2979 matches found
On Secure Voting Systems
Andrew Appel shepherded a public comment--signed by twenty election cybersecurity experts, including myself--on best practices for ballot marking devices and vote tabulation. It was written for the Pennsylvania legislature, but its general in nature. From the executive summary: We believe that no...
AIs Hacking Websites
New research: LLM Agents can Autonomously Hack Websites Abstract: In recent years, large language models LLMs have become increasingly capable and can now interact with tools i.e., call functions, read documents, and recursively call themselves. As a result, these LLMs can now function autonomous...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Munich Security Conference MSC 2024 in Munich, Germany, on Friday, February 16, 2024. I’m giving a keynote on “AI and Trust” at Generative AI, Free Speech, & Public Discourse. The symposium will be held at...
Canadian Citizen Gets Phone Back from Police
After 175 million failed password guesses, a judge rules that the Canadian police must return a suspects phone. Judge Carter said the investigation can continue without the phones, and he noted that Ottawa police have made a formal request to obtain more data from Google. "This strikes me as a...
Police Get Medical Records without a Warrant
More unconstrained surveillance: Lawmakers noted the pharmacies policies for releasing medical records in a letter dated Tuesday to the Department of Health and Human Services HHS Secretary Xavier Becerra. The letter--signed by Sen. Ron Wyden D-Ore., Rep. Pramila Jayapal D-Wash., and Rep. Sara...
Friday Squid Blogging: Influencer Accidentally Posts Restaurant Table QR Ordering Code
Another rare security + squid story: The woman--who has only been identified by her surname, Wang--was having a meal with friends at a hotpot restaurant in Kunming, a city in southwest China. When everyone’s selections arrived at the table, she posted a photo of the spread on the Chinese social...
Spying through Push Notifications
When you get a push notification on your Apple or Google phone, those notifications go through Apple and Google servers. Which means that those companies can spy on them--either for their own reasons or in response to government demands. Sen. Wyden is trying to get to the bottom of this: In a...
Cars Have Terrible Data Privacy
A new Mozilla Foundation report concludes that cars, all of them, have terrible data privacy. All 25 car brands we researched earned our Privacy Not Included warning label--making cars the official worst category of products for privacy that we have ever reviewed. Theres a lot of details in the...
Own Your Own Government Surveillance Van
A used government surveillance van is for sale in Chicago: So how was this van turned into a mobile spying center? Well, lets start with how it has more LCD monitors than a Counterstrike LAN party. They can be used to monitor any of six different video inputs including a videoscope camera. A...
Google Is Using Its Vast Data Stores to Train AI
No surprise, but Google just changed its privacy policy to reflect broader uses of all the surveillance data it has captured over the years: Research and development: Google uses information to improve our services and to develop new products, features and technologies that benefit our users and...
Friday Squid Blogging: Giant Squid Nebula
Pretty: A mysterious squid-like cosmic cloud, this nebula is very faint, but also very large in planet Earths sky. In the image, composed with 30 hours of narrowband image data, it spans nearly three full moons toward the royal constellation Cepheus. Discovered in 2011 by French astro-imager...
Self-Driving Cars Are Surveillance Cameras on Wheels
Police are already using self-driving car footage as video evidence: While security cameras are commonplace in American cities, self-driving cars represent a new level of access for law enforcement and a new method for encroachment on privacy, advocates say. Crisscrossing the city on their...
Friday Squid Blogging: Squid Can Edit Their RNA
This is just crazy: Scientists dont yet know for sure why octopuses, and other shell-less cephalopods including squid and cuttlefish, are such prolific editors. Researchers are debating whether this form of genetic editing gave cephalopods an evolutionary leg or tentacle up or whether the editing...
Friday Squid Blogging: Light-Emitting Squid
Its a Taningia danae: Their arms are lined with two rows of sharp retractable hooks. And, like most deep-sea squid, they are adorned with light organs called photophores. They have some on the underside of their mantle. There are more facing upward, near one of their eyes. But it’s the photophore...
Brute-Forcing a Fingerprint Reader
Its neither hard nor expensive: Unlike password authentication, which requires a direct match between what is inputted and whats stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only...
Friday Squid Blogging: More Squid Camouflage Research
Heres a research group trying to replicate squid cell transparency in mammalian cells. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
The Insecurity of Photo Cropping
The Intercept has a long article on the insecurity of photo cropping: One of the hazards lies in the fact that, for some of the programs, downstream crop reversals are possible for viewers or readers of the document, not just the files creators or editors. Official instruction manuals, help pages...
Ukraine Intercepting Russian Soldiers’ Cell Phone Calls
Theyre using commercial phones, which go through the Ukrainian telecom network: "You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted...
CAPTCHA
This is an actual CAPTCHA I was shown when trying to log into PayPal. As an actual human and not a bot, I had no idea how to answer. Is this a joke? Seems not. Is it a Magritte-like existential question? Its not a bicycle. Its a drawing of a bicycle. Actually, its a photograph of a drawing of a...
Charles V of Spain Secret Code Cracked
Diplomatic code cracked after 500 years: In painstaking work backed by computers, Pierrot found "distinct families" of about 120 symbols used by Charles V. "Whole words are encrypted with a single symbol" and the emperor replaced vowels coming after consonants with marks, she said, an inspiration...
A Digital Red Cross
The International Committee of the Red Cross wants some digital equivalent to the iconic red cross, to alert would-be hackers that they are accessing a medical network. The emblem wouldn’t provide technical cybersecurity protection to hospitals, Red Cross infrastructure or other medical providers...
An Untrustworthy TLS Certificate in Browsers
The major browsers natively trust a whole bunch of certificate authorities, and some of them are really sketchy: Googles Chrome, Apples Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as whats known as a root certificate authority, a powerful spot in the internets...
The Conviction of Uber’s Chief Security Officer
I have been meaning to write about Joe Sullivan, Ubers former Chief Security Officer. He was convicted of crimes related to covering up a cyberattack against Uber. Its a complicated case, and Im not convinced that he deserved a guilty ruling or that its a good thing for the industry. I may still...
Friday Squid Blogging: Mayfly Squid
This is surprisingly funny. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Massive Data Breach at Uber
Its big: The breach appeared to have compromised many of Ubers internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times. "They pretty much have full access to Uber," said Sam...
Attacking the Performance of Machine Learning Systems
Interesting research: "Sponge Examples: Energy-Latency Attacks on Neural Networks": Abstract: The high energy costs of neural network training and inference led to the use of acceleration hardware such as GPUs and TPUs. While such devices enable us to train large-scale neural networks in...
Websites that Collect Your Data as You Type
A surprising number of websites include JavaScript keyloggers that collect everything you type as you type it, not just when you submit a form. Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a...
Corporate Involvement in International Cybersecurity Treaties
The Paris Call for Trust and Stability in Cyberspace is an initiative launched by French President Emmanuel Macron during the 2018 UNESCO’s Internet Governance Forum. It’s an attempt by the worlds governments to come together and create a set of international norms and standards for a reliable,...
White House Warns of Possible Russian Cyberattacks
News: The White House has issued its starkest warning that Russia may be planning cyberattacks against critical-sector U.S. companies amid the Ukraine invasion. … Context: The alert comes after Russia has lobbed a series of digital attacks at the Ukrainian government and critical industry sectors...
Finding Vulnerabilities in Open Source Projects
The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects: The "Alpha" side will emphasize vulnerability testing by hand in the most popular...
San Francisco Police Illegally Spying on Protesters
Last summer, the San Francisco police illegally used surveillance cameras at the George Floyd protests. The EFF is suing the police: This surveillance invaded the privacy of protesters, targeted people of color, and chills and deters participation and organizing for future protests. The SFPD also...
On the Log4j Vulnerability
Its serious: The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. Fr...
NSO Group’s Pegasus Spyware Used Against US State Department Officials
NSO Groups descent into Internet pariah status continues. Its Pegasus spyware was used against nine US State Department employees. We dont know which NSO Group customer trained the spyware on the US. But the company does: NSO Group said in a statement on Thursday that it did not have any indicati...
Google Shuts Down Glupteba Botnet, Sues Operators
Google took steps to shut down the Glupteba botnet, at least for now. The botnet uses the bitcoin blockchain as a backup command-and-control mechanism, making it hard to get rid of it permanently. So Google is also suing the botnets operators. Its an interesting strategy. Lets see if its successf...
Airline Passenger Mistakes Vintage Camera for a Bomb
I feel sorry for the accused: The "security incident" that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding -- after an airline passenger mistook another travelers camera for a bomb, sources said Sunday. American...
The European Parliament Voted to Ban Remote Biometric Surveillance
Its not actually banned in the EU yet -- the legislative process is much more complicated than that -- but its a step: a total ban on biometric mass surveillance. To respect "privacy and human dignity," MEPs said that EU lawmakers should pass a permanent ban on the automated recognition of...
Tracking People by their MAC Addresses
Yet another article on the privacy risks of static MAC addresses and always-on Bluetooth connections. This one is about wireless headphones. The good news is that product vendors are fixing this: Several of the headphones which could be tracked over time are for sale in electronics stores, but...
Friday Squid Blogging: Squid Communication
Interesting article on squid communication. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Excellent Write-up of the SolarWinds Security Breach
Robert Chesney wrote up the Solar Winds story as a case study, and its a really good summary...
Seny Kamara on "Crypto for the People"
Seny Kamara gave an excellent keynote talk this year at the online CRYPTO Conference. He talked about solving real-world crypto problems for marginalized communities around the world, instead of crypto problems for governments and corporations. Well worth watching and listening to...
US Postal Service Files Blockchain Voting Patent
The US Postal Service has filed a patent on a blockchain voting method: Abstract: A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot...
Friday Squid Blogging: New Squid Species off the New Zealand Coast
There's a new diversity of species. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
DARPA Wants Research into Resilient Anonymous Communications
DARPA is funding research into resilient anonymous communications systems...
Living in a Smart Home
In "The House that Spied on Me," Kashmir Hill outfits her home to be as "smart" as possible and writes about the results...
Poor Security at the UK National Health Service
The Guardian is reporting that "every NHS trust assessed for cyber security vulnerabilities has failed to meet the standard required." This is the same NHS that was debilitated by WannaCry. EDITED TO ADD 2/13: More news. And don't think that US hospitals are much better...
New Internet Explorer Bug
There's a newly discovered bug in Internet Explorer that allows any currently visited website to learn the contents of the address bar when the user hits enter. This feels important; the site I am at now has no business knowing where I go next...
NSA Links WannaCry to North Korea
There's evidence: Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes the range of computer Internet protocol addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other...
Cybersecurity Mission Creep in the US
Interesting paper: "Cybersecurity Mission Creep." Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust...
The Realities of AI Video Surveillance
The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia. I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. Th...
Interesting Paper Exploring Prompt Injection
This is a fascinating explotation of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and t...