2981 matches found
More on NIST's Post-Quantum Cryptography
Back in July, NIST selected third-round algorithms for its post-quantum cryptography standard. Recently, Daniel Apon of NIST gave a talk detailing the selection criteria. Interesting stuff. NOTE: We're in the process of moving this blog to Wordpress. Comments will be disabled until the move it...
Survey of Supply Chain Attacks
The Atlantic Council has a released a report that looks at the history of computer supply chain attacks. Key trends from their summary: 1. Deep Impact from State Actors: There were at least 27 different state attacks against the software supply chain including from Russia, China, North Korea, and...
Theft of CIA's "Vault Seven" Hacking Tools Due to Its Own Lousy Security
The Washington Post is reporting on an internal CIA report about its "Vault 7" security breach: The breach -- allegedly committed by a CIA employee -- was discovered a year after it happened, when the information was published by WikiLeaks, in March 2017. The anti-secrecy group dubbed the release...
Examining the US Cyber Budget
Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack. To its credit, this budget does reveal an overall growth in cybersecurity funding of about 5...
Friday Squid Blogging: Human Cells with Squid-Like Transparency
I think we need more human organs with squid-like features. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Availability Attacks against Neural Networks
New research on using specially crafted inputs to slow down machine-learning neural network systems: Sponge Examples: Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN to burn more energy, take more time, or both. They affect a wide range of DNN...
Used Tesla Components Contain Personal Information
Used Tesla components, sold on eBay, still contain personal information, even after a factory reset. This is a decades-old problem. It's a problem with used hard drives. It's a problem with used photocopiers and printers. It will be a problem with IoT devices. It'll be a problem with everything,...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm being interviewed on "Hacking in the Public Interest" as part of the Black Hat Webcast Series, on Thursday, April 16, 2020 at 2:00 PM EDT. The list is maintained on this page...
Five-Eyes Intelligence Services Choose Surveillance Over Security
The Five Eyes -- the intelligence consortium of the rich English-speaking countries the US, Canada, the UK, Australia, and New Zealand -- have issued a "Statement of Principles on Access to Evidence and Encryption" where they claim their needs for surveillance outweigh everyone's needs for securi...
Backdoors in Cisco Routers
We don't know if this is error or deliberate action, but five backdoors have been discovered already this year...
Securing Elections
Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems ar...
Dan Geer on the Dangers of Computer-Only Systems
A good warning, delivered in classic Dan Geer style...
Vulnerability in Amazon Key
Amazon Key is an IoT door lock that can enable one-time access codes for delivery people. To further secure that system, Amazon sells Cloud Cam, a camera that watches the door to ensure that delivery people don't abuse their one-time access privilege. Cloud Cam has been hacked: But now security...
The Secret Code of Beatrix Potter
Interesting: As codes go, Potter's wasn't inordinately complicated. As Wiltshire explains, it was a "mono-alphabetic substitution cipher code," in which each letter of the alphabet was replaced by a symbol -- the kind of thing they teach you in Cub Scouts. The real trouble was Potter's own fluen...
CIA's Pandemic Toolkit
WikiLeaks is still dumping CIA cyberweapons on the Internet. Its latest dump is something called "Pandemic": The Pandemic leak does not explain what the CIA's initial infection vector is, but does describe it as a persistent implant. "As the name suggests, a single computer on a local network wit...
Friday Squid Blogging: Squid and Chips
The excellent Montreal chef Marc-Olivier Frappier, of Joe Beef fame, has created a squid and chips dish for Brit & Chips restaurant. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
North Korean Cyberwar Capabilities
Reuters has an article on North Korea's cyberwar capabilities, specifically "Unit 180." They're still not in the same league as the US, UK, Russia, China, and Israel. But they're getting better...
The NSA Has a Long-Lost Lecture by Adm. Grace Hopper
The NSA has a video recording of a 1982 lecture by Adm. Grace Hopper titled "Future Possibilities: Data, Hardware, Software, and People." The agency is so far refusing to release it. Basically, the recording is in an obscure video format. People at the NSA cant easily watch it, so they cant redac...
FBI Seizes BreachForums Website
The FBI has seized the BreachForums website, used by ransomware criminals to leak stolen corporate data. If law enforcement has gained access to the hacking forums backend data, as they claim, they would have email addresses, IP addresses, and private messages that could expose members and be use...
LLMs’ Data-Control Path Insecurity
Back in the 1960s, if you played a 2,600Hz tone into an AT&T pay phone, you could make calls without paying. A phone hacker named John Draper noticed that the plastic whistle that came free in a box of Captain Crunch cereal worked to make the right sound. That became his hacker name, and everyone...
Declassified NSA Newsletters
Through a 2010 FOIA request yes, it took that long, we have copies of the NSAs KRYPTOS Society Newsletter, "Tales of the Krypt," from 1994 to 2003. There are many interesting things in the 800 pages of newsletter. There are many redactions. And a 1994 review of Applied Cryptography by redacted:...
PIN-Stealing Android Malware
This is an old piece of malware--the Chameleon Android banking Trojan--that now disables biometric authentication in order to steal the PIN: The second notable new feature is the ability to interrupt biometric operations on the device, like fingerprint and face unlock, by using the Accessibility...
Google Stops Collecting Location Data from Maps
Google Maps now stores location data locally on your device, meaning that Google no longer has that data to turn over to the police...
Decoupling for Security
This is an excerpt from a longer paper. You can read the whole thing complete with sidebars and illustrations here. Our message is simple: it is possible to get the best of both worlds. We can and should get the benefits of the cloud while taking security back into our own hands. Here we outline ...
Former Uber CISO Appealing His Conviction
Joe Sullivan, Ubers CEO during their 2016 data breach, is appealing his conviction. Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, of withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the companys data security a...
Friday Squid Blogging: On Squid Intelligence
Article about squid intelligence. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Deepfake Election Interference in Slovakia
Well designed and well timed deepfake or two Slovakian politicians discussing how to rig the election: Šimečka and Denník N immediately denounced the audio as fake. The fact-checking department of news agency AFP said the audio showed signs of being manipulated using AI. But the recording was...
The Hacker Tool to Get Personal Data from Credit Bureaus
The new site 404 Media has a good article on how hackers are cheaply getting personal information from credit bureaus: This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the targets credit header. This is...
Hacking Food Labeling Laws
This article talks about new Mexican laws about food labeling, and the lengths to which food manufacturers are going to ensure that they are not effective. There are the typical high-pressure lobbying tactics and lawsuits. But theres also examples of companies hacking the laws: Companies like...
Friday Squid Blogging: 2023 Squid Oil Global Market Report
I had no idea that squid contain sufficient oil to be worth extracting. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
LLMs and Phishing
Heres an experiment being run by undergraduate computer science students everywhere: Ask ChatGPT to generate phishing emails, and test whether these are better at persuading victims to respond or click on the link than the usual spam. Its an interesting experiment, and the results are likely to...
Friday Squid Blogging: Squid Processing Facility
This video of a modern large squid processing ship is a bit gory, but also interesting. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Identifying People Using Cell Phone Location Data
The two people who shut down four Washington power stations in December were arrested. This is the interesting part: Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four...
Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid
At a GMC plant. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Computer Repair Technicians Are Stealing Your Data
Laptop technicians routinely violate the privacy of the people whose computers they repair: Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations ha...
Regulating DAOs
In August, the US Treasurys Office of Foreign Assets Control OFAC sanctioned the cryptocurrency platform Tornado Cash, a virtual currency "mixer" designed to make it harder to trace cryptocurrency transactions--and a worldwide favorite money-laundering platform. Americans are now forbidden from...
Friday Squid Blogging: New Squid Species
Seems like they are being discovered all the time: In the past, the DEEPEND crew has discovered three new species of Bathyteuthids, a type of squid that lives in depths between 700 and 2,000 meters. The findings were validated and published in 2020. Another new squid species description is...
Hackers Using Fake Police Data Requests against Tech Companies
Brian Krebs has a detailed post about hackers using fake police data requests to trick companies into handing over data. Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as...
Developer Sabotages Open-Source Software Package
This is a big deal: A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software. The applicatio...
Friday Squid Blogging: Are Squid from Another Planet?
An actually serious scientific journal has published a paper speculating that octopus and squid could be of extraterrestrial origin. News article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Hardening Your VPN
The NSA and CISA have released a document on how to harden your VPN...
Zero-Click iMessage Exploit
Citizen Lab released a report on a zero-click iMessage exploit that is used in NSO Groups Pegasus spyware. Apple patched the vulnerability; everyone needs to update their OS immediately. News articles on the exploit...
On US Capitol Security — By Someone Who Manages Arena-Rock-Concert Security
Smart commentary: …I was floored on Wednesday when, glued to my television, I saw police in some areas of the U.S. Capitol using little more than those same mobile gates I had the ones that look like bike racks that can hook together to try to keep the crowds away from sensitive areas and,...
Michael Ellis as NSA General Counsel
Over at Lawfare, Susan Hennessey has an excellent primer on how Trump loyalist Michael Ellis got to be the NSA General Counsel, over the objections of NSA Director Paul Nakasone, and what Biden can and should do about it. While important details remain unclear, media accounts include numerous...
2020 Was a Secure Election
Over at Lawfare: "2020 Is An Election Security Success Story So Far." What’s more, the voting itself was remarkably smooth. It was only a few months ago that professionals and analysts who monitor election administration were alarmed at how badly unprepared the country was for voting during a...
The Legal Risks of Security Research
Sunoo Park and Kendra Albert have published "A Researcher’s Guide to Some Legal Risks of Security Research." From a summary: Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions DMCA §1201, electronic privacy law ECPA, and cryptography export...
New Privacy Features in iOS 14
A good rundown...
Detecting Deep Fakes with a Heartbeat
Researchers can detect deep fakes because they dont convincingly mimic human blood circulation in the face: In particular, video of a persons face contains subtle shifts in color that result from pulses in blood circulation. You might imagine that these changes would be too minute to detect merel...
Amazon Delivery Drivers Hacking Scheduling System
Amazon drivers -- all gig workers who dont work for the company -- are hanging cell phones in trees near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are: The phones in trees seem to serve as master devices that dispatch routes to multiple...
2017 Tesla Hack
Interesting story of a class break against the entire Tesla fleet...