2979 matches found
New DNS Hijacking Attacks
DNS hijacking isn't new, but this seems to be an attack of unprecedented scale: Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the...
Cataloging IoT Vulnerabilities
Recent articles about IoT vulnerabilities describe hacking of construction cranes, supermarket freezers, and electric scooters...
Friday Squid Blogging: Good Squid Fishing in the Exmouth Gulf
The conditions are ideal for squid fishing in the Exmouth Gulf in West Australia. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
I'm Doing a Reddit AMA
On Thursday, September 6, starting at 10:00 am CDT, I'll be doing a Reddit "Ask Me Anything" in association with the Ford Foundation. It's about my new book, but -- of course -- you can ask me anything. No promises that I will answer everything...
Conservation of Threat
Here's some interesting research about how we perceive threats. Basically, as the environment becomes safer we basically manufacture new threats. From an essay about the research: To study how concepts change when they become less common, we brought volunteers into our laboratory and gave them a...
White House Chief of Staff John Kelly's Cell Phone was Tapped
Politico reports that White House Chief of Staff John Kelly's cell phone was compromised back in December. I know this is news because of who he is, but I hope every major government official of any country assumes that their commercial off-the-shelf cell phone is compromised. Even allies spy on...
iOS 11 Allows Users to Disable Touch ID
A new feature in Apple's new iPhone operating system -- iOS 11 -- will allow users to quickly disable Touch ID. A new setting, designed to automate emergency services calls, lets iPhone users tap the power button quickly five times to call 911. This doesn't automatically dial the emergency servic...
Tomato-Plant Security
I have a soft spot for interesting biological security measures, especially by plants. I've used them as examples in several of my books. Here's a new one: when tomato plants are attacked by caterpillars, they release a chemical that turns the caterpillars on each other: It's common for...
An Assassin's Teapot
This teapot has two chambers. Liquid is released from one or the other depending on whether an air hole is covered. I want one...
On Robots Killing People
The robot revolution began long ago, and so did the killing. One day in 1979, a robot at a Ford Motor Company casting plant malfunctioned--human workers determined that it was not going fast enough. And so twenty-five-year-old Robert Williams was asked to climb into a storage rack to help move...
Friday Squid Blogging: Squid Dog Toy
Its sold out, but the pictures are cute. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Commercial Location Data Used to Out Priest
A Catholic priest was outed through commercially available surveillance data. Vice has a good analysis: The news starkly demonstrates not only the inherent power of location data, but how the chance to wield that power has trickled down from corporations and intelligence agencies to essentially a...
Friday Squid Blogging: Colossal Squid Photographed off the Coast of Antarctica
Wow. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Friday Squid Blogging: Amazing Video of a Black-Eyed Squid Trying to Eat an Owlfish
From the Monterey Bay Aquarium. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Another SolarWinds Orion Hack
At the same time the Russians were using a backdoored SolarWinds update to attack networks worldwide, another threat actor -- believed to be Chinese in origin -- was using an already existing vulnerability in Orion to penetrate networks: Two people briefed on the case said FBI investigators...
Latest on the SVR’s SolarWinds Hack
The New York Times has an in-depth article on the latest information about the SolarWinds hack not a great name, since its much more far-reaching than that. Interviews with key players investigating what intelligence agencies believe to be an operation by Russia’s S.V.R. intelligence service...
Kubernetes Security
Attack matrix for Kubernetes, using the MITRE ATT framework. A good first step towards understand the security of this suddenly popular and very complex container orchestration system...
Superhero Movies and Security Lessons
A paper I co-wrote was just published in Security Journal: "Superheroes on screen: real life lessons for security debates": Abstract: Superhero films and episodic shows have existed since the early days of those media, but since 9/11, they have become one of the most popular and most lucrative...
Friday Squid Blogging: Fried Squid Recipe
This is an easy fried squid recipe with saffron and agrodolce. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Malware Installed in Asus Computers through Hacked Update Process
Kaspersky Labs is reporting on a new supply chain attack they call "Shadowhammer." In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large...
CAs Reissue Over One Million Weak Certificates
Turns out that the software a bunch of CAs used to generate public-key certificates was flawed: they created random serial numbers with only 63 bits instead of the required 64. That may not seem like a big deal to the layman, but that one bit change means that the serial numbers only have half th...
Congressional Report on the 2017 Equifax Data Breach
The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It's a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned. Lance Spitzner also commented on this. Here is my...
More Spectre/Meltdown-Like Attacks
Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn't be surprising that microprocessor designers have been building...
How DNA Databases Violate Everyone's Privacy
If you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. Research paper: "Identity inference of genomic data using...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm giving a book talk on Click Here to Kill Everybody at the Ford Foundation in New York City, on September 5, 2018. The Aspen Institute's Cybersecurity & Technology Program is holding a book launch for Click Here to Kill Everybod...
Maliciously Changing Someone's Address
Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later. The problem, of course, is that in the US there isn't any authentication of change-of-address submissions: According to the Postal Service, nearly 37 million...
Friday Squid Blogging: Te Papa Colossal Squid Exhibition Is Being Renovated
The New Zealand home of the colossal squid exhibit is behind renovated. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Yet Another Russian Hack of the NSA -- This Time with Kaspersky's Help
The Wall Street Journal has a bombshell of a story. Yet another NSA contractor took classified documents home with him. Yet another Russian intelligence operation stole copies of those documents. The twist this time is that the Russians identified the documents because the contractor had Kaspersk...
Friday Squid Blogging: Underwater Cameras for Observing Squid
Interesting research paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Chinese Supply-Chain Attack on Computer Systems
Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Levono, and others. Its been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret: Chinas exploitation of products made by...
Finding the Location of Telegram Users
Security researcher Ahmed Hassan has shown that spoofing the Androids "People Nearby" feature allows him to pinpoint the physical location of Telegram users: Using readily available software and a rooted Android device, hes able to spoof the location his device reports to Telegram servers. By usi...
Friday Squid Blogging: Squid Eggs
Cool photo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here. EDITED TO ADD 3/4: I just deleted a slew of comments about COVID 19. I may reinstate some of them later; right now I want some time t...
Attacking Driverless Cars with Projected Images
Interesting research -- "Phantom Attacks Against Advanced Driving Assistance Systems": Abstract: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems ADASs and autopilots of semi/fully autonomous cars to validate their virtual perception...
Chinese Hackers Bypassing Two-Factor Authentication
Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system. How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese...
NordVPN Breached
There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN's network or for a variety...
AT&T Employees Took Bribes to Unlock Smartphones
This wasn't a small operation: A Pakistani man bribed AT call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US on Friday and i...
Former Mozilla CTO Harassed at the US Border
This is a pretty awful story of how Andreas Gal, former Mozilla CTO and US citizen, was detained and threatened at the US border. CBP agents demanded that he unlock his phone and computer. Know your rights when you enter the US. The EFF publishes a handy guide. And if you want to encrypt your...
Are the Police Using Smart-Home IoT Devices to Spy on People?
IoT devices are surveillance devices, and manufacturers generally use them to collect data on their customers. Surveillance is still the business model of the Internet, and this data is used against the customers' interests: either by the device manufacturer or by some third party the manufacture...
Friday Squid Blogging: New Tool for Grabbing Squid and other Fragile Sea Creatures
Interesting video of a robot grabber that's delicate enough to capture squid and even jellyfish in the ocean. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Subverting Backdoored Encryption
This is a really interesting research result. This paper proves that two parties can create a secure communications channel using a communications system with a backdoor. It's a theoretical result, so it doesn't talk about how easy that channel is to create. And the assumptions on the adversary a...
Reverse Engineering the Cuban Sonic Weapon
Interesting analysis and speculation...
Extracting Secrets from Machine Learning Systems
This is fascinating research about how the underlying training data for a machine-learning system can be inadvertently exposed. Basically, if a machine-learning system trains on a dataset that contains secret information, in some cases an attacker can query the system to extract that secret...
Voting Machine Security
Last week, DefCon hosted a "Voter Hacker Village" event. Every single voting machine there was easily hackable. Here are detailed details. There should be a summary report soon; I'll add it to this post when it's published...
Detecting Stingrays
Researchers are developing technologies that can detect IMSI-catchers: those fake cell phone towers that can be used to surveil people in the area. This is good work, but it's unclear to me whether these devices can detect all the newer IMSI-catchers that are being sold to governments worldwide...
Roombas will Spy on You
The company that sells the Roomba autonomous vacuum wants to sell the data about your home that it collects. Some questions: What happens if a Roomba user consents to the data collection and later sells his or her home -- especially furnished -- and now the buyers of the data have a map of a home...
Side-Channel Attack against CRYSTALS-Kyber
CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack--using power consumption--against an implementation of the algorithm that was supposed to be...
Security Analysis of Threema
A group of Swiss researchers have published an impressive security analysis of Threema. We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers. We present seven different attacks against...
AirDropped Gun Photo Causes Terrorist Scare
A teenager on an airplane sent a photo of a replica gun via AirDrop to everyone who had their settings configured to receive unsolicited photos from strangers. This caused a three-hour delay as the plane -- still at the gate -- was evacuated and searched. The teen was not allowed to reboard. I ca...
The DarkSide Ransomware Gang
The New York Times has a long story on the DarkSide ransomware gang. A glimpse into DarkSides secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millions of dollars in ransom payments each month. DarkSide offers what...
When AIs Start Hacking
If you dont have enough to worry about already, consider a world where AIs are hackers. Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activit...