2979 matches found
Friday Squid Blogging: Map of All Colossal Squid Sightings
Interesting map, from this paper. Blog moderation policy...
Weird Zimbra Vulnerability
Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It's critical, but difficult to exploit reliably. In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren't likely to lead to...
California AI Safety Bill Vetoed
Governor Newsom has vetoed the state's AI safety bill. I have mixed feelings about the bill. There's a lot to like about it, and I want governments to regulate in this space. But, for now, it's all EU. Related, the Council of Europe treaty on AI is ready for signature. It'll be legally binding wh...
Hacking ChatGPT by Planting False Memories into Its Data
This vulnerability hacks a feature that allows ChatGPT to have long-term memory, where it uses information from past conversations to inform future conversations with that same user. A researcher found that he could use that feature to plant "false memories" into that context window that could...
AI and the 2024 US Elections
For years now, AI has undermined the public's ability to trust what it sees, hears, and reads. The Republican National Committee released a provocative ad offering an "AI-generated look into the country's possible future if Joe Biden is re-elected," showing apocalyptic, machine-made images of...
Squid Fishing in Japan
Fishermen are catching more squid as other fish are depleted. Blog moderation policy...
NIST Recommends Some Common-Sense Password Rules
NIST's second draft of its "SP 800-63-4"--its digital identify guidelines--finally contains some really good rules about passwords: The following requirements apply to passwords: 1. lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require...
An Analysis of the EU’s Cyber Resilience Act
A good--long, complex--analysis of the EU's new Cyber Resilience Act...
New Windows Malware Locks Computer in Kiosk Mode
Clever: A malware campaign uses the unusual method of locking users in their browser's kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. Specifically, the malware "locks" the user's browser on Google's login page with no obviou...
Israel’s Pager Attacks and Supply Chain Vulnerabilities
Israel's brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least 37 people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us...
Hacking the “Bike Angels” System for Moving Bikeshares
I always like a good hack. And this story delivers. Basically, the New York City bikeshare program has a system to reward people who move bicycles from full stations to empty ones. By deliberately moving bikes to create artificial problems, and exploiting exactly how the system calculates rewards...
Friday Squid Blogging: Squid Game Season Two Teaser
The teaser for Squid Game Season Two dropped. Blog moderation policy...
Clever Social Engineering Attack Using Captchas
This is really interesting. Its a phishing attack targeting GitHub users, tricking them to solve a fake Captcha that actually runs a script that is copied to the command line. Clever...
FBI Shuts Down Chinese Botnet
The FBI has shut down a botnet run by Chinese hackers: The botnet malware infected a number of different types of internet-connected devices around the world, including home routers, cameras, digital video recorders, and NAS drives. Those devices were used to help infiltrate sensitive networks...
Remotely Exploding Pagers
Wow. It seems they all exploded simultaneously, which means they were triggered. Were they each tampered with physically, or did someone figure out how to trigger a thermal runaway remotely? Supply chain attack? Malicious code update, or natural vulnerability? I have no idea, but I expect we will...
Python Developers Targeted with Malware During Fake Job Interviews
Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign agains...
Legacy Ivanti Cloud Service Appliance Being Exploited
CISA wants everyone--and government agencies in particular--to remove or upgrade an Ivanti Cloud Service Appliance CSA that is no longer being supported. Welcome to the security nightmare that is the Internet of Things...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at eCrime 2024 in Boston, Massachusetts, USA. The event runs from September 24 through 26, 2024, and my keynote is at 8:45 AM ET on the 24th. I’m briefly speaking at the EPIC Champion of Freedom Awards in Washington, D...
Friday Squid Blogging: Squid as a Legislative Negotiating Tactic
This is an odd story of serving squid during legislative negotiations in the Philippines. Blog moderation policy...
My TedXBillings Talk
Over the summer, I gave a talk about AI and democracy at TedXBillings. The recording is live. Please share. Im hoping for more than 200 views…...
Microsoft Is Adding New Cryptography Algorithms
Microsoft is updating SymCrypt, its core cryptographic library, with new quantum-secure algorithms. Microsofts details are here. From a news article: The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum...
Evaluating the Effectiveness of Reward Modeling of Generative AI Systems
New research evaluating the effectiveness of reward modeling during Reinforcement Learning from Human Feedback RLHF: "SEAL: Systematic Error Analysis for Value ALignment." The paper introduces quantitative metrics for evaluating the effectiveness of modeling and aligning human values: Abstract:...
New Chrome Zero-Day
According to Microsoft researchers, North Korean hackers have been using a Chrome zero-day exploit to steal cryptocurrency...
Australia Threatens to Force Companies to Break Encryption
In 2018, Australia passed the Assistance and Access Act, which--among other things--gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These...
Friday Squid Blogging: Live Video of Promachoteuthis Squid
The first live video of the Promachoteuthis squid, filmed at a newly discovered seamount off the coast of Chile. Blog moderation policy...
YubiKey Side-Channel Attack
There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. Its a complicated attack, requiring the victims username and password, and physical access to their YubiKey--as well as some technical expertise and equipment. Still, nice piece of security analysi...
Long Analysis of the M-209
Really interesting analysis of the American M-209 encryption device and its security...
Security Researcher Sued for Disproving Government Statements
This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher. Lets hope the judge throws the case out...
List of Old NSA Training Videos
The NSAs "National Cryptographic School Television Catalogue" from 1991 lists about 600 COMSEC and SIGINT training videos. There are a bunch explaining the operations of various cryptographic equipment, and a few code words I have never heard of before...
SQL Injection Attack on Airport Security
Interesting vulnerability: …a special lane at airport security called Known Crewmember KCM. KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips. The KCM process is fairly simple: the employee uses the dedicated la...
Friday Squid Blogging: Economic Fallout from Falklands Halting Squid Fishing
Details. Blog moderation policy...
Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published
The "long lost lecture" by Adm. Grace Hopper has been published by the NSA. Note that there are two parts. Its a wonderful talk: funny, engaging, wise, prescient. Remember that talk was given in 1982, less than a year before the ARPANET switched to TCP/IP and the internet went operational. She wa...
Matthew Green on Telegram’s Encryption
Matthew Green wrote a really good blog post on what Telegrams encryption is and is not. EDITED TO ADD 8/28: Another good explainer from Kaspersky...
The Present and Future of TV Surveillance
Ars Technica has a good article on whats happening in the world of television surveillance. More than even I realized...
US Federal Court Rules Against Geofence Warrants
This is a big deal. A US Appeals Court ruled that geofence warrants--these are general warrants demanding information about all people within a geographical boundary--are unconstitutional. The decision seems obvious to me, but you cant take anything for granted...
Friday Squid Blogging: Self-Healing Materials from Squid Teeth
Making self-healing materials based on the teeth in squid suckers. Blog moderation policy...
Take a Selfie Using a NY Surveillance Camera
This site will let you take a selfie with a New York City traffic surveillance camera. EDITED TO ADD: BoingBoing post...
Surveillance Watch
This is a fantastic project mapping the global surveillance industry...
Story of an Undercover CIA Agent who Penetrated Al Qaeda
Rolling Stone has a long investigative story non-paywalled version here about a CIA agent who spent years posing as an Islamic radical. Unrelated, but also in the "real life spies" file: a fake Sudanese diving resort run by Mossad...
Hacking Wireless Bicycle Shifters
This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually implement this attack. Research paper. Another news stor...
The State of Ransomware
Palo Alto Networks published its semi-annual report on ransomware. From the Executive Summary: Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762...
Friday Squid Blog: The Market for Squid Oil Is Growing
How did I not know before now that there was a market for squid oil? The squid oil market has experienced robust growth in recent years, expanding from $4.56 billion in 2023 to $4.94 billion in 2024 at a compound annual growth rate CAGR of 8.5%. The growth in the historic period can be attributed...
New Windows IPv6 Zero-Click Vulnerability
The press is reporting a critical Windows vulnerability affecting IPv6. As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets. Microsoft also share...
NIST Releases First Post-Quantum Encryption Algorithms
From the Federal Register: After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes:...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking at eCrime 2024 in Boston, Massachusetts, USA. The event runs from September 24 through 26, 2024, and my keynote is on the 24th. The list is maintained on this page...
Texas Sues GM for Collecting Driving Data without Consent
Texas is suing General Motors for collecting driver data without consent and then selling it to insurance companies: From CNN: In car models from 2015 and later, the Detroit-based car manufacturer allegedly used technology to "collect, record, analyze, and transmit highly detailed driving data...
On the Voynich Manuscript
Really interesting article on the ancient-manuscript scholars who are applying their techniques to the Voynich Manuscript. No one has been able to understand the writing yet, but there are some new understandings: Davis presented her findings at the medieval-studies conference and published them ...
Taxonomy of Generative AI Misuse
Interesting paper: "Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data”: Generative, multimodal artificial intelligence GenAI offers transformative potential across industries, but its misuse poses significant risks. Prior research has shed light on the potential of...
Friday Squid Blogging: SQUID Is a New Computational Tool for Analyzing Genomic AI
Yet another SQUID acronym: SQUID, short for Surrogate Quantitative Interpretability for Deepnets, is a computational tool created by Cold Spring Harbor Laboratory CSHL scientists. Its designed to help interpret how AI models analyze the genome. Compared with other analysis tools, SQUID is more...
People-Search Site Removal Services Largely Ineffective
Consumer Reports has a new study of people-search site removal services, concluding that they dont really work: As a whole, people-search removal services are largely ineffective. Private information about each participant on the people-search sites decreased after using the people-search removal...