2979 matches found
iPhone FaceTime Vulnerability
This is kind of a crazy iPhone vulnerability: it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call. This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it's fixed. But it's hard to...
xkcd on Voting Computers
Funny and true...
Three of My Books Are Available in DRM-Free E-Book Format
Humble Bundle sells groups of e-books at ridiculously low prices, DRM free. This month, the bundles are all Wiley titles, including three of my books: Applied Cryptography, Secrets and Lies, and Cryptography Engineering. $15 gets you everything, and they're all DRM-free. Even better, a portion of...
New Techniques in Fake Reviews
Research paper: "Automated Crowdturfing Attacks and Defenses in Online Review Systems." Abstract: Malicious crowdsourcing forums are gaining traction as sources of spreading misinformation online, but are limited by the costs of hiring and managing human workers. In this paper, we identify a new...
Measuring Vulnerability Rediscovery
New paper: "Taking Stock: Estimating Vulnerability Rediscovery," by Trey Herr, Bruce Schneier, and Christopher Morris: Abstract: How often do multiple, independent, parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue o...
Friday Squid Blogging: Why It's Hard to Track the Squid Population
Counting squid is not easy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Professional Athletes and Wearables
I haven't thought about the privacy issues surrounding professional athletes and wearables. Wearables present serious privacy issues for "Average Joe" consumers, who are entrusting tech companies to safely store and protect their biometric data. Imagine the stakes for a professional athlete, whos...
Amazon Has Trucks Filled with Hard Drives and an Armed Guard
From an interview with an Amazon Web Services security engineer: So when you use AWS, part of what youre paying for is security. Right; its part of what we sell. Lets say a prospective customer comes to AWS. They say, "I like pay-as-you-go pricing. Tell me more about that." We say, "Okay, heres h...
Friday Squid Blogging: Stuffed Squid with Vegetables and Pancetta
A Croatian recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
AI Emotion-Detection Arms Race
Voice systems are increasingly using AI techniques to determine emotion. A new paper describes an AI-based countermeasure to mask emotion in spoken words. Their method for masking emotion involves collecting speech, analyzing it, and extracting emotional features from the raw signal. Next, an AI...
John Paul Stevens Was a Cryptographer
I didn't know that Supreme Court Justice John Paul Stevens "was also a cryptographer for the Navy during World War II." He was a proponent of individual privacy...
Digital Signatures in PDFs Are Broken
Researchers have demonstrated spoofing of digital signatures in PDF files. This would matter more if PDF digital signatures were widely used. Still, the researchers have worked with the various companies that make PDF readers to close the vulnerabilities. You should update your software. Details...
Attacking Soldiers on Social Media
A research group at NATO's Strategic Communications Center of Excellence catfished soldiers involved in an European military exercise -- we don't know what country they were from -- to demonstrate the power of the attack technique. Over four weeks, the researchers developed fake pages and closed...
West Virginia Using Internet Voting
This is crazy and dangerous. West Virginia is allowing people to vote via a smart-phone app. Even crazier, the app uses blockchain -- presumably because they have no idea what the security issues with voting actually are...
1834: The First Cyberattack
Tom Standage has a great story of the first cyberattack against a telegraph network. The Blanc brothers traded government bonds at the exchange in the city of Bordeaux, where information about market movements took several days to arrive from Paris by mail coach. Accordingly, traders who could ge...
Friday Squid Blogging: Japanese "Dude Food" Includes Squid
This seems to be a trend. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: "How the Squid Lost Its Shell"
Interesting essay by Danna Staaf, the author of Squid Empire. I mentioned the book two weeks ago. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Military Robots as a Nature Analog
This very interesting essay looks at the future of military robotics and finds many analogs in nature: Imagine a low-cost drone with the range of a Canada goose, a bird that can cover 1,500 miles in a single day at an average speed of 60 miles per hour. Planet Earth profiled a single flock of sno...
Symantec Reports on Cicada APT Attacks against Japan
Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere. Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well...
Security in 2020: Revisited
Ten years ago, I wrote an essay: "Security in 2020." Well, it's finally 2020. I think I did pretty well. Here's what I said back then: There's really no such thing as security in the abstract. Security can only be defined in relation to something else. You're secure from something or against...
Wi-Fi Hotspot Tracking
Free Wi-Fi hotspots can track your location, even if you don't connect to them. This is because your phone or computer broadcasts a unique MAC address. What distinguishes location-based marketing hotspot providers like Zenreach and Euclid is that the personal information you enter in the captive...
Edward Snowden's Memoirs
Ed Snowden has published a book of his memoirs: Permanent Record. I have not read it yet, but I want to point you all towards two pieces of writing about the book. The first is an excellent review of the book and Snowden in general by SF writer and essayist Jonathan Lethem, who helped make a shor...
NSA on the Future of National Cybersecurity
Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US. There are four key implications of this revolution that policymakers in the national security sector will need to address: The firs...
Another Attack Against Driverless Cars
In this piece of research, attackers successfully attack a driverless car system -- Renault Captur's "Level 0" autopilot Level 0 systems advise human drivers but do not directly operate cars -- by following them with drones that project images of fake road signs in 100ms bursts. The time is too...
Cell Networks Hacked by (Probable) Nation-State Attackers
A sophisticated attacker has successfuly infiltrated cell providers to collect information on specific users: The hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records -- including times and...
Vulnerabilities in the WPA3 Wi-Fi Security Protocol
Researchers have found several vulnerabilities in the WPA3 Wi-Fi security protocol: The design flaws we discovered can be divided in two categories. The first category consists of downgrade attacks against WPA3-capable devices, and the second category consists of weaknesses in the Dragonfly...
NSA-Inspired Vulnerability Found in Huawei Laptops
This is an interesting story of a serious vulnerability in a Huawei driver that Microsoft found. The vulnerability is similar in style to the NSA's DOUBLEPULSAR that was leaked by the Shadow Brokers -- believed to be the Russian government -- and it's obvious that this attack copied that techniqu...
Cybersecurity Insurance Not Paying for NotPetya Losses
This will complicate things: To complicate matters, having cyber insurance might not cover everyone's losses. Zurich American Insurance Company refused to pay out a $100 million claim from Mondelez, saying that since the U.S. and other governments labeled the NotPetya attack as an action by the...
Cybersecurity for the Public Interest
The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly...
USB Cable with Embedded Wi-Fi Controller
It's only a prototype, but this USB cable has an embedded Wi-Fi controller. Whoever controls that Wi-Fi connection can remotely execute commands on the attached computer...
Fraudulent Tactics on Amazon Marketplace
Fascinating article about the many ways Amazon Marketplace sellers sabotage each other and defraud customers. The opening example: framing a seller for false advertising by buying fake five-star reviews for their products. Defacement: Sellers armed with the accounts of Amazon distributors sometim...
On Disguise
The former CIA Chief of Disguise has a fascinating video about her work...
The Effects of GDPR's 72-Hour Notification Rule
The EU's GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem: Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1...
Friday Squid Blogging: Dissecting a Giant Squid
Lessons learned. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Identifying Programmers by their Coding Style
Fascinating research de-anonymizing code -- from either source code or compiled code: Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, have found...
Router Vulnerability and the VPNFilter Botnet
On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it's a harbinger of the sorts of pervasive threats from nation-states, criminals and hackers that we should expect in coming year...
Fooling Face Recognition with Infrared Light
Yet another development in the arms race between facial recognition systems and facial-recognition-system foolers. BoingBoing post...
Security Vulnerabilities in Smart Contracts
Interesting research: "Finding The Greedy, Prodigal, and Suicidal Contracts at Scale": Abstract: Smart contracts -- stateful executable objects hosted on blockchains like Ethereum -- carry billions of dollars worth of coins and cannot be updated once deployed. We present a new systematic...
Friday Squid Blogging: Squid Season May Start Earlier Next Year
Squid fisherman in Argentina have asked regulators to start the squid season earlier in 2018. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Friday Squid Blogging: Steel Mesh Giant Squid Used as Artificial Reef
Researchers in the British Virgin Islands have sunk a giant squid made out of steel mesh to serve as an artificial reef. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Boston Red Sox Caught Using Technology to Steal Signs
The Boston Red Sox admitted to eavesdropping on the communications channel between catcher and pitcher. Stealing signs is believed to be particularly effective when there is a runner on second base who can both watch what hand signals the catcher is using to communicate with the pitcher and can...
Alternatives to Government-Mandated Encryption Backdoors
Policy essay: "Encryption Substitutes," by Andrew Keane Woods: In this short essay, I make a few simple assumptions that bear mentioning at the outset. First, I assume that governments have good and legitimate reasons for getting access to personal data. These include things like controlling crim...
Friday Squid Blogging: The Evolution of Squid
Good video about the evolutionary history of squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Stealing Xbox Codes
Detailed story of Volodymyr Kvashuk, a Microsoft insider who noticed a bug in the companys internal systems that allowed him to create unlimited Xbox gift cards, and stole $10.1 million before he was caught...
Friday Squid Blogging: Editing the Squid Genome
Scientists have edited the genome of the Doryteuthis pealeii squid with CRISPR. A first. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Security of Health Information
The world is racing to contain the new COVID-19 virus that is spreading around the globe with alarming speed. Right now, pandemic disease experts at the World Health Organization WHO, the US Centers for Disease Control and Prevention CDC, and other public-health agencies are gathering information...
Deep Learning to Find Malicious Email Attachments
Google presented its system of using deep-learning techniques to identify malicious email attachments: At the RSA security conference in San Francisco on Tuesday, Google's security and anti-abuse research lead Elie Bursztein will present findings on how the new deep-learning scanner for documents...
Friday Squid Blogging: An MRI Scan of a Squid's Brain
This paper30562-0 is filled with brain science that I do not understand news article, but fails to answer what I consider to be the important question: how do you keep a live squid still for long enough to do an MRI scan on them? As usual, you can also use this squid post to talk about the securi...
The Threat of Fake Academic Research
Interesting analysis of the possibility, feasibility, and efficacy of deliberately fake scientific research, something I had previously speculated about...
Software Vulnerabilities in the Boeing 787
Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities: At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the...