2981 matches found
Amazon Delivery Drivers Hacking Scheduling System
Amazon drivers -- all gig workers who dont work for the company -- are hanging cell phones in trees near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are: The phones in trees seem to serve as master devices that dispatch routes to multiple...
2017 Tesla Hack
Interesting story of a class break against the entire Tesla fleet...
Seny Kamara on "Crypto for the People"
Seny Kamara gave an excellent keynote talk this year at the online CRYPTO Conference. He talked about solving real-world crypto problems for marginalized communities around the world, instead of crypto problems for governments and corporations. Well worth watching and listening to...
Smart Lock Vulnerability
Yet another Internet-connected door lock is insecure: Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code." Users can share temporary...
Update on NIST's Post-Quantum Cryptography Program
NIST has posted an update on their post-quantum cryptography program: After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, the National Institute of Standards and Technology NIST has winnowed the 69...
NSA on Securing VPNs
The NSA's Central Security Service -- that's the part that's supposed to work on defense -- has released two documents a full and an abridged version on securing virtual private networks. Some of it is basic, but it contains good information. Maintaining a secure VPN tunnel can be complex and...
Analyzing IoT Security Best Practices
New research: "Best Practices for IoT Security: What Does That Even Mean?" by Christopher Bellman and Paul C. van Oorschot: Abstract: Best practices for Internet of Things IoT security have recently attracted considerable attention worldwide from industry and governments, while academic research...
Eavesdropping on Sound Using Variations in Light Bulbs
New research is able to recover sound waves in a room by observing minute changes in the room's light bulbs. This technique works from a distance, even from a building across the street through a window. Details: In an experiment using three different telescopes with different lens diameters from...
Defending Democracies Against Information Attacks
To better understand influence attacks, we proposed an approach that models democracy itself as an information system and explains how democracies are vulnerable to certain forms of information attacks that autocracies naturally resist. Our model combines ideas from both international security an...
A "Department of Cybersecurity"
Presidential candidate John Delaney has announced a plan to create a Department of Cybersecurity. I have long been in favor of a new federal agency to deal with Internet -- and especially Internet of Things -- security. The devil is in the details, of course, and it's really easy to get this wron...
Installing a Credit Card Skimmer on a POS Terminal
Watch how someone installs a credit card skimmer in just a couple of seconds. I don't know if the skimmer just records the data and is collected later, or if it transmits the data back to some base station...
IoT Cybersecurity: What's Plan B?
In August, four US Senators introduced a bill designed to improve Internet of Things IoT security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any...
New KRACK Attack Against Wi-Fi Encryption
Mathy Vanhoef has just published a devastating attack against WPA2, the 14-year-old encryption protocol used by pretty much all wi-fi systems. Its an interesting attack, where the attacker forces the protocol to reuse a key. The authors call this attack KRACK, for Key Reinstallation Attacks This ...
CIA Exploits Against Wireless Routers
WikiLeaks has published CherryBlossom, the CIA's program to hack into wireless routers. The program is about a decade old. Four good news articles. Five. And a list of vulnerable routers...
Is Continuing to Patch Windows XP a Mistake?
Last week, Microsoft issued a security patch for Windows XP, a 16-year-old operating system that Microsoft officially no longer supports. Last month, Microsoft issued a Windows XP patch for the vulnerability used in WannaCry. Is this a good idea? This 2014 essay argues that it's not: The zero-day...
Extending the Airplane Laptop Ban
The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent...
Securing Elections
Technology can do a lot more to make our elections more secure and reliable, and to ensure that participation in the democratic process is available to all. There are three parts to this process. First, the voter registration process can be improved. The whole process can be streamlined. People...
Friday Squid Blogging: Squid Communications
In the oval squid Sepioteuthis lessoniana, males use body patterns to communicate with both females and other males: To gain insight into the visual communication associated with each behavior in terms of the body patterning's key components, the co-expression frequencies of two or more component...
Friday Squid Blogging: Video of Squid Attacking Another Squid
Wow, is this cool. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Factoring RSA Keys with Many Zeros
Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of...
The FCC Wants to Eliminate Burner Phones
A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person. The FCC plans to do this by legally forcing the country's telecoms to store a wealth of personal information about essentially all phone customers, including a government issued...
Zero-Day Exploit Against Windows BitLocker
It's nasty, but it requires physical access to the computer: The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft...
OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities
The UK's AI Security Institute evaluated GPT-5.5's ability to find security vulnerabilities, and found that it is comparable to Claude Mythos. Note that the OpenAI model is generally available. Here is the Institute's evaluation of Mythos. And here is an analysis of a smaller, cheaper model. It...
Full-Face Masks to Frustrate Identification
This is going to be interesting. It's a video of someone trying on a variety of printed full-face masks. They won't fool anyone for long, but will survive casual scrutiny. And they're cheap and easy to swap...
AI and the Indian Election
As India concluded the worlds largest election on June 5, 2024, with over 640 million votes counted, observers could assess how the various parties and factions used artificial intelligence technologies--and what lessons that holds for the rest of the world. The campaigns made extensive use of AI...
Friday Squid Blogging: Squid Mating Strategies
Some squids are "consorts," others are "sneakers." The species is healthiest when individuals have different strategies randomly. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New Lattice Cryptanalytic Technique
A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems. A few things to note. One, this paper has not yet been peer...
Hardware Vulnerability in Apple’s M-Series Chips
Its yet another hardware side-channel attack: The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s...
Google Pays $10M in Bug Bounties in 2023
BleepingComputer has the details. Its $2M less than in 2022, but its still a lot. The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the programs launch in 2010 has reached $59 million. For Android, the worlds most popular and widely used mobile...
The Story of the Mirai Botnet
Over at Wired, Andy Greenberg has an excellent story about the creators of the 2016 Mirai botnet...
Friday Squid Blogging: Sqids
Theyre short unique strings: Sqids pronounced "squids" is an open-source library that lets you generate YouTube-looking IDs from numbers. These IDs are short, can be generated from a custom alphabet and are guaranteed to be collision-free. I havent dug into the details enough to know how they can...
AI Is Scarily Good at Guessing the Location of Random Photos
Wow: To test PIGEONs performance, I gave it five personal photos from a trip I took across America years ago, none of which have been published online. Some photos were snapped in cities, but a few were taken in places nowhere near roads or other easily recognizable landmarks. That didnt seem to...
New SSH Vulnerability
This is interesting: For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being...
How .tk Became a TLD for Scammers
Sad story of Tokelau, and how its top-level domain "became the unwitting host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users. Scammers began using .tk websites to do everything from harvesting passwords and payment...
Friday Squid Blogging: The History and Morality of US Squid Consumption
Really interesting article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Cisco Can’t Stop Using Hard-Coded Passwords
Theres a new Cisco vulnerability in its Emergency Responder product: This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an...
Google Reportedly Disconnecting Employees from the Internet
Supposedly Google is starting a pilot program of disabling Internet connectivity from employee computers: The company will disable internet access on the select desktops, with the exception of internal web-based tools and Google-owned websites like Google Drive and Gmail. Some workers who need th...
Kevin Mitnick Died
Obituary...
Using the iPhone Recovery Key to Lock Owners Out of Their iPhones
This a good example of a security feature that can sometimes harm security: Apple introduced the optional recovery key in 2020 to protect users from online hackers. Users who turn on the recovery key, a unique 28-digit code, must provide it when they want to reset their Apple ID password. iPhone...
Car Thieves Hacking the CAN Bus
Car thieves are injecting malicious software into a cars network through wires in the headlights or taillights that fool the car into believing that the electronic key is nearby. News articles...
Exploding USB Sticks
In case you dont have enough to worry about, people are hiding explosives--actual ones--in USB sticks: In the port city of Guayaquil, journalist Lenin Artieda of the Ecuavisa private TV station received an envelope containing a pen drive which exploded when he inserted it into a computer, his...
Prompt Injection Attacks on Large Language Models
This is a good survey on prompt injection attacks on large language models like ChatGPT. Abstract: We are currently witnessing dramatic advances in the capabilities of Large Language Models LLMs. They are already being adopted in practice and integrated into many systems, including integrated...
A Device to Turn Traffic Lights Green
Heres a story about a hacker who reprogrammed a device called "Flipper Zero" to mimic Opticom transmitters--to turn traffic lights in his path green. As mentioned earlier, the Flipper Zero has a built-in sub-GHz radio that lets the device receive data or transmit it, with the right firmware in...
A Hacker’s Mind Is Now Published
Tuesday was the official publication date of A Hackers Mind: How the Powerful Bend Societys Rules, and How to Bend them Back. It broke into the 2000s on the Amazon best-seller list. Reviews in the New York Times, Cory Doctorows blog, Science, and the Associated Press. I wrote essays related to th...
Friday Squid Blogging: Squid-Inspired Hydrogel
Scientists have created a hydrogel "using squid mantle and creative chemistry." As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Kevin Mitnick Hacked California Law in 1983
Early in his career, Kevin Mitnick successfully hacked California law. He told me the story when he heard about my new book, which he partially recounts his 2012 book, Ghost in the Wires. The setup is that he just discovered that theres warrant for his arrest by the California Youth Authority, an...
Friday Squid Blogging: Another Giant Squid Captured on Video
Heres a new video of a giant squid, filmed in the Sea of Japan. I believe its injured. Its so close to the surface, and not really moving very much. "We didnt see the kinds of agile movements that many fish and marine creatures normally show," he said. "Its tentacles and fins were moving very...
QR Code Scam
An enterprising individual made fake parking tickets with a QR code for easy payment...
Man-in-the-Middle Phishing Attack
Heres a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the...
Friday Squid Blogging: SQUID Acronym for Making Conscious Choices
I think the U is forced: SQUID consists of five steps: Stop, Question, Understand, Imagine, and Decide. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...