2978 matches found
Enigma Machine for Sale
A four-rotor Enigma machine -- with rotors -- is up for auction...
Analyzing IoT Security Best Practices
New research: "Best Practices for IoT Security: What Does That Even Mean?" by Christopher Bellman and Paul C. van Oorschot: Abstract: Best practices for Internet of Things IoT security have recently attracted considerable attention worldwide from industry and governments, while academic research...
Eavesdropping on Sound Using Variations in Light Bulbs
New research is able to recover sound waves in a room by observing minute changes in the room's light bulbs. This technique works from a distance, even from a building across the street through a window. Details: In an experiment using three different telescopes with different lens diameters from...
Using In-Game Purchases to Launder Money
Evidence that stolen credit cards are being used to purchase items in games like Clash of Clans, which are then resold for cash...
Installing a Credit Card Skimmer on a POS Terminal
Watch how someone installs a credit card skimmer in just a couple of seconds. I don't know if the skimmer just records the data and is collected later, or if it transmits the data back to some base station...
An Example of Deterrence in Cyberspace
In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US. I have two citations for this. The first is from the book Russian Roulette: The Inside Story of Putin's War on America and the Election of Donald Trump, by Michae...
IoT Cybersecurity: What's Plan B?
In August, four US Senators introduced a bill designed to improve Internet of Things IoT security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any...
New KRACK Attack Against Wi-Fi Encryption
Mathy Vanhoef has just published a devastating attack against WPA2, the 14-year-old encryption protocol used by pretty much all wi-fi systems. Its an interesting attack, where the attacker forces the protocol to reuse a key. The authors call this attack KRACK, for Key Reinstallation Attacks This ...
Ceramic Knife Used in Israel Stabbing
I have no comment on the politics of this stabbing attack, and only note that the attacker used a ceramic knife -- that will go through metal detectors. I have used a ceramic knife in the kitchen. It's sharp. EDITED TO ADD 6/22: It looks like the knife had nothing to do with the attack discussed ...
Millennials and Secret Leaking
I hesitate to blog this, because it's an example of everything that's wrong with pop psychology. Malcolm Harris writes about millennials, and has a theory of why millennials leak secrets. My guess is that you could write a similar essay about every named generation, every age group, and so on...
Spear Phishing Attacks
Really interesting research: "Unpacking Spear Phishing Susceptibility," by Zinaida Benenson, Freya Gassmann, and Robert Landwirth. Abstract: We report the results of a field experiment where we sent to over 1200 university students an email or a Facebook message with a link to non-existing party...
Extending the Airplane Laptop Ban
The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent...
Securing Elections
Technology can do a lot more to make our elections more secure and reliable, and to ensure that participation in the democratic process is available to all. There are three parts to this process. First, the voter registration process can be improved. The whole process can be streamlined. People...
Friday Squid Blogging: Squid Communications
In the oval squid Sepioteuthis lessoniana, males use body patterns to communicate with both females and other males: To gain insight into the visual communication associated with each behavior in terms of the body patterning's key components, the co-expression frequencies of two or more component...
Friday Squid Blogging: Video of Squid Attacking Another Squid
Wow, is this cool. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Zero-Day Exploit Against Windows BitLocker
It's nasty, but it requires physical access to the computer: The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft...
Secret Service Tracking People’s Locations without Warrant
This feels important: The Secret Service has used a technology called Locate X which uses location data harvested from ordinary apps installed on phones. Because users agreed to an opaque terms of service page, the Secret Service believes it doesn't need a warrant...
AI and the Indian Election
As India concluded the worlds largest election on June 5, 2024, with over 640 million votes counted, observers could assess how the various parties and factions used artificial intelligence technologies--and what lessons that holds for the rest of the world. The campaigns made extensive use of AI...
Privacy Implications of Tracking Wireless Access Points
Brian Krebs reports on research into geolocating routers: Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geolocate devices. Researchers from the University of...
The Rise of Large-Language-Model Optimization
The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is comin...
Class-Action Lawsuit against Google’s Incognito Mode
The lawsuit has been settled: Google has agreed to delete "billions of data records" the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit file...
Google Pays $10M in Bug Bounties in 2023
BleepingComputer has the details. Its $2M less than in 2022, but its still a lot. The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the programs launch in 2010 has reached $59 million. For Android, the worlds most popular and widely used mobile...
A Taxonomy of Prompt Injection Attacks
Researchers ran a global prompt hacking competition, and have documented the results in a paper that both gives a lot of good examples and tries to organize a taxonomy of effective prompt injection strategies. It seems as if the most common successful strategy is the "compound instruction attack,...
AI Bots on X (Twitter)
You can find them by searching for OpenAI chatbot warning messages, like: "Im sorry, I cannot provide a response as it goes against OpenAIs use case policy." I hadnt thought about this before: identifying bots by searching for distinctive bot phrases...
The Story of the Mirai Botnet
Over at Wired, Andy Greenberg has an excellent story about the creators of the 2016 Mirai botnet...
AI Is Scarily Good at Guessing the Location of Random Photos
Wow: To test PIGEONs performance, I gave it five personal photos from a trip I took across America years ago, none of which have been published online. Some photos were snapped in cities, but a few were taken in places nowhere near roads or other easily recognizable landmarks. That didnt seem to...
AI and Lossy Bottlenecks
Artificial intelligence is poised to upend much of society, removing human limitations inherent in many systems. One such limitation is information and logistical bottlenecks in decision-making. Traditionally, people have been forced to reduce complex choices to a small handful of options that do...
New iPhone Security Features to Protect Stolen Devices
Apple is rolling out a new "Stolen Device Protection" feature that seems well thought out: When Stolen Device Protection is turned on, Face ID or Touch ID authentication is required for additional actions, including viewing passwords or passkeys stored in iCloud Keychain, applying for a new Apple...
LitterDrifter USB Worm
A new worm that spreads via USB sticks is infecting computers in Ukraine and beyond. The group--known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm--has been active since at least 2014 and has been attributed to Russia’s Federal Security Service by the...
Using Generative AI for Surveillance
Generative AI is going to be a powerful tool for data analysis and summarization. Heres an example of it being used for sentiment analysis. My guess is that it isnt very good yet, but that it will get better...
Messaging Service Wiretap Discovered through Expired TLS Cert
Fascinating story of a covert wiretap that was discovered because of an expired TLS certificate: The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired...
On Technologies for Automatic Facial Recognition
Interesting article on technologies that will automatically identify people: With technology like that on Mr. Leyvands head, Facebook could prevent users from ever forgetting a colleagues name, give a reminder at a cocktail party that an acquaintance had kids to ask about or help find someone at ...
Friday Squid Blogging: We’re Genetically Engineering Squid Now
Is this a good idea? The transparent squid is a genetically altered version of the hummingbird bobtail squid, a species usually found in the tropical waters from Indonesia to China and Japan. Its typically smaller than a thumb and shaped like a dumpling. And like other cephalopods, it has a...
Parmesan Anti-Forgery Protection
The Guardian is reporting about microchips in wheels of Parmesan cheese as an anti-forgery measure...
December’s Reimagining Democracy Workshop
Imagine that weve all--all of us, all of society--landed on some alien planet, and we have to form a government: clean slate. We dont have any legacy systems from the US or any other country. We dont have any special or unique interests to perturb our thinking. How would we govern ourselves? Its...
Hacking the Layoff Process
My latest book, A Hackers Mind, is filled with stories about the rich and powerful hacking systems, but it was hard to find stories of the hacking by the less powerful. Heres one I just found. An article on how layoffs at big companies work inadvertently suggests an employee hack to avoid being...
New Zero-Click Exploits against iOS
Citizen Lab has identified three zero-click exploits against iOS 15 and 16. These were used by NSO Groups Pegasus spyware in 2022, and deployed by Mexico against human rights defenders. These vulnerabilities have all been patched. One interesting bit is that Apples Lockdown Mode part of iOS 16...
Using LLMs to Create Bioweapons
Im not sure there are good ways to build guardrails to prevent this sort of thing: There is growing concern regarding the potential misuse of molecular machine learning models for harmful purposes. Specifically, the dual-use application of models for predicting cytotoxicity18 to create new poison...
A Hacker’s Mind News
A Hackers Mind will be published on Tuesday. I have done a written interview and a podcast interview about the book. Its been chosen as a "February 2023 Must-Read Book" by the Next Big Idea Club. And an "Editors Pick"--whatever that means--on Amazon. There have been three reviews so far. I am...
Ransomware Payments Are Down
Chainalysis reports that worldwide ransomware payments were down in 2022. Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before. As always, we have to caveat these findings by noting that the true totals are much higher, as there are...
Friday Squid Blogging: Squid-Inspired Hydrogel
Scientists have created a hydrogel "using squid mantle and creative chemistry." As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
AI and Political Lobbying
Launched just weeks ago, ChatGPT is already threatening to upend how we draft everyday communications like emails, college essays and myriad other forms of writing. Created by the company OpenAI, ChatGPT is a chatbot that can automatically respond to written prompts in a manner that is sometimes...
Friday Squid Blogging: China Bans Taiwanese Squid Imports
Today I have some squid geopolitical news. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Cold War Bugging of Soviet Facilities
Found documents in Poland detail US spying operations against the former Soviet Union. The file details a number of bugs found at Soviet diplomatic facilities in Washington, D.C., New York, and San Francisco, as well as in a Russian government-owned vacation compound, apartments used by Russia...
Security and Cheap Complexity
Ive been saying that complexity is the worst enemy of security for a long time now. Heres me in 1999. And its been true for a long time. In 2018, Thomas Dullien of Googles Project Zero talked about "cheap complexity." Andrew Appel summarizes: The anomaly of cheap complexity. For most of human...
$23 Million YouTube Royalties Scam
Scammers were able to convince YouTube that other peoples music was their own. They successfully stole $23 million before they were caught. No one knows how common this scam is, and how much money total is being stolen in this way. Presumably this is not an uncommon fraud. While the size of the...
Cryptanalysis of ENCSecurity’s Encryption Implementation
ENCSecurity markets a file encryption system, and its used by SanDisk, Sony, Lexar, and probably others. Despite it using AES as its algorithm, its implementation is flawed in multiple ways--and breakable. The moral is, as it always is, that implementing cryptography securely is hard. Dont roll...
Me on Public-Interest Tech
Back in November 2020, in the middle of the COVID-19 pandemic, I gave a virtual talk at the International Symposium on Technology and Society: "The Story of the Internet and How it Broke Bad: A Call for Public-Interest Technologists." It was something I was really proud of, and its finally up on...
The Onion on Google Map Surveillance
"Google Maps Adds Shortcuts through Houses of People Google Knows Arent Home Right Now." Excellent satire...
Bluetooth Flaw Allows Remote Unlocking of Digital Locks
Locks that use Bluetooth Low Energy to authenticate keys are vulnerable to remote unlocking. The research focused on Teslas, but the exploit is generalizable. In a video shared with Reuters, NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device...