2978 matches found
Friday Squid Blogging: New Squid Species
An ancient squid: New research on fossils has revealed that a vampire-like ancient squid haunted Earths oceans 165 million years ago. The study, published in June edition of the journal Papers in Palaeontology, says the creature had a bullet-shaped body with luminous organs, eight arms and sucker...
Detecting AI-Generated Text
There are no reliable ways to distinguish text written by a human from text written by an large language model. OpenAI writes: Do AI detectors work? In short, no. While some including OpenAI have released tools that purport to detect AI-generated content, none of these have proven to reliably...
Friday Squid Blogging: Cleaning Squid
Two links on how to properly clean squid. I learned a few years ago, in Spain, and got pretty good at it. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
China Hacked Japan’s Military Networks
The NSA discovered the intrusion in 2020--we dont know how--and alerted the Japanese. The Washington Post has the story: The hackers had deep, persistent access and appeared to be after anything they could get their hands on--plans, capabilities, assessments of military shortcomings, according to...
New York Using AI to Detect Subway Fare Evasion
The details are scant--the article is based on a "heavily redacted" contract--but the New York subway authority is using an "AI system" to detect people who dont pay the subway fare. Joana Flores, an MTA spokesperson, said the AI system doesnt flag fare evaders to New York police, but she decline...
Commentary on the Implementation Plan for the 2023 US National Cybersecurity Strategy
The Atlantic Council released a detailed commentary on the White Houses new "Implementation Plan for the 2023 US National Cybersecurity Strategy." Lots of interesting bits. So far, at least three trends emerge: First, the plan contains a somewhat more concrete list of actions than its parent...
Friday Squid Blogging: Balloon Squid
Masayoshi Matsumoto is a "master balloon artist," and he made a squid and other animals. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
The Password Game
Amusing parody of password rules. BoingBoing: For example, at a certain level, your password must include todays Wordle answer. And then theres rule 27: "At least 50% of your password must be in the Wingdings font." EDITED TO ADD 7/13: Here are all the rules...
Security and Human Behavior (SHB) 2023
Im just back from the sixteenth Workshop on Security and Human Behavior, hosted by Alessandro Acquisti at Carnegie Mellon University in Pittsburgh. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro...
How Attorneys Are Harming Cybersecurity Incident Response
New paper: "Lessons Lost: Incident Response in the Age of Cyber Insurance and Breach Attorneys": Abstract: Incident Response IR allows victim firms to detect, contain, and recover from security incidents. It should also help the wider community avoid similar attacks in the future. In pursuit of...
Chinese Hacking of US Critical Infrastructure
Everyone is writing about an interagency and international report on Chinese hacking of US critical infrastructure. Lots of interesting details about how the group, called Volt Typhoon, accesses target networks and evades detection...
Friday Squid Blogging: Peruvian Squid-Fishing Regulation Drives Chinese Fleets Away
A Peruvian oversight law has the opposite effect: Peru in 2020 began requiring any foreign fishing boat entering its ports to use a vessel monitoring system allowing its activities to be tracked in real time 24 hours a day. The equipment, which tracks a vessels geographic position and fishing...
Building Trustworthy AI
We will all soon get into the habit of using AI tools for help with everyday problems and tasks. We should get in the habit of questioning the motives, incentives, and capabilities behind them, too. Imagine youre using an AI chatbot to plan a vacation. Did it suggest a particular resort because i...
FBI Disables Russian Malware
Reuters is reporting that the FBI "had identified and disabled malware wielded by Russias FSB security service against an undisclosed number of American computers, a move they hoped would deal a death blow to one of Russias leading cyber spying programs." The headline says that the FBI "sabotaged...
Large Language Models and Elections
Earlier this week, the Republican National Committee released a video that it claims was "built entirely with AI imagery." The content of the ad isnt especially novel--a dystopian vision of America under a second term with President Joe Biden--but the deliberate emphasis on the technology used to...
Friday Squid Blogging: More on Squid Fishing
The squid you eat most likely comes from unregulated waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Hacking Pickleball
My latest book, A Hackers Mind, has a lot of sports stories. Sports are filled with hacks, as players look for every possible advantage that doesnt explicitly break the rules. Heres an example from pickleball, which nicely explains the dilemma between hacking as a subversion and hacking as...
NetWire Remote Access Trojan Maker Arrested
From Brian Krebs: A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan RAT marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the...
Friday Squid Blogging: Chinese Squid Fishing in the Southeast Pacific
Chinese squid fishing boats are overwhelming Ecuador and Peru. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Fines as a Security System
Tile has an interesting security solution to make its tracking tags harder to use for stalking: The Anti-Theft Mode feature will make the devices invisible to Scan and Secure, the companys in-app feature that lets you know if any nearby Tiles are following you. But to activate the new Anti-Theft...
Bulk Surveillance of Money Transfers
Just another obscure warrantless surveillance program. US law enforcement can access details of money transfers without a warrant through an obscure surveillance program the Arizona attorney generals office created in 2014. A database stored at a nonprofit, the Transaction Record Analysis Center...
No-Fly List Exposed
I cant remember the last time I thought about the US no-fly list: the list of people so dangerous they should never be allowed to fly on an airplane, yet so innocent that we cant arrest them. Back when I thought about it a lot, I realized that the TSAs practice of giving it to every airline meant...
Decarbonizing Cryptocurrencies through Taxation
Maintaining bitcoin and other cryptocurrencies causes about 0.3 percent of global CO2 emissions. That may not sound like a lot, but its more than the emissions of Switzerland, Croatia, and Norway combined. As many cryptocurrencies crash and the FTX bankruptcy moves into the litigation stage,...
Recovering Smartphone Voice from the Accelerometer
Yet another smartphone side-channel attack: "EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers": Abstract: Eavesdropping from the users smartphone is a well-known threat to the users safety and privacy. Existing studies show that loudspeaker reverberatio...
Reimagining Democracy
Last week, I hosted a two-day workshop on reimagining democracy. The idea was to bring together people from a variety of disciplines who are all thinking about different aspects of democracy, less from a "what we need to do today" perspective and more from a blue-sky future perspective. My remit ...
CryWiper Data Wiper Targeting Russian Sites
Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks. The Trojan corrupts any data thats not vital for the functioning of the operating system. It doesnt affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores sever...
Hacking Automobile Keyless Entry Systems
Suspected members of a European car-theft ring have been arrested: The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away. As a result of a coordinated action carried out on 10 October in the three countries involved, 31...
Detecting Deepfake Audio by Modeling the Human Acoustic Tract
This is interesting research: In this paper, we develop a new mechanism for detecting audio deepfakes using techniques from the field of articulatory phonetics. Specifically, we apply fluid dynamics to estimate the arrangement of the human vocal tract during speech generation and show that...
New Linux Cryptomining Malware
Its pretty nasty: The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each...
Clever Phishing Scam Uses Legitimate PayPal Messages
Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging. Basically, the scammers use the PayPal invoicing system to send the email. The email lists a phone number to dispute the charge, which is not PayPal and quickly turns into a request to download and...
Mudge Files Whistleblower Complaint against Twitter
Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that they violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitters chief security officer until he was fired in January. The Washington Post has the...
A Taxonomy of Access Control
My personal definition of a brilliant idea is one that is immediately obvious once its explained, but no one has thought of it before. I cant believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet...
Apple’s Lockdown Mode
I havent written about Apples Lockdown Mode yet, mostly because I havent delved into the details. This is how Apple describes it: Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of...
Facebook Is Now Encrypting Links to Prevent URL Stripping
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102, which it...
Friday Squid Blogging: Squid Inks Fisherman
Short video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Post-Roe Privacy
This is an excellent essay outlining the post-Roe privacy threat model. Summary: period tracking apps are largely a red herring. Taken together, this means the primary digital threat for people who take abortion pills is the actual evidence of intention stored on your phone, in the form of texts,...
Analyzing the Swiss E-Voting System
Andrew Appel has a long analysis of the Swiss online voting system. Its a really good analysis of both the system and the official analyses...
2022 Workshop on Economics and Information Security (WEIS)
I did not attend WEIS this year, but Ross Anderson was there and liveblogged all the talks...
Friday Squid Blogging: Squid Cubes
Researchers thaw squid frozen into a cube and often make interesting discoveries. Okay, this is a weird story. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Smartphones and Civilians in Wartime
Interesting article about civilians using smartphones to assist their militaries in wartime, and how that blurs the important legal distinction between combatants and non-combatants: The principle of distinction between the two roles is a critical cornerstone of international humanitarian law--t...
Video Conferencing Apps Sometimes Ignore the Mute Button
New research: "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps": Abstract: In the post-pandemic era, video conferencing apps VCAs have converted previously private spaces -- bedrooms, living rooms, and kitchens -- into semi-public extensions of the office. And...
Long Article on NSO Group
Ronan Farrow has a long article in the New Yorker on NSO Group, which includes the news that someone -- probably Spain -- used the software to spy on domestic Catalonian separatists...
Undetectable Backdoors in Machine-Learning Models
New paper: "Planting Undetectable Backdoors in Machine Learning Models": Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectab...
Industrial Control System Malware Discovered
The Department of Energy, CISA, the FBI, and the NSA jointly issued an advisory describing a sophisticated piece of malware called Pipedream thats designed to attack a wide range of industrial control systems. This is clearly from a government, but no attribution is given. Theres also no indicati...
Cyberweapons Arms Manufacturer FinFisher Shuts Down
FinFisher has shut down operations. This is the spyware company whose products were used, among other things, to spy on Turkish and Bahraini political opposition...
A Detailed Look at the Conti Ransomware Gang
Based on two years of leaked messages, 60,000 in all: The Conti ransomware gang runs like any number of businesses around the world. It has multiple departments, from HR and administrators to coders and researchers. It has policies on how its hackers should process their code, and shares best...
Vendors are Fixing Security Flaws Faster
Googles Project Zero is reporting that software vendors are patching their code faster. tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the...
An Examination of the Bug Bounty Marketplace
Heres a fascinating report: "Bounty Everything: Hackers and the Making of the Global Bug Marketplace." From a summary: …researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs -- programs that hire hackers to discover an...
Using Foreign Nationals to Bypass US Surveillance Restrictions
Remember when the US and Australian police surreptitiously owned and operated the encrypted cell phone app ANOM? They arrested 800 people in 2021 based on that operation. New documents received by Motherboard show that over 100 of those phones were shipped to users in the US, far more than...
Friday Squid Blogging: Squid Prices Are Rising
The price of squid in Korea is rising due to limited supply. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...