2979 matches found
Friday Squid Blogging: The Effect of Noise on Squid
Two articles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Let's Encrypt Vulnerability
The BBC is reporting a vulnerability in the Let's Encrypt certificate service: In a notification email to its clients, the organisation said: "We recently discovered a bug in the Let's Encrypt certificate authority code. "Unfortunately, this means we need to revoke the certificates that were...
Inrupt, Tim Berners-Lee's Solid, and Me
For decades, I have been talking about the importance of individual privacy. For almost as long, I have been using the metaphor of digital feudalism to describe how large companies have become central control points for our data. And for maybe half a decade, I have been talking about the...
Friday Squid Blogging: Streamlined Quick Unfolding Investigation Drone
Yet another squid acronym. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
More on Law Enforcement Backdoor Demands
The Carnegie Endowment for International Peace and Princeton University's Center for Information Technology Policy convened an Encryption Working Group to attempt progress on the "going dark" debate. They have released their report: "Moving the Encryption Policy Conversation Forward. The main...
Bypassing Apple FaceID's Liveness Detection Feature
Apple's FaceID has a liveness detection feature, which prevents someone from unlocking a victim's phone by putting it in front of his face while he's sleeping. That feature has been hacked: Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a...
Science Fiction Writers Helping Imagine Future Threats
The French army is going to put together a team of science fiction writers to help imagine future threats. Leaving aside the question of whether science fiction writers are better or worse at envisioning nonfictional futures, this isn't new. The US Department of Homeland Security did the same thi...
El Chapo's Encryption Defeated by Turning His IT Consultant
Impressive police work: In a daring move that placed his life in danger, the I.T. consultant eventually gave the F.B.I. his system's secret encryption keys in 2011 after he had moved the network's servers from Canada to the Netherlands during what he told the cartel's leaders was a routine upgrad...
Back Issues of the NSA's Cryptolog
Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course. What's new is a nice user interface for the issues, noting highlights and levels of redaction...
Hidden Cameras in Streetlights
Both the US Drug Enforcement Administration DEA and Immigration and Customs Enforcement ICE are hiding surveillance cameras in streetlights. According to government procurement data, the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 20...
Conspiracy Theories around the "Presidential Alert"
Noted conspiracy theorist John McAfee tweeted: The "Presidential alerts": they are capable of accessing the E911 chip in your phones -- giving them full access to your location, microphone, camera and every function of your phone. This not a rant, this is from me, still one of the leading...
Security Risks of Government Hacking
Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include: Disincentive for vulnerability disclosure Cultivation of a market...
SpiderOak's Warrant Canary Died
BoingBoing has the story. I have never quite trusted the idea of a warrant canary. But here it seems to have worked. Presumably, if SpiderOak wanted to replace the warrant canary with a transparency report, they would have written something explaining their decision. To have it simply disappear i...
The Poor Cybersecurity of US Space Assets
Good policy paper summary here on the threats, current state, and potential policy solutions for the poor security of US space systems...
Apple's FaceID
This is a good interview with Apple's SVP of Software Engineering about FaceID. Honestly, I don't know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it can't be hacked with fake faces. I dislike the fact that the police can point the phone at...
Hacking Voice Assistant Systems with Inaudible Voice Commands
Turns out that all the major voice assistants -- Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa -- listen at audio frequencies the human ear can't hear. Hackers can hijack those systems with inaudible commands that their owners can't hear. News articles...
A Man-in-the-Middle Attack against a Password Reset System
This is nice work: "The Password Reset MitM Attack," by Nethanel Gelerntor, Senia Kalma, Bar Magnezi, and Hen Porcilan: Abstract: We present the password reset MitM PRMitM attack and show how it can be used to take over user accounts. The PRMitM attack exploits the similarity of the registration...
Browser Tracking Using Favicons
Interesting research on persistent web tracking using favicons. For those who dont know, favicons are those tiny icons that appear in browser tabs next to the page name. Abstract: The privacy threats of online tracking have garnered considerable attention in recent years from researchers and...
US Cyber Command Valentine’s Day Cryptography Puzzles
The US Cyber Command has released a series of ten Valentines Day "Cryptography Challenge Puzzles." Slashdot thread. Reddit thread. And heres the archived link, in case Cyber Command takes the page down...
Friday Squid Blogging: Jurassic Squid Attack
It's the oldest squid attack on record: An ancient squid-like creature with 10 arms covered in hooks had just crushed the skull of its prey in a vicious attack when disaster struck, killing both predator and prey, according to a Jurassic period fossil of the duo found on the southern coast of...
Eavesdropping on SMS Messages inside Telco Networks
Fireeye reports on a Chinese-sponsored espionage effort to eavesdrop on text messages: FireEye Mandiant recently discovered a new malware family used by APT41 a Chinese APT group that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent...
Tracking by Smart TVs
Long Twitter thread about the tracking embedded in modern digital televisions. The thread references three academic papers...
The Latest in Creepy Spyware
The Nest home alarm system shipped with a secret microphone, which -- according to the company -- was only an accidental secret: On Tuesday, a Google spokesperson told Business Insider the company had made an "error." "The on-device microphone was never intended to be a secret and should have bee...
I Am Not Associated with Swift Recovery Ltd.
It seems that someone from a company called Swift Recovery Ltd. is impersonating me -- at least on Telegram. The person is using a photo of me, and is using details of my life available on Wikipedia to convince people that they are me. They are not. If anyone has any more information -- stories,...
China's APT10
Wired has an excellent article on China's APT10 hacking group. Specifically, on how they hacked managed service providers in order to get to their customers' networks. I am reminded of the NSA's "I Hunt Sysadmins" presentation, published by the Intercept. EDITED TO ADD 1/5: Another article on the...
Sophisticated Voice Phishing Scams
Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone. I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always. EDITED TO...
New Findings About Prime Number Distribution Almost Certainly Irrelevant to Cryptography
Lots of people are e-mailing me about this new result on the distribution of prime numbers. While interesting, it has nothing to do with cryptography. Cryptographers aren't interested in how to find prime numbers, or even in the distribution of prime numbers. Public-key cryptography algorithms li...
California Passes New Privacy Law
The California legislature unanimously passed the strongest data privacy law in the nation. This is great news, but I have a lot of reservations. The Internet tech companies pressed to get this law passed out of self-defense. A ballot initiative was already going to be voted on in November, one...
Vulnerabilities in Car Washes
Articles about serious vulnerabilities in IoT devices and embedded systems are now dime-a-dozen. This one concerns Internet-connected car washes: A group of security researchers have found vulnerabilities in internet-connected drive-through car washes that would let hackers remotely hijack the...
Hiding Vulnerabilities in Source Code
Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. Its really clever, and not the sort of attack one would normally think about. From Ross Andersons blog: We have discovered ways of manipulating the encoding of sourc...
Second Click Here to Kill Everybody Sale
For a limited time, I am selling signed copies of Click Here to Kill Everybody in hardcover for just $6, plus shipping. I have 600 copies of the book available. When theyre gone, the sale is over and the price will revert to normal. Order here. Please be patient on delivery. Its a lot of work to...
Click Here to Kill Everybody Sale
For a limited time, I am selling signed copies of Click Here to Kill Everybody in hardcover for just $6, plus shipping. Note that I have had occasional problems with international shipping. The book just disappears somewhere in the process. At this price, international orders are at the buyers...
Friday Squid Blogging: The Pterosaur Ate Squid
New research: "Pterosaurs ate soft-bodied cephalopods Coleiodea." News article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: More Materials Science from Squid Skin
Article: "How a Squid's Color-Changing Skin Inspired a New Material That Can Trap or Release Heat." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
How Political Campaigns Use Personal Data
Really interesting report from Tactical Tech. Data-driven technologies are an inevitable feature of modern political campaigning. Some argue that they are a welcome addition to politics as normal and a necessary and modern approach to democratic processes; others say that they are corrosive and...
Personal Data Left on Used Laptops
A recent experiment found all sorts of personal data left on used laptops and smartphones. This should come as no surprise. Simson Garfinkel performed the same experiment in 2003, with similar results...
Enigma, Typex, and Bombe Simulators
GCHQ has put simulators for the Enigma, Typex, and Bombe on the Internet. News article...
The Evolution of Darknets
This is interesting: To prevent the problems of customer binding, and losing business when darknet markets go down, merchants have begun to leave the specialized and centralized platforms and instead ventured to use widely accessible technology to build their own communications and operational...
Friday Squid Blogging: Japanese Squid-Fishing Towns in Decline
It's a problem: But now, fluctuations in ocean temperatures, years of overfishing and lax regulatory oversight have drastically depleted populations of the translucent squid in waters around Japan. As usual, you can also use this squid post to talk about the security stories in the news that I...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at Data in Smarter Cities in New York City on October 23, 2018. I'm speaking at the Cyber Security Summit in Minneapolis, Minnesota on October 24, 2018. I'm speaking at ISF's 29th Annual World Congress in Las Vegas,...
Eavesdropping on Computer Screens through the Webcam Mic
Yet another way of eavesdropping on someone's computer activity: using the webcam microphone to "listen" to the computer's screen...
Friday Squid Blogging: Peru and Chile Address Squid Overfishing
Peru and Chile have a new plan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New iPhone Exploit Uses Four Zero-Days
Kaspersky researchers are detailing "an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky." Its a zero-click exploit that makes use of four iPhone zero-days. The most intriguing new detail is the...
Friday Squid Blogging: Diplomoceras Maximum
Diplomoceras maximum is an ancient squid-like creature. It lived about 68 million years ago, looked kind of like a giant paperclip, and may have had a lifespan of 200 years. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my...
Former FBI General Counsel Jim Baker Chooses Encryption Over Backdoors
In an extraordinary essay, the former FBI general counsel Jim Baker makes the case for strong encryption over government-mandated backdoors: In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities -- including law enforcement -...
Revisiting Software Vulnerabilities in the Boeing 787
I previously blogged about a Black Hat talk that disclosed security vulnerabilities in the Boeing 787 software. Ben Rothke concludes that the vulnerabilities are real, but not practical...
Evaluating the NSA's Telephony Metadata Program
Interesting analysis: "Examining the Anomalies, Explaining the Value: Should the USA FREEDOM Act's Metadata Program be Extended?" by Susan Landau and Asaf Lubin. Abstract: The telephony metadata program which was authorized under Section 215 of the PATRIOT Act, remains one of the most controversi...
Another Intel Chip Flaw
Remember the Spectre and Meltdown attacks from last year? They were a new class of attacks against complex CPUs, finding subliminal channels in optimization techniques that allow hackers to steal information. Since their discovery, researchers have found additional similar vulnerabilities. A whol...
Malicious MS Office Macro Creator
Evil Clippy is a tool for creating malicious Microsoft Office macros: At BlackHat Asia we released Evil Clippy, a tool which assists red teamers and security testers in creating malicious MS Office documents. Amongst others, Evil Clippy can hide VBA macros, stomp VBA code via p-code and confuse...
Triton
Good article on the Triton malware which targets industrial control systems...