2979 matches found
Friday Squid Blogging: Squid Werewolf Hacking Group
In another rare squid/cybersecurity intersection, APT37 is also known as "Squid Werewolf." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...
Report on Paragon Spyware
Citizen Lab has a new report on Paragon's spyware: Key Findings: Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group...
Friday Squid Blogging: A New Explanation of Squid Camouflage
New research: An associate professor of chemistry and chemical biology at Northeastern University, Deravi’s recently published paper in the Journal of Materials Chemistry C sheds new light on how squid use organs that essentially function as organic solar cells to help power their camouflage...
Improvements in Brute Force Attacks
New paper: "GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3." Abstract: Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit...
Friday Squid Blogging: On Squid Brains
Interesting. Blog moderation policy...
Zero-Day Vulnerability in Ivanti VPN
It's being actively exploited...
Casino Players Using Hidden Cameras for Cheating
The basic strategy is to place a device with a hidden camera in a position to capture normally hidden card values, which are interpreted by an accomplice off-site and fed back to the player via a hidden microphone. Miniaturization is making these devices harder to detect. Presumably AI will soon...
Hacking Digital License Plates
Not everything needs to be digital and "smart." License plates, for example: Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By...
Jailbreaking LLM-Controlled Robots
Surprising no one, it's easy to trick an LLM-controlled robot into ignoring its safety instructions...
AI and the 2024 Elections
It's been the biggest year for elections in human history: 2024 is a "super-cycle" year in which 3.7 billion eligible voters in 72 countries had the chance to go the polls. These are also the first AI elections, where many feared that deepfakes and artificial intelligence-generated misinformation...
Remotely Exploding Pagers
Wow. It seems they all exploded simultaneously, which means they were triggered. Were they each tampered with physically, or did someone figure out how to trigger a thermal runaway remotely? Supply chain attack? Malicious code update, or natural vulnerability? I have no idea, but I expect we will...
Matthew Green on Telegram’s Encryption
Matthew Green wrote a really good blog post on what Telegrams encryption is and is not. EDITED TO ADD 8/28: Another good explainer from Kaspersky...
Texas Sues GM for Collecting Driving Data without Consent
Texas is suing General Motors for collecting driver data without consent and then selling it to insurance companies: From CNN: In car models from 2015 and later, the Detroit-based car manufacturer allegedly used technology to "collect, record, analyze, and transmit highly detailed driving data...
The CrowdStrike Outage and Market-Driven Brittleness
Fridays massive internet outage, caused by a mid-sized tech company called CrowdStrike, disrupted major airlines, hospitals, and banks. Nearly 7,000 flights were canceled. It took down 911 systems and factories, courthouses, and television stations. Tallying the total cost will take time. The...
Hacking Scientific Citations
Some scholars are inflating their reference counts by sneaking them into metadata: Citations of scientific work abide by a standardized referencing system: Each reference explicitly mentions at least the title, authors names, publication year, journal or conference name, and page numbers of the...
Breaking the M-209
Interesting paper about a German cryptanalysis machine that helped break the US M-209 mechanical ciphering machine. The paper contains a good description of how the M-209 works...
Exploiting Mistyped URLs
Interesting research: "Hyperlink Hijacking: Exploiting Erroneous URL Links to Phantom Domains": Abstract: Web users often follow hyperlinks hastily, expecting them to be correctly programmed. However, it is possible those links contain typos or other mistakes. By discovering active but erroneous...
Espionage with a Drone
The US is using a World War II law that bans aircraft photography of military installations to charge someone with doing the same thing with a drone...
Friday Squid Blogging: Dana Squid Attacking Camera
Fantastic footage of a Dana squid attacking a camera at a depth of about a kilometer. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
IBM Sells Cybersecurity Group
IBM is selling its QRadar product suite to Palo Alto Networks, for an undisclosed--but probably surprisingly small--sum. I have a personal connection to this. In 2016, IBM bought Resilient Systems, the startup I was a part of. It became part if IBMs cybersecurity offerings, mostly and weirdly...
Friday Squid Blogging: Searching for the Colossal Squid
A cruise ship is searching for the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Lessons from a Ransomware Attack against the British Library
You might think that libraries are kind of boring, but this self-analysis of a 2023 ransomware and extortion attack against the British Library is anything but...
Teaching LLMs to Be Deceptive
Interesting research: "Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training": Abstract: Humans are capable of strategically deceptive behavior: behaving helpfully in most situations, but then behaving very differently in order to pursue alternative objectives when given th...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the International PolCampaigns Expo IPE24 in Cape Town, South Africa, January 25-26, 2024. The list is maintained on this page...
A Robot the Size of the World
In 2016, I wrote about an Internet that affected the world in a direct, physical manner. It was connected to your smartphone. It had sensors like cameras and thermostats. It had actuators: Drones, autonomous cars. And it had smarts in the middle, using sensor data to figure out what to do and the...
Security Analysis of a Thirteenth-Century Venetian Election Protocol
Interesting analysis: This paper discusses the protocol used for electing the Doge of Venice between 1268 and the end of the Republic in 1797. We will show that it has some useful properties that in addition to being interesting in themselves, also suggest that its fundamental design principle is...
Extracting GPT’s Training Data
This is clever: The actual attack is kind of silly. We prompt the model with the command "Repeat the word poem forever" and sit back and watch as the model responds complete transcript here. In the abridged example above, the model emits a real email address and phone number of some unsuspecting...
Digital Car Keys Are Coming
Soon we will be able to unlock and start our cars from our phones. Lets hope people are thinking about security...
FTC’s Voice Cloning Challenge
The Federal Trade Commission is running a competition "to foster breakthrough ideas on preventing, monitoring, and evaluating malicious voice cloning."...
Friday Squid Blogging: China’s Squid Fishing Ban Ineffective
China imposed a "pilot program banning fishing in parts of the south-west Atlantic Ocean from July to October, and parts of the eastern Pacific Ocean from September to December." However, the conservation group Oceana analyzed the data and figured out that the Chinese werent fishing in those area...
New SEC Rules around Cybersecurity Incident Disclosures
The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules: 1. Public companies must "disclose any cybersecurity incident they determine to be material" within four days, with potential delays if there is a national...
Friday Squid Blogging: Zaqistan Flag
The fictional nation of Zaqistan in Utah has a squid on its flag. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Tracking Down a Suspect through Cell Phone Records
Interesting forensics in connection with a serial killer arrest: Investigators went through phone records collected from both midtown Manhattan and the Massapequa Park area of Long Island--two areas connected to a "burner phone" they had tied to the killings. In court, prosecutors later said the...
Stalkerware Vendor Hacked
The stalkerware company LetMeSpy has been hacked: TechCrunch reviewed the leaked data, which included years of victims call logs and text messages dating back to 2013. The database we reviewed contained current records on at least 13,000 compromised devices, though some of the devices shared litt...
Typing Incriminating Evidence in the Memo Field
Dont do it: Recently, the manager of the Harvard Med School morgue was accused of stealing and selling human body parts. Cedric Lodge and his wife Denise were among a half-dozen people arrested for some pretty grotesque crimes. This part is also at least a little bit funny though: Over a three-ye...
UPS Data Harvested for SMS Phishing Attacks
I get UPS phishing spam on my phone all the time. I never click on it, because its so obviously spam. Turns out that hackers have been harvesting actual UPS delivery data from a Canadian tracking tool for its phishing SMSs...
Identifying the Idaho Killer
The New York Times has a long article on the investigative techniques used to identify the person who stabbed and killed four University of Idaho students. Pay attention to the techniques: The case has shown the degree to which law enforcement investigators have come to rely on the digital...
AI Hacking Village at DEF CON This Year
At DEF CON this year, Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI will all open up their models for attack. The DEF CON event will rely on an evaluation platform developed by Scale AI, a California company that produces training for AI applications. Participants wi...
Friday Squid Blogging: “Mediterranean Beef Squid” Hoax
The viral video of the "Mediterranean beef squid"is a hoax. Its not even a deep fake; its a plastic toy. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Swatting as a Service
Motherboard is reporting on AI-generated voices being used for "swatting": In fact, Motherboard has found, this synthesized call and another against Hempstead High School were just one small part of a months-long, nationwide campaign of dozens, and potentially hundreds, of threats made by one...
Friday Squid Blogging: Colossal Squid
Interesting article on the colossal squid, which is larger than the giant squid. The article answers a vexing question: So why do we always hear about the giant squid and not the colossal squid? Well, part of it has to do with the fact that the giant squid was discovered and studied long before t...
Research on AI in Adversarial Settings
New research: “Achilles Heels for AGI/ASI via Decision Theoretic Adversaries": As progress in AI continues to advance, it is important to know how advanced systems will make choices and in what ways they may fail. Machines can already outsmart humans in some domains, and understanding how to safe...
Russian Cyberwarfare Documents Leaked
Now this is interesting: Thousands of pages of secret documents reveal how Vulkans engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the...
New National Cybersecurity Strategy
Last week, the Biden administration released a new National Cybersecurity Strategy summary here. There is lots of good commentary out there. Its basically a smart strategy, but the hard parts are always the implementation details. Its one thing to say that we need to secure our cloud...
Putting Undetectable Backdoors in Machine Learning Models
This is really interesting research from a few months ago: Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. Delegation of learning has clear benefits, and at the same time raise...
Friday Squid Blogging: Studying the Colossal Squid
A survey of giant squid science. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Friday Squid Blogging: Squid Fetish
Seems that about 1.5% of people have a squid fetish. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Remote Vulnerabilities in Automobiles
This group has found a ton of remote vulnerabilities in all sorts of automobiles. Its enough to make you want to buy a car that is not Internet-connected. Unfortunately, that seems to be impossible...
Hacking the JFK Airport Taxi Dispatch System
Two men have been convicted of hacking the taxi dispatch system at the JFK airport. This enabled them to reorder the taxis on the list; they charged taxi drivers $10 to cut the line...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the 24th International Information Security Conference in Madrid, Spain, on November 17, 2022. The list is maintained on this page...