer, Sidney Powell, argued that Mr. Trump won in a landslide, the entire election in swing states should be overturned and the legislatures should make su...
Determining What Video Conference Participants Are Typing from Watching Shoulder Movements
Accuracy isnt great, but that it can be done at all is impressive. Murtuza Jadiwala, a computer science professor heading the research project, said his team was able to identify the contents of texts by examining body movement of the participants. Specifically, they focused on the movement of...
Google Responds to Warrants for “About” Searches
One of the things we learned from the Snowden documents is that the NSA conducts "about" searches. That is, searches based on activities and not identifiers. A normal search would be on a name, or IP address, or phone number. An about search would something like "show me anyone that has used this...
Ranking National Cyber Power
Harvard Kennedy Schools Belfer Center published the "National Cyber Power Index 2020: Methodology and Analytical Considerations." The rankings: 1. US, 2. China, 3. UK, 4. Russia, 5. Netherlands, 6. France, 7. Germany, 8. Canada, 9. Japan, 10. Australia, 11. Israel. More countries are in the...
Hacking AI-Graded Tests
The company Edgenuity sells AI systems for grading tests. Turns out that they just search for keywords without doing any actual semantic analysis...
Security and Human Behavior (SHB) 2020
Today is the second day of the thirteenth Workshop on Security and Human Behavior. It's being hosted by the University of Cambridge, which in today's world means we're all meeting on Zoom. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of...
New US Electronic Warfare Platform
The Army is developing a new electronic warfare pod capable of being put on drones and on trucks. ...the Silent Crow pod is now the leading contender for the flying flagship of the Army's rebuilt electronic warfare force. Army EW was largely disbanded after the Cold War, except for short-range...
Friday Squid Blogging: Piglet Squid Video
Really neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Yubico Security Keys with a Crypto Flaw
Wow, is this an embarrassing bug: Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness ...
The DoJ's Secret Legal Arguments to Break Cryptography
Earlier this year, the US Department of Justice made a series of legal arguments as to why Facebook should be forced to help the government wiretap Facebook Messenger. Those arguments are still sealed. The ACLU is suing to make them public...
That Bloomberg Supply-Chain-Hack Story
Back in October, Bloomberg reported that China has managed to install backdoors into server equipment that ended up in networks belonging to -- among others -- Apple and Amazon. Pretty much everybody has denied it including the US DHS and the UK NCSC. Bloomberg has stood by its story -- and is...
Privacy and Security of Data at Universities
Interesting paper: "Open Data, Grey Data, and Stewardship: Universities at the Privacy Frontier," by Christine Borgman: Abstract: As universities recognize the inherent value in the data they collect and hold, they encounter unforeseen challenges in stewarding those data in ways that balance...
Detecting Credit Card Skimmers
Interesting research paper: "Fear the Reaper: Characterization and Fast Detection of Card Skimmers": Abstract: Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices includin...
Cheating in Bird Racing
I've previously written about people cheating in marathon racing by driving -- or otherwise getting near the end of the race by faster means than running. In China, two people were convicted of cheating in a pigeon race: The essence of the plan involved training the pigeons to believe they had tw...
John Mueller and Mark Stewart on the Risks of Terrorism
Another excellent paper by the Mueller/Stewart team: "Terrorism and Bathtubs: Comparing and Assessing the Risks": Abstract: The likelihood that anyone outside a war zone will be killed by an Islamist extremist terrorist is extremely small. In the United States, for example, some six people have...
1Password's Travel Mode
The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every ite...
Hijacking Emergency Sirens
Turns out it's easy to hijack emergency sirens with a radio transmitter...
DARPA Funding in AI-Assisted Cybersecurity
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS Computers and Humans Exploring Software Security, and they're holding a proposers day in a week and a half. This is the kind of thing that can dramatically change the...
Israeli Security Attacks AMD by Publishing Zero-Day Exploits
Last week, the Israeli security company CTS Labs published a series of exploits against AMD chips. The publication came with the flashy website, detailed whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from these sorts of things...
Two New Papers on the Encryption Debate
Seems like everyone is writing about encryption and backdoors this season. "Policy Approaches to the Encryption Debate," R Street Policy Study 133, by Charles Duan, Arthur Rizer, Zach Graves and Mike Godwin. "Encryption Policy in Democratic Regimes," East West Institute. I recently blogged about...
Internet Security Threats at the Olympics
There are a lot: The cybersecurity company McAfee recently uncovered a cyber operation, dubbed Operation GoldDragon, attacking South Korean organizations related to the Winter Olympics. McAfee believes the attack came from a nation state that speaks Korean, although it has no definitive proof tha...