2981 matches found
NCSC Guidance on “Advanced Cryptography”
The UK's National Cyber Security Centre just released its white paper on "Advanced Cryptography," which it defines as "cryptographic techniques for processing encrypted data, providing enhanced functionality over and above that provided by traditional cryptography." It includes things like...
China Sort of Admits to Being Behind Volt Typhoon
The Wall Street Journal has the story: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers ar...
Friday Squid Blogging: Squid Loyalty Cards
Squid is a loyalty card platform in Ireland. Blog moderation policy...
Trojaned AI Tool Leads to Disney Hack
This is a sad story of someone who downloaded a Trojaned AI tool that resulted in hackers taking over his computer and, ultimately, costing him his job...
Device Code Phishing
This isn't new, but it's increasingly popular: The technique is known as device code phishing. It exploits "device code flow," a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. My talk is at 4:00 PM ET on the 15th. I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. The list is maintaine...
Journalists and Civil Society Members Using WhatsApp Targeted by Paragon Spyware
This is yet another story of commercial spyware being used against journalists and civil society members. The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had "high confidence" that the 90 users in...
AI Will Write Complex Laws
Artificial intelligence AI is writing law today. This has required no changes in legislative procedure or the rules of legislative bodies--all it takes is one legislator, or legislative assistant, to use generative AI in the process of drafting a bill. In fact, the use of AI by legislators is onl...
Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme
Not sure this will matter in the end, but it's a positive move: Microsoft is accusing three individuals of running a "hacking-as-a-service" scheme that was designed to allow the creation of harmful and illicit content using the company's platform for AI-generated content. The foreign-based...
US Treasury Department Sanctions Chinese Company Over Cyberattacks
From the Washington Post: The sanctions target Beijing Integrity Technology Group, which U.S. officials say employed workers responsible for the Flax Typhoon attacks which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the...
Google Is Allowing Device Fingerprinting
Lukasz Olejnik writes about device fingerprinting, and why Google's policy change to allow it in 2025 is a major privacy setback. EDITED TO ADD 1/12: Shashdot thread...
Gift Card Fraud
It's becoming an organized crime tactic: Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the...
Salt Typhoon’s Reach Continues to Grow
The US government has identified a ninth telecom that was successfully hacked by Salt Typhoon...
New Advances in the Understanding of Prime Numbers
Really interesting research into the structure of prime numbers. Not immediately related to the cryptanalysis of prime-number-based public-key algorithms, but every little bit matters...
Short-Lived Certificates Coming to Let’s Encrypt
Starting next year: Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before--short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the...
Why Italy Sells So Much Spyware
Interesting analysis: Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of...
Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days
Zero-day vulnerabilities are more commonly used, according to the Five Eyes: Key Findings In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023,...
New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones
Everybody is reporting about a new security iPhone security feature with iOS 18: if the phone hasn't been used for a few days, it automatically goes into its "Before First Unlock" state and has to be rebooted. This is a really good security feature. But various police departments don't like it,...
Sophos Versus the Chinese Hackers
Really interesting story of Sophos's five-year war against Chinese hackers...
Tracking World Leaders Using Strava
Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personal were using them to track their runs, and you could look at the public data and find places where there should be no people running. Six...
Are Automatic License Plate Scanners Constitutional?
An advocacy groups is filing a Fourth Amendment challenge against automatic license plate readers. "The City of Norfolk, Virginia, has installed a network of cameras that make it functionally impossible for people to drive anywhere without having their movements tracked, photographed, and stored ...
Justice Department Indicts Tech CEO for Falsifying Security Certifications
The Wall Street Journal is reporting that the CEO of a still unnamed company has been indicted for creating a fake auditing company to falsify security certifications in order to win government business...
Friday Squid Blogging: Map of All Colossal Squid Sightings
Interesting map, from this paper. Blog moderation policy...
Squid Fishing in Japan
Fishermen are catching more squid as other fish are depleted. Blog moderation policy...
Python Developers Targeted with Malware During Fake Job Interviews
Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign agains...
Legacy Ivanti Cloud Service Appliance Being Exploited
CISA wants everyone--and government agencies in particular--to remove or upgrade an Ivanti Cloud Service Appliance CSA that is no longer being supported. Welcome to the security nightmare that is the Internet of Things...
Problems with Georgia’s Voter Registration Portal
Its possible to cancel other peoples voter registrations: On Friday, four days after Georgia Democrats began warning that bad actors could abuse the states new online portal for canceling voter registrations, the Secretary of States Office acknowledged to ProPublica that it had identified multipl...
New Patent Application for Car-to-Car Surveillance
Ford has a new patent application for a system where cars monitor each others speeds, and then report then to some central authority. Slashdot thread...
Providing Security Updates to Automobile Software
Auto manufacturers are just starting to realize the problems of supporting the software in older models: Today’s phones are able to receive updates six to eight years after their purchase date. Samsung and Google provide Android OS updates and security updates for seven years. Apple halts servici...
Friday Squid Blogging: New Squid Species
A new squid species--of the Gonatidae family--was discovered. The video shows her holding a brood of very large eggs. Research paper...
Friday Squid Blogging: Strawberry Squid in the Galápagos
Scientists have found Strawberry Squid, "whose mismatched eyes help them simultaneously search for prey above and below them," among the coral reefs in the Galápagos Islands. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my...
Breaking Laptop Fingerprint Sensors
Theyre not that good: Security researchers Jesse DAguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN...
French Police Will Be Able to Spy on People through Their Cell Phones
The French police are getting new surveillance powers: French police should be able to spy on suspects by remotely activating the camera, microphone and GPS of their phones and other devices, lawmakers agreed late on Wednesday, July 5. … Covering laptops, cars and other connected objects as well ...
UK Threatens End-to-End Encryption
In an open letter, seven secure messaging apps--including Signal and WhatsApp--point out that the UKs Online Safety Bill could destroy end-to-end encryption: As currently drafted, the Bill could break end-to-end encryption,opening the door to routine, general and indiscriminate surveillance of...
Defeating Phishing-Resistant Multifactor Authentication
CISA is now pushing phishing-resistant multifactor authentication. Roger Grimes has an excellent post reminding everyone that "phishing-resistant" is not "phishing proof," and that everyone needs to stop pretending otherwise. His list of different attacks is particularly useful...
Complex Impersonation Story
This is a story of one piece of what is probably a complex employment scam. Basically, real programmers are having their resumes copied and co-opted by scammers, who apply for jobs or, I suppose, get recruited from various job sites, then hire other people with Western looks and language skills a...
Friday Squid Blogging: Multiplexing SQUIDs for X-ray Telescopes
NASA is researching new techniques for multiplexing SQUIDs--thats superconducting quantum interference devices--for X-ray observatories. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
SMS Phishing Attacks are on the Rise
SMS phishing attacks -- annoyingly called "smishing" -- are becoming more common. I know that I have been receiving a lot of phishing SMS messages over the past few months. I am not getting the "Fedex package delivered" messages the article talks about. Mine are usually of the form: "Thank you fo...
John Oliver on Data Brokers
John Oliver has an excellent segment on data brokers and surveillance capitalism...
Iranian Cyberespionage Tools Leaked Online
The source code of a set of Iranian cyberespionage tools was leaked online...
Jumping Airgaps with a Laser and a Scanner
Researchers have configured two computers to talk to each other using a laser and a scanner. Scanners work by detecting reflected light on their glass pane. The light creates a charge that the scanner translates into binary, which gets converted into an image. But scanners are sensitive to any...
Hong Kong Police Can Force You to Reveal Your Encryption Keys
According to a new law, the Hong Kong police can demand that you reveal the encryption keys protecting your computer, phone, hard drives, etc.--even if you are just transiting the airport. In a security alert dated March 26, the U.S. Consulate General said that, on March 23, 2026, Hong Kong...
Company that Secretly Records and Publishes Zoom Meetings
WebinarTV searches the internet for public Zoom invites, joins the meetings, secretly records them, and publishes alternate link the recordings. It doesn't use the Zoom record feature, so Zoom can't do anything about it...
Possible US Government iPhone Hacking Tool Leaked
Wired writes alternate source: Security researchers at Google on Tuesday released a report describing what they're calling "Coruna," a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install...
Inventors of Quantum Cryptography Win Turing Award
Charles Bennett and Gilles Brassard have won the 2026 Turing Award for inventing quantum cryptography. I am incredibly pleased to see them get this recognition. I have always thought the technology to be fantastic, even though I think it's largely unnecessary. I wrote up my thoughts back in 2008,...
Apple’s Camera Indicator Lights
A thoughtful review of Apple's system to alert users that the camera is on. It's really well-designed, and important in a world where malware could surreptitiously start recording. The reason it's tempting to think that a dedicated camera indicator light is more secure than an on-display indicato...
Sen. Wyden Warns of Another Section 702 Abuse
Sen. Ron Wyden is warning us of an abuse of Section 702: Wyden took to the Senate floor to deliver a lengthy speech, ostensibly about the since approved with support of many Democrats nomination of Joshua Rudd to lead the NSA. Wyden was protesting that nomination, but in the context of Rudd being...
Team Mirai and Democracy
Japan’s election last month and the rise of the country’s newest and most innovative political party, Team Mirai, illustrates the viability of a different way to do politics. In this model, technology is used to make democratic processes stronger, instead of undermining them. It is harnessed to...
Friday Squid Blogging: Jumbo Flying Squid in the South Pacific
The population needs better conservation. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...
New Attack Against Wi-Fi
It's called AirSnitch: Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs Service Set Identifiers. This cross-layer identity...