2979 matches found
Tracking People via Bluetooth on Their Phones
Weve always known that phones--and the people carrying them--can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that thats not enough. Computer scientists at the University of California San Diego proved in a...
Hacking Tesla’s Remote Key Cards
Interesting vulnerability in Teslas NFC key cards: Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state...
Remotely Controlling Touchscreens
Researchers have demonstrated controlling touchscreens at a distance, at least in a laboratory setting: The core idea is to take advantage of the electromagnetic signals to execute basic touch events such as taps and swipes into targeted locations of the touchscreen with the goal of taking over...
Attacks on Managed Service Providers Expected to Increase
CISA, NSA, FBI, and similar organizations in the other Five Eyes countries are warning that attacks on MSPs--as a vector to their customers--are likely to increase. No details about what this prediction is based on. Makes sense, though. The SolarWinds attack was incredibly successful for the...
15.3 Million Request-Per-Second DDoS Attack
Cloudflare is reporting a large DDoS attack against an unnamed company "operating a crypto launchpad." While this isnt the largest application-layer attack weve seen, it is the largest weve seen over HTTPS. HTTPS DDoS attacks are more expensive in terms of required computational resources because...
Using Pupil Reflection in Smartphone Camera Selfies
Researchers are using the reflection of the smartphone in the pupils of faces taken as selfies to infer information about how the phone is being used: For now, the research is focusing on six different ways a user can hold a device like a smartphone: with both hands, just the left, or just the...
De-anonymizing Bitcoin
Andy Greenberg wrote a long article -- an excerpt from his new book -- on how law enforcement de-anonymized bitcoin transactions to take down a global child porn ring. Within a few years of Bitcoins arrival, academic security researchers -- and then companies like Chainalysis -- began to tear...
US Critical Infrastructure Companies Will Have to Report When They Are Hacked
This will be law soon: Companies critical to U.S. national interests will now have to report when theyre hacked or they pay ransomware, according to new rules approved by Congress. … The reporting requirement legislation was approved by the House and the Senate on Thursday and is expected to be...
Vulnerability in Stalkerware Apps
TechCrunch is reporting -- but not describing in detail -- a vulnerability in a series of stalkerware apps that exposes personal information of the victims. The vulnerability isnt in the apps installed on the victims phones, but in the website the stalker goes to view the information the app...
Stealing Bicycles by Swapping QR Codes
This is a clever hack against those bike-rental kiosks: Theyre stealing Citi Bikes by switching the QR scan codes on two bicycles near each other at a docking station, then waiting for an unsuspecting cyclist to try to unlock a bike with his or her smartphone app. The app doesnt work for the ride...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking at the 14th International Conference on Cyber Conflict, CyCon 2022, in Tallinn, Estonia on June 3, 2022. I’m speaking at the RSA Conference 2022 in San Francisco...
Linux-Targeted Malware Increased by 35%
Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021: Malware targeting Linux systems increased by 35% in 2021 compared to 2020. XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021. Ten times...
China’s Olympics App Is Horribly Insecure
China is mandating that athletes download and use a health and travel app when they attend the Winter Olympics next month. Citizen Lab examined the app and found it riddled with security holes. Key Findings: MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, ha...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m giving an online-only talk on “Securing a World of Physically Capable Computers” as part of Teleport’s Security Visionaries 2022 series, on January 18, 2022. I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking...
Friday Squid Blogging: Squid Eating Maine Shrimp
Squid are eating Maine shrimp, causing a collapse of the ecosystem. This seems to be a result of climate change. Maines shrimp fishery has been closed for nearly a decade since the stocks collapse in 2013. Scientists are now saying a species of squid that came into the Gulf of Maine during a...
A Death Due to Ransomware
The Wall Street Journal is reporting on a babys death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing. Amid the hack, fewer eyes were on the heart monitors -- normally tracked on a large screen at the nurses station, in...
Friday Squid Blogging: Person in Squid Suit Takes Dog for a Walk
No, I dont understand it, either. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
More Detail on the Juniper Hack and the NSA PRNG Backdoor
We knew the basics of this story, but its good to have more detail. Heres me in 2015 about this Juniper hack. Heres me in 2007 on the NSA backdoor...
Hacker-Themed Board Game
Black Hat is a hacker-themed board game...
Cellebrite Can Break Signal
Cellebrite announced that it can break Signal. Note that the company has heavily edited its blog post, but the original -- with lots of technical details -- was saved by the Wayback Machine. News article. Slashdot post. The whole story is puzzling. Cellebrites details will make it easier for the...
Cryptanalysis of an Old Zip Encryption Algorithm
Mike Stay broke an old zipfile encryption algorithm to recover $300,000 in bitcoin. DefCon talk here...
The Security Value of Inefficiency
For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that's a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that's all profitable. Inefficiency, on th...
Yet Another IoT Cybersecurity Document
This one is from NIST: "Considerations for Managing Internet of Things IoT Cybersecurity and Privacy Risks." It's still in draft. Remember, there are many others...
The DMCA and its Chilling Effects on Research
The Center for Democracy and Technology has a good summary of the current state of the DMCA's chilling effects on security research. To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all typ...
E-Mailing Private HTTPS Keys
I don't know what to make of this story: The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert,...
Can Consumers' Online Data Be Protected?
Everything online is hackable. This is true for Equifax's data and the federal Office of Personal Management's data, which was hacked in 2015. If information is on a computer connected to the Internet, it is vulnerable. But just because everything is hackable doesn't mean everything will be hacke...
Daniel Miessler on My Writings about IoT Security
Daniel Miessler criticizes my writings about IoT security: I know it's super cool to scream about how IoT is insecure, how it's dumb to hook up everyday objects like houses and cars and locks to the internet, how bad things can get, and I know it's fun to be invited to talk about how everything i...
Friday Squid Blogging: Squids from Space Video Game
An early preview. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Sex Is Traumatic for the Female Dumpling Squid
The more they mate, the sooner they die. Academic paper paywall. News article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Safety and Security and the Internet of Things
Ross Anderson blogged about his new paper on security and safety concerns about the Internet of Things. See also this short video. It's very much along the lines of what I've been writing...
WannaCry and Vulnerabilities
There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims' access to their computers...
Interview with Ross Anderson
Cybersecurity researcher Ross Anderson has a good interview on edge.org...
One Million Passports Leaked Online
A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential--a passport--was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it's the low-value system that got hacked, putting th...
The NSA’s “Fifty Years of Mathematical Cryptanalysis (1937–1987)”
In response to a FOIA request, the NSA released "Fifty Years of Mathematical Cryptanalysis 1937-1987," by Glenn F. Stahly, with a lot of redactions. Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has a few less redactions. And nothi...
Windscribe Acquitted on Charges of Not Collecting Users’ Data
The company doesn't keep logs, so couldn't turn over data: Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in connection...
Arguing Against CALEA
At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today's threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have...
Security and Human Behavior (SHB) 2024
This week, I hosted the seventeenth Workshop on Security and Human Behavior at the Harvard Kennedy School. This is the first workshop since our co-founder, Ross Anderson, died unexpectedly. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im giving a webinar via Zoom on Wednesday, May 22, at 11:00 AM ET. The topic is "Should the USG Establish a Publicly Funded AI Option?" The list is maintained on this page...
Smuggling Gold by Disguising it as Machine Parts
Someone got caught trying to smuggle 322 pounds of gold thats about a quarter of a cubic foot out of Hong Kong. It was disguised as machine parts: On March 27, customs officials x-rayed two air compressors and discovered that they contained gold that had been "concealed in the integral parts" of...
US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack
The US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior US government officials. From the executive summary: The Board finds that this intrusion was preventable...
Friday Squid Blogging: SqUID Bots
Theyre AI warehouse robots. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Automakers Are Sharing Driver Data with Insurers without Consent
Kasmir Hill has the story: Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have...
EU Court of Human Rights Rejects Encryption Backdoors
The European Court of Human Rights has ruled that breaking end-to-end encryption by adding backdoors violates human rights: Seemingly most critically, the Russian government told the ECHR that any intrusion on private lives resulting from decrypting messages was "necessary" to combat terrorism in...
Friday Squid Blogging: A Penguin Named “Squid”
Amusing story about a penguin named "Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
CFPB’s Proposed Data Rules
In October, the Consumer Financial Protection Bureau CFPB proposed a set of rules that if implemented would transform how financial institutions handle personal data about their customers. The rules put control of that data back in the hands of ordinary Americans, while at the same time undermini...
Quantum Computing Skeptics
Interesting article. I am also skeptical that we are going to see useful quantum computers anytime soon. Since at least 2019, I have been saying that this is hard. And that we dont know if its "land a person on the surface of the moon" hard, or "land a person on the surface of the sun" hard. They...
Side Channels Are Common
Really interesting research: "Lend Me Your Ear: Passive Remote Physical Side Channels on PCs." Abstract: We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often...
Speaking to the CIA’s Creative Writing Group
This is a fascinating story. Last spring, a friend of a friend visited my office and invited me to Langley to speak to Invisible Ink, the CIAs creative writing group. I asked Vivian not her real name what she wanted me to talk about. She said that the topic of the talk was entirely up to me. I...
Facial Scanning by Burger King in Brazil
In 2000, I wrote: "If McDonalds offered three free Big Macs for a DNA sample, there would be lines around the block." Burger King in Brazil is almost there, offering discounts in exchange for a facial scan. From a marketing video: "At the end of the year, its Friday every day, and the hangover...
Friday Squid Blogging: Squid Nebula
Pretty photograph. The Squid Nebula is shown in blue, indicating doubly ionized oxygen--which is when you ionize your oxygen once and then ionize it again just to make sure. In all seriousness, it likely indicates a low-mass star nearing the end of its life. As usual, you can also use this squid...