2980 matches found
The AI Dividend
For four decades, Alaskans have opened their mailboxes to find checks waiting for them, their cut of the black gold beneath their feet. This is Alaskas Permanent Fund, funded by the states oil revenues and paid to every Alaskan each year. Were now in a different sort of resource rush, with...
Belgian Tax Hack
Heres a fascinating tax hack from Belgium listen to the details here, episode 484 of "No Such Thing as a Fish," at 28:00. Basically, its about a music festival on the border between Belgium and Holland. The stage was in Holland, but the crowd was in Belgium. When the copyright collector came...
Bypassing a Theft Threat Model
Thieves cut through the wall of a coffee shop to get to an Apple store, bypassing the alarms in the process. I wrote about this kind of thing in 2000, in Secrets and Lies page 318: My favorite example is a band of California art thieves that would break into peoples houses by cutting a hole in...
FBI Advising People to Avoid Public Charging Stations
The FBI is warning people against using public phone-charging stations, worrying that the combination power-data port can be used to inject malware onto the devices: Avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB por...
US Citizen Hacked by Spyware
The New York Times is reporting that a US citizens phone was hacked by the Predator spyware. A U.S. and Greek national who worked on Meta’s security and trust team while based in Greece was placed under a yearlong wiretap by the Greek national intelligence service and hacked with a powerful...
Friday Squid Blogging: Thermal Batteries from Squid Proteins
Researchers are making thermal batteries from "a synthetic material thats derived from squid ring teeth protein." As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Hacked Cellebrite and MSAB Software Released
Cellebrite is an cyberweapons arms manufacturer that sells smartphone forensic software to governments around the world. MSAB is a Swedish company that does the same thing. Someone has released software and documentation from both companies...
Existential Risk and the Fermi Paradox
We know that complexity is the worst enemy of security, because it makes attack easier and defense harder. This becomes catastrophic as the effects of that attack become greater. In A Hackers Mind coming in February 2023, I write: Our societal systems, in general, may have grown fairer and more...
Weird Fallout from Peiter Zatko’s Twitter Whistleblowing
People are trying to dig up dirt on Peiter Zatko, better known as Mudge. For the record, I have not been contacted. Im not sure if I should feel slighted...
Friday Squid Blogging: 14-foot Giant Squid Washes Ashore in Cape Town
Its an Architeuthis dux, the second this year. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
New UFEI Rootkit
Kaspersky is reporting on a new UFEI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article: The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that...
NSO Group’s Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders
Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details: Key Findings We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy. We forensically confirmed that at least 30 individua...
NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
NISTs post-quantum computing cryptography standard process is entering its final phases. It announced the first four algorithms: For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption key...
Ecuador’s Attempt to Resettle Edward Snowden
Someone hacked the Ecuadorian embassy in Moscow and found a document related to Ecuadors 2013 efforts to bring Edward Snowden there. If you remember, Snowden was traveling from Hong Kong to somewhere when the US revoked his passport, stranding him in Russia. In the document, Ecuador asks Russia t...
Twitter Used Two-Factor Login Details for Ad Targeting
Twitter was fined $150 million for using phone numbers and email addresses collected for two-factor authentication for ad targeting...
Manipulating Machine-Learning Systems through the Order of the Training Data
Yet another adversarial ML attack: Most deep neural networks are trained by stochastic gradient descent. Now “stochastic” is a fancy Greek word for “random”; it means that the training data are fed into the model in random order. So what happens if the bad guys can cause the order to be not rando...
iPhone Malware that Operates Even When the Phone Is Turned Off
Researchers have demonstrated iPhone malware that works even when the phone is fully shut down. t turns out that the iPhone’s Bluetooth chip--which is key to making features like Find My work--has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s...
Vulnerability in Stalkerware Apps
TechCrunch is reporting -- but not describing in detail -- a vulnerability in a series of stalkerware apps that exposes personal information of the victims. The vulnerability isnt in the apps installed on the victims phones, but in the website the stalker goes to view the information the app...
Friday Squid Blogging: Squid Videos
Here are six beautiful squid videos. I know nothing more about them. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. EDITED TO ADD 2/25: This post accidentally went live on Wednesday, two days...
Bypassing Apple’s AirTag Security
A Berlin-based company has developed an AirTag clone that bypasses Apples anti-stalker security systems. Source code for these AirTag clones is available online. So now we have several problems with the system. Apples anti-stalker security only works with iPhones. Apple wrote an Android app that...
Friday Squid Blogging: South American Squid Stocks Threatened by Chinese Fishing
Theres a lot of fishing going on: The number of Chinese-flagged vessels in the south Pacific has surged 13-fold from 54 active vessels in 2009 to 707 in 2020, according to the SPRFMO. Meanwhile, the size of Chinas squid catch has grown from 70,000 tons in 2009 to 358,000. As usual, you can also u...
On the Irish Health Services Executive Hack
A detailed report of the 2021 ransomware attack against Ireland’s Health Services Executive lists some really bad security practices: The report notes that: The HSE did not have a Chief Information Security Officer CISO or a “single responsible owner for cybersecurity at either senior executive o...
Bunnie Huang’s Plausibly Deniable Database
Bunnie Huang has created a Plausibly Deniable Database. Most security schemes facilitate the coercive processes of an attacker because they disclose metadata about the secret data, such as the name and size of encrypted files. This allows specific and enforceable demands to be made: “Give us the...
Breaking 256-bit Elliptic Curve Encryption with a Quantum Computer
Researchers have calculated the quantum computer size necessary to break 256-bit elliptic curve public-key cryptography: Finally, we calculate the number of physical qubits required to break the 256-bit elliptic curve encryption of keys in the Bitcoin network within the small available time frame...
Book Sale: Click Here to Kill Everybody and Data and Goliath
For a limited time, I am selling signed copies of Click Here to Kill Everybody and Data and Goliath, both in paperback, for just $6 each plus shipping. I have 500 copies of each book available. When theyre gone, the sale is over and the price will revert to normal. Order here and here. Please be...
Ransomware Attacks against Water Treatment Plants
According to a report from CISA last week, there were three ransomware attacks against water treatment plants last year. WWS Sector cyber intrusions from 2019 to early 2021 include: In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The...
Security Risks of Client-Side Scanning
Even before Apple made its announcement, law enforcement shifted their battle for backdoors to client-side scanning. The idea is that they wouldnt touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. Its not a cryptographic backdoor, b...
FBI Had the REvil Decryption Key
The Washington Post reports that the FBI had a decryption key for the REvil ransomware, but didnt pass it along to victims because it would have disrupted an ongoing operation. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying i...
Lightning Cable with Embedded Eavesdropping
Normal-looking cables USB-C, Lightning, and so on that exfiltrate data over a wireless network. I blogged about a previous prototype here...
California Proposition 24 Passes
Californias Proposition 24, aimed at improving the California Consumer Privacy Act, passed this week. Analyses are very mixed. I was very mixed on the proposition, but on the whole I supported it. The proposition has some serious flaws, and was watered down by industry, but voting for privacy fee...
Tracking Users on Waze
A security researcher discovered a wulnerability in Waze that breaks the anonymity of users: I found out that I can visit Waze from any web browser at waze.com/livemap so I decided to check how are those driver icons implemented. What I found is that I can ask Waze API for data on a location by...
Using Disinformation to Cause a Blackout
Interesting paper: "How weaponizing disinformation can bring down a city's power grid": Abstract: Social media has made it possible to manipulate the masses via disinformation and fake news at an unprecedented scale. This is particularly alarming from a security perspective, as humans have proven...
Hacking a Power Supply
This hack targets the firmware on modern power supplies. Yes, power supplies are also computers. Normally, when a phone is connected to a power brick with support for fast charging, the phone and the power adapter communicate with each other to determine the proper amount of electricity that can ...
Traffic Analysis of Home Security Cameras
Interesting research on home security cameras with cloud storage. Basically, attackers can learn very basic information about what's going on in front of the camera, and infer when there is someone home. News article. Slashdot thread...
Securing the International IoT Supply Chain
Together with Nate Kim former student and Trey Herr Atlantic Council Cyber Statecraft Initiative, I have written a paper on IoT supply chain security. The basic problem we try to solve is: how to you enforce IoT security regulations when most of the stuff is made in other countries? And our...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at Indiana University Bloomington on January 30, 2020. I'll be at RSA Conference 2020 in San Francisco. On Wednesday, February 26, at 2:50 PM, I'll be part of a panel on "How to Reduce Supply Chain Risk: Lessons from...
What Happened to Cyber 9/11?
A recent article in the Atlantic asks why we haven't seen a"cyber 9/11" in the past fifteen or so years. I, too, remember the increasingly frantic and fearful warnings of a "cyber Peal Harbor," "cyber Katrina" -- when that was a thing -- or "cyber 9/11." I made fun of those warnings back then. Th...
Quantum Computing and Cryptography
Quantum computing is a new way of computing -- one that could allow humankind to perform computations that are simply impossible using today's computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to...
NIST Issues Call for "Lightweight Cryptography" Algorithms
This is interesting: Creating these defenses is the goal of NIST's lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device. Many of the sensors, actuators and other micromachines that will functio...
Spectre and Meltdown Attacks Against Microprocessors
The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones. On Wednesday, researchers just announced a series of major security vulnerabilities in the...
FBI Increases Its Anti-Encryption Rhetoric
Earlier this month, Deputy Attorney General Rod Rosenstein gave a speech warning that a world with encryption is a world without law -- or something like that. The EFF's Kurt Opsahl takes it apart pretty thoroughly. Last week, FBI Director Christopher Wray said much the same thing. This is an ide...
Websites Grabbing User-Form Data Before It's Submitted
Websites are sending information prematurely: ...we discovered NaviStone's code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as...
Girl Scouts to Offer Merit Badges in Cybersecurity
The Girl Scouts are going to be offering 18 merit badges in cybersecurity, to scouts as young as five years old...
Article on the DAO Ethereum Hack
This is good...
The Dangers of Secret Law
Last week, the Department of Justice released 18 new FISC opinions related to Section 702 as part of an EFF FOIA lawsuit. Of course, they don't mention EFF or the lawsuit. They make it sound as if it was their idea. There's probably a lot in these opinions. In one Kafkaesque ruling, a defendant w...
Security Flaws in 4G VoLTE
Research paper: "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone," by Patrick Ventuzelo, Olivier Le Moal, and Thomas Coudray. Abstract: VoLTE Voice over LTE is a technology implemented by many operators over the world. Unlike previous 2G/3G technologies, VoLTE...
Ransomware and the Internet of Things
As devastating as the latest widespread ransomware attacks have been, it's a problem with a solution. If your copy of Windows is relatively current and you've kept it updated, your laptop is immune. It's only older unpatched systems on your computer that are vulnerable. Patching is how the comput...
Stealing Browsing History Using Your Phone's Ambient Light Sensor
There has been a flurry of research into using the various sensors on your phone to steal data in surprising ways. Here's another: using the phone's ambient light sensor to detect what's on the screen. It's a proof of concept, but the paper's general conclusions are correct: There is a lesson her...
Anthropic’s Fable and the State of AI
On June 9th, Anthropic released its Fable generative AI model. Three days later, the US government classified it as a dangerous munition, and used its export-control authority to prohibit any foreign nationals from accessing it. Unable to differentiate between Americans and foreigners, the compan...
Vulnerability Disclosure in the Age of AI
New article: "Responsible Disclosure in the Age of AI: A Call for Urgent Action," by Melissa Hathaway. Abstract: Artificial intelligence is fundamentally reshaping the balance between vulnerability discovery and remediation. Frontier AI models are now capable of autonomously identifying exploitab...