2981 matches found
Friday Squid Blogging: Squid Images
iStock has over 13,000 royalty-free images of squid. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Remotely Controlling Touchscreens
This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens. From a news article: Its important to note that the attack has a few key limitations. Firstly, the hackers need to know the targets phone passcod...
Hacking Starlink
This is the first--of many, I assume--hack of Starlink. Leveraging a string of vulnerabilities, attackers can access the Starlink system and run custom code on the devices...
Drone Deliveries into Prisons
Seems its now common to sneak contraband into prisons with a drone...
Apple’s Lockdown Mode
Apple has introduced lockdown mode for high-risk users who are concerned about nation-state attacks. It trades reduced functionality for increased security in a very interesting way...
When Security Locks You Out of Everything
Thought experiment story of someone who lost everything in a house fire, and now cant log into anything: But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in--yo...
Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills
Two bills attempting to reduce the power of Internet monopolies are currently being debated in Congress: S. 2992, the American Innovation and Choice Online Act; and S. 2710, the Open App Markets Act. Reducing the power to tech monopolies would do more to "fix" the Internet than any other single...
Tracking People via Bluetooth on Their Phones
Weve always known that phones--and the people carrying them--can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that thats not enough. Computer scientists at the University of California San Diego proved in a...
Hacking Tesla’s Remote Key Cards
Interesting vulnerability in Teslas NFC key cards: Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state...
Remotely Controlling Touchscreens
Researchers have demonstrated controlling touchscreens at a distance, at least in a laboratory setting: The core idea is to take advantage of the electromagnetic signals to execute basic touch events such as taps and swipes into targeted locations of the touchscreen with the goal of taking over...
Attacks on Managed Service Providers Expected to Increase
CISA, NSA, FBI, and similar organizations in the other Five Eyes countries are warning that attacks on MSPs--as a vector to their customers--are likely to increase. No details about what this prediction is based on. Makes sense, though. The SolarWinds attack was incredibly successful for the...
15.3 Million Request-Per-Second DDoS Attack
Cloudflare is reporting a large DDoS attack against an unnamed company "operating a crypto launchpad." While this isnt the largest application-layer attack weve seen, it is the largest weve seen over HTTPS. HTTPS DDoS attacks are more expensive in terms of required computational resources because...
Using Pupil Reflection in Smartphone Camera Selfies
Researchers are using the reflection of the smartphone in the pupils of faces taken as selfies to infer information about how the phone is being used: For now, the research is focusing on six different ways a user can hold a device like a smartphone: with both hands, just the left, or just the...
De-anonymizing Bitcoin
Andy Greenberg wrote a long article -- an excerpt from his new book -- on how law enforcement de-anonymized bitcoin transactions to take down a global child porn ring. Within a few years of Bitcoins arrival, academic security researchers -- and then companies like Chainalysis -- began to tear...
US Critical Infrastructure Companies Will Have to Report When They Are Hacked
This will be law soon: Companies critical to U.S. national interests will now have to report when theyre hacked or they pay ransomware, according to new rules approved by Congress. … The reporting requirement legislation was approved by the House and the Senate on Thursday and is expected to be...
Stealing Bicycles by Swapping QR Codes
This is a clever hack against those bike-rental kiosks: Theyre stealing Citi Bikes by switching the QR scan codes on two bicycles near each other at a docking station, then waiting for an unsuspecting cyclist to try to unlock a bike with his or her smartphone app. The app doesnt work for the ride...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking at the 14th International Conference on Cyber Conflict, CyCon 2022, in Tallinn, Estonia on June 3, 2022. I’m speaking at the RSA Conference 2022 in San Francisco...
Linux-Targeted Malware Increased by 35%
Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021: Malware targeting Linux systems increased by 35% in 2021 compared to 2020. XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021. Ten times...
China’s Olympics App Is Horribly Insecure
China is mandating that athletes download and use a health and travel app when they attend the Winter Olympics next month. Citizen Lab examined the app and found it riddled with security holes. Key Findings: MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, ha...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m giving an online-only talk on “Securing a World of Physically Capable Computers” as part of Teleport’s Security Visionaries 2022 series, on January 18, 2022. I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking...
Friday Squid Blogging: Squid Eating Maine Shrimp
Squid are eating Maine shrimp, causing a collapse of the ecosystem. This seems to be a result of climate change. Maines shrimp fishery has been closed for nearly a decade since the stocks collapse in 2013. Scientists are now saying a species of squid that came into the Gulf of Maine during a...
A Death Due to Ransomware
The Wall Street Journal is reporting on a babys death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing. Amid the hack, fewer eyes were on the heart monitors -- normally tracked on a large screen at the nurses station, in...
Friday Squid Blogging: Person in Squid Suit Takes Dog for a Walk
No, I dont understand it, either. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
More Detail on the Juniper Hack and the NSA PRNG Backdoor
We knew the basics of this story, but its good to have more detail. Heres me in 2015 about this Juniper hack. Heres me in 2007 on the NSA backdoor...
Hacker-Themed Board Game
Black Hat is a hacker-themed board game...
Cellebrite Can Break Signal
Cellebrite announced that it can break Signal. Note that the company has heavily edited its blog post, but the original -- with lots of technical details -- was saved by the Wayback Machine. News article. Slashdot post. The whole story is puzzling. Cellebrites details will make it easier for the...
Cryptanalysis of an Old Zip Encryption Algorithm
Mike Stay broke an old zipfile encryption algorithm to recover $300,000 in bitcoin. DefCon talk here...
The Security Value of Inefficiency
For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that's a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that's all profitable. Inefficiency, on th...
Yet Another IoT Cybersecurity Document
This one is from NIST: "Considerations for Managing Internet of Things IoT Cybersecurity and Privacy Risks." It's still in draft. Remember, there are many others...
Friday Squid Blogging: Squids from Space Video Game
An early preview. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Sex Is Traumatic for the Female Dumpling Squid
The more they mate, the sooner they die. Academic paper paywall. News article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Safety and Security and the Internet of Things
Ross Anderson blogged about his new paper on security and safety concerns about the Internet of Things. See also this short video. It's very much along the lines of what I've been writing...
WannaCry and Vulnerabilities
There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims' access to their computers...
One Million Passports Leaked Online
A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential--a passport--was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it's the low-value system that got hacked, putting th...
Hacking Meta’s AI Chatbot
Hackers are convincing Meta's AI support chatbot to let them take over other peoples' accounts: A video posted on X showed the step-by-step process to hack someone's Instagram account. The hacker allegedly used a VPN to spoof the targets' presumed location to avoid triggering Instagram's automate...
LLMs and Text-in-Text Steganography
Turns out that LLMs are really good at hiding text messages in other text messages...
Friday Squid Blogging: New “Squid” Sneaker
I did not know Adidas sold a sneaker called "Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Generative AI as a Cybercrime Assistant
Anthropic reports on a Claude user: We recently disrupted a sophisticated cybercriminal that used Claude Code to commit large-scale theft and extortion of personal data. The actor targeted at least 17 distinct organizations, including in healthcare, the emergency services, and government and...
The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)”
In response to a FOIA request, the NSA released "Fifty Years of Mathematical Cryptanalysis 1937-1987," by Glenn F. Stahly, with a lot of redactions. Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has a few less redactions. And nothi...
Chinese AI Submersible
A Chinese company has developed an AI-piloted submersible that can reach speeds "similar to a destroyer or a US Navy torpedo," dive "up to 60 metres underwater," and "remain static for more than a month, like the stealth capabilities of a nuclear submarine." In case you're worried about the...
Windscribe Acquitted on Charges of Not Collecting Users’ Data
The company doesn't keep logs, so couldn't turn over data: Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in connection...
How to Leak to a Journalist
Neiman Lab has some good advice on how to leak a story to a journalist...
Arguing Against CALEA
At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today's threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have...
Security and Human Behavior (SHB) 2024
This week, I hosted the seventeenth Workshop on Security and Human Behavior at the Harvard Kennedy School. This is the first workshop since our co-founder, Ross Anderson, died unexpectedly. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im giving a webinar via Zoom on Wednesday, May 22, at 11:00 AM ET. The topic is "Should the USG Establish a Publicly Funded AI Option?" The list is maintained on this page...
Smuggling Gold by Disguising it as Machine Parts
Someone got caught trying to smuggle 322 pounds of gold thats about a quarter of a cubic foot out of Hong Kong. It was disguised as machine parts: On March 27, customs officials x-rayed two air compressors and discovered that they contained gold that had been "concealed in the integral parts" of...
US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack
The US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior US government officials. From the executive summary: The Board finds that this intrusion was preventable...
Friday Squid Blogging: SqUID Bots
Theyre AI warehouse robots. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Automakers Are Sharing Driver Data with Insurers without Consent
Kasmir Hill has the story: Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have...
EU Court of Human Rights Rejects Encryption Backdoors
The European Court of Human Rights has ruled that breaking end-to-end encryption by adding backdoors violates human rights: Seemingly most critically, the Russian government told the ECHR that any intrusion on private lives resulting from decrypting messages was "necessary" to combat terrorism in...