2988 matches found
ICT Supply-Chain Security
The Carnegie Endowment for Peace published a comprehensive report on ICT information and communication technologies supply-chain security and integrity. It's a good read, but nothing that those who are following this issue don't already know...
Friday Squid Blogging: New Squid Species off the New Zealand Coast
There's a new diversity of species. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Lessons Learned from the Estonian National ID Security Flaw
Estonia recently suffered a major flaw in the security of their national ID card. This article discusses the fix and the lessons learned from the incident: In the future, the infrastructure dependency on one digital identity platform must be decreased, the use of several alternatives must be...
Friday Squid Blogging: Baby Sea Otters Prefer Shrimp to Squid
At least, this one does. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
NSA Links WannaCry to North Korea
There's evidence: Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes the range of computer Internet protocol addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other...
AI Data Centers and the Concentration of Wealth
This essay was written with Nathan E. Sanders, and originally appeared inThe Guardian. Opposition to AI data centers has emerged as a primary theme in US politics, one that--surprisingly--doesn't fall along party lines. We applaud people coming together for constructive debate on any issue, and...
Google Is Suing Chinese Scammers Who Are Using Gemini
Not sure this will have any effect, but I support the effort: According to Google's legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their...
Interesting Paper Exploring Prompt Injection
This is a fascinating explotation of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and t...
Friday Squid Blogging: Regulating Squid Fishing in the South Pacific
The South Pacific Regional Fisheries Management Organization SPRFMO needs to regulate squid fishing in the South Pacific. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
A Ransomware Negotiator Was Working for a Ransomware Gang
Someone pleaded guilty to secretly working for a ransomware gang as he negotiated ransomware payments for clients...
AI Chatbots and Trust
All the leading AI chatbots are sycophantic, and that's a problem: Participants rated sycophantic AI responses as more trustworthy than balanced ones. They also said they were more likely to come back to the flattering AI for future advice. And critically they couldn't tell the difference betwe...
Sen. Sanders Talks to Claude About AI and Privacy
Claude is actually pretty good on the issues...
On Microsoft’s Lousy Cloud Security
ProPublica has a scoop: In late 2024, the federal government's cybersecurity evaluators rendered a troubling verdict on one of Microsoft's biggest cloud computing offerings. The tech giant's "lack of proper detailed security documentation" left reviewers with a "lack of confidence in assessing th...
As the US Midterms Approach, AI Is Going to Emerge as a Key Issue Concerning Voters
In December, the Trump administration signed an executive order that neutered states' ability to regulate AI by ordering his administration to both sue and withhold funds from states that try to do so. This action pointedly supported industry lobbyists keen to avoid any constraints and consequenc...
Israel Hacked Traffic Cameras in Iran
Multiple news outlets are reporting on Israel's hacking of Iranian traffic cameras and how they assisted with the killing of that country's leadership. The New York Times has an article on the intelligence operation more generally...
LLM-Assisted Deanonymization
Turns out that LLMs are good at de-anonymization: We show that LLM agents can figure out who you are from your anonymous online posts. Across Hacker News, Reddit, LinkedIn, and anonymized interview transcripts, our method identifies users with high precision and scales to tens of thousands of...
Why Tehran’s Two-Tiered Internet Is So Dangerous
Iran is slowly emerging from the most severe communications blackout in its history and one of the longest in the world. Triggered as part of January's government crackdown against citizen protests nationwide, the regime implemented an internet shutdown that transcends the standard definition of...
Side-Channel Attacks Against LLMs
Here are three papers describing different side-channel attacks against LLMs. "Remote Timing Attacks on Efficient Language Model Inference": Abstract: Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive...
Friday Squid Blogging: Squid Inks Philippines Fisherman
Good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
Time-of-Check Time-of-Use Attacks Against LLMs
This is a nice piece of research: "Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents".: Abstract: Large Language Model LLM-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security...
White House Bans WhatsApp
Reuters is reporting that the White House has banned WhatsApp on all employee devices: The notice said the "Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risk...
Friday Squid Blogging: Squid Run in Southern New England
Southern New England is having the best squid run in years. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...
More AIs Are Taking Polls and Surveys
I already knew about the declining response rate for polls and surveys. The percentage of AI bots that respond to surveys is also increasing. Solutions are hard: 1. Make surveys less boring. We need to move past bland, grid-filled surveys and start designing experiences people actually want to...
Cryptocurrency Thefts Get Physical
Long story of a $250 million cryptocurrency theft that, in a complicated chain events, resulted in a pretty brutal kidnapping...
Android Improves Its Security
Android phones will soon reboot themselves after sitting idle for three days. iPhones have had this feature for a while; it's nice to see Google add it to their phones...
Troy Hunt Gets Phished
In case you need proof that anyone , even someone who does cybersecurity for a living, can fall for a phishing attack, Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. EDITED TO ADD 4/14: Commentary from Adam Shostack and Cory Doctorow...
AI Data Poisoning
Cloudflare has a new feature--available to free users as well--that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare's new system lures them into a "maze" of realistic-looking but irrelevant pages, wasting the crawler's computing resources...
North Korean Hackers Steal $1.5B in Cryptocurrency
It looks like a very sophisticated attack against the Dubai-based exchange Bybit: Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a "Multisig Cold Wallet" when,...
Delivering Malware Through Abandoned Amazon S3 Buckets
Here's a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don't realize that they have been abandoned, and still...
Friday Squid Blogging: The Colossal Squid
Long article on the colossal squid. Blog moderation policy...
Friday Squid Blogging: Opioid Alternatives from Squid Research
Is there nothing that squid research can't solve? "If you're working with an organism like squid that can edit genetic information way better than any other organism, then it makes sense that that might be useful for a therapeutic application like deadening pain," he said. … Researchers hope to...
Friday Squid Blogging: Anniversary Post
I made my first squid post nineteen years ago this week. Between then and now, I posted something about squid every week with maybe only a few exceptions. There is a lot out there about squid, even more if you count the other meanings of the word. Blog moderation policy...
ShredOS
ShredOS is a stripped-down operating system designed to destroy data. GitHub page here...
Criminal Complaint against LockBit Ransomware Writer
The Justice Department has published the criminal complaint against Dmitry Khoroshev, for building and maintaining the LockBit ransomware...
Upcoming Speaking Events
This is a current list of where and when I am scheduled to speak: I'm speaking at a joint meeting of the Boston Chapter of the IEEE Computer Society and GBC/ACM, in Boston, Massachusetts, USA, at 7:00 PM ET on Thursday, January 9, 2025. The event will take place at the Massachusetts Institute of...
Friday Squid Blogging: Biology and Ecology of the Colossal Squid
Good survey paper. Blog moderation policy...
Detecting Pegasus Infections
This tool seems to do a pretty good job. The company's Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify...
Details about the iOS Inactivity Reboot Feature
I recently wrote about the new iOS feature that forces an iPhone to reboot after it's been inactive for a longish period of time. Here are the technical details, discovered through reverse engineering. The feature triggers after seventy-two hours of inactivity, even it is remains connected to Wi-...
Friday Squid Blogging: Transcriptome Analysis of the Indian Squid
Lots of details that are beyond me. Blog moderation policy...
Why Italy Sells So Much Spyware
Interesting analysis: Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of...
Friday Squid Blogging: Female Gonatus Onyx Squid Carrying Her Eggs
Fantastic video of a female Gonatus onyx squid swimming while carrying her egg sack. An earlier related post. Blog moderation policy...
Prompt Injection Defenses Against LLM Cyberattacks
Interesting research: "Hacking Back the AI-Hacker: Prompt Injection as a Defense Against LLM-driven Cyberattacks": Large language models LLMs are increasingly being harnessed to automate cyberattacks, making sophisticated exploits more accessible and scalable. In response, we propose a new defens...
Friday Squid Blogging: Squid Sculpture in Massachusetts Building
Great blow-up sculpture. Blog moderation policy. The post Friday Squid Blogging: Squid Sculpture in Massachusetts Building appeared first on Schneier on Security...
Simson Garfinkel on Spooky Cryptographic Action at a Distance
Excellent read. One example: Consider the case of basic public key cryptography, in which a person’s public and private key are created together in a single operation. These two keys are entangled, not with quantum physics, but with math. When I create a virtual machine server in the Amazon cloud...
Law Enforcement Deanonymizes Tor Users
The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay. Tor has written about this. Hacker News thread...
AI and the SEC Whistleblower Program
Tax farming is the practice of licensing tax collection to private contractors. Used heavily in ancient Rome, it’s largely fallen out of practice because of the obvious conflict of interest between the state and the contractor. Because tax farmers are primarily interested in short-term revenue,...
Friday Squid Blogging: Squid Scarf
Cute squid scarf. Blog moderation policy...
Auto-Identification Smart Glasses
Two students have created a demo of a smart-glasses app that performs automatic facial recognition and then information lookups. Kind of obvious--something similar was done in 2011--but the sort of creepy demo that gets attention. News article...
Largest Recorded DDoS Attack is 3.8 Tbps
Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. Lots of good information on the attack, and DDoS in general, at the link. News article...
Weird Zimbra Vulnerability
Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It's critical, but difficult to exploit reliably. In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren't likely to lead to...