How to Surrender to a Drone
The Ukrainian army has released an instructional video explaining how Russian soldiers should surrender to a drone: "Seeing the drone in the field of view, make eye contact with it," the video instructs. Soldiers should then raise their arms and signal they're ready to follow. After that the drone...
Friday Squid Blogging: Squid in Concert
Squid is performing a concert in London in February. If you don't know what their music is like, try this or this or this. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
As Long as We’re on the Subject of CAPTCHAs
There are these...
Apple Patches iPhone Zero-Day
The most recent iPhone update--to version 16.1.2--patches a zero-day vulnerability that "may have been actively exploited against versions of iOS released before iOS 15.1." News: Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware,...
A Security Vulnerability in the KmsdBot Botnet
Security researchers found a software bug in the KmsdBot cryptomining botnet: With no error-checking built in, sending KmsdBot a malformed command--like its controllers did one day while Akamai was watching--created a panic crash with an "index out of range" error. Because there's no persistence...
Reimagining Democracy
Last week, I hosted a two-day workshop on reimagining democracy. The idea was to bring together people from a variety of disciplines who are all thinking about different aspects of democracy, less from a "what we need to do today" perspective and more from a blue-sky future perspective. My remit ...
Hacking Boston’s CharlieCard
Interesting discussion of vulnerabilities and exploits against Boston's CharlieCard...
Obligatory ChatGPT Post
Seems like absolutely everyone everywhere is playing with Chat GPT. So I did, too…. Write an essay in the style of Bruce Schneier on how ChatGPT will affect cybersecurity. As with any new technology, the development and deployment of ChatGPT is likely to have a significant impact on the field of...
Apple Is Finally Encrypting iCloud Backups
After way too many years, Apple is finally encrypting iCloud backups: Based on a screenshot from Apple, these categories are covered when you flip on Advanced Data Protection: device backups, messages backups, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos,...
Friday Squid Blogging: China Bans Taiwanese Squid Imports
Today I have some squid geopolitical news. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Hacking Trespass Law
This article talks about public land in the US that is completely surrounded by private land, which in some cases makes it inaccessible to the public. But there's a hack: Some hunters have long believed, however, that the publicly owned parcels on Elk Mountain can be legally reached using a practi...
Security Vulnerabilities in Eufy Cameras
Eufy cameras claim to be local only, but upload data to the cloud. The company is basically lying to reporters, despite being shown evidence to the contrary. The company's behavior is so egregious that ReviewGeek is no longer recommending them. This will be interesting to watch. If Eufy can ignore...
Leaked Signing Keys Are Being Used to Sign Malware
A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware. Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys...
The Decoupling Principle
This is a really interesting paper that discusses what the authors call the Decoupling Principle: The idea is simple, yet previously not clearly articulated: to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they ne...
CryWiper Data Wiper Targeting Russian Sites
Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks. The Trojan corrupts any data that's not vital for the functioning of the operating system. It doesn't affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores sever...
CAPTCHA
This is an actual CAPTCHA I was shown when trying to log into PayPal. As an actual human and not a bot, I had no idea how to answer. Is this a joke? Seems not. Is it a Magritte-like existential question? It's not a bicycle. It's a drawing of a bicycle. Actually, it's a photograph of a drawing of a...
Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid
At a GMC plant. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Existential Risk and the Fermi Paradox
We know that complexity is the worst enemy of security, because it makes attack easier and defense harder. This becomes catastrophic as the effects of that attack become greater. In A Hacker's Mind (coming in February 2023), I write: Our societal systems, in general, may have grown fairer and more...
LastPass Security Breach
The company was hacked, and customer information accessed. No passwords were compromised...
Sirius XM Software Vulnerability
This is new: Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was i...
Facebook Fined $276M under GDPR
Facebook--Meta--was just fined $276 million USD for a data leak that included full names, birth dates, phone numbers, and location. Meta's total fine by the Data Protection Commission is over $700 million. Total GDPR fines are over €2 billion EUR since 2018...
Charles V of Spain Secret Code Cracked
Diplomatic code cracked after 500 years: In painstaking work backed by computers, Pierrot found "distinct families" of about 120 symbols used by Charles V. "Whole words are encrypted with a single symbol" and the emperor replaced vowels coming after consonants with marks, she said, an inspiration...
Computer Repair Technicians Are Stealing Your Data
Laptop technicians routinely violate the privacy of the people whose computers they repair: Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations ha...
The US Has a Shortage of Bomb-Sniffing Dogs
Nothing beats a dog's nose for detecting explosives. Unfortunately, there aren't enough dogs: Last month, the US Government Accountability Office (GAO) released a nearly 100-page report about working dogs and the need for federal agencies to better safeguard their health and wellness. The GAO says th...
Apple’s Device Analytics Can Identify iCloud Users
Researchers claim that supposedly anonymous device analytics information can identify users: On Twitter, security researchers Tommy Mysk and Talal Haj Bakry have found that Apple's device analytics data includes an iCloud account and can be linked directly to a specific user, including their name,...
Breaking the Zeppelin Ransomware Encryption Scheme
Brian Krebs writes about how the Zeppelin ransomware encryption scheme was broken: The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of...
Friday Squid Blogging: Squid Brains
Researchers have new evidence of how squid brains develop: Researchers from the FAS Center for Systems Biology describe how they used a new live-imaging technique to watch neurons being created in the embryo in almost real-time. They were then able to track those cells through the development of...
First Review of A Hacker’s Mind
Kirkus reviews A Hacker's Mind: A cybersecurity expert examines how the powerful game whatever system is put before them, leaving it to others to cover the cost. Schneier, a professor at Harvard Kennedy School and author of such books as Data and Goliath and Click Here To Kill Everybody, regularly...
Successful Hack of Time-Triggered Ethernet
Time-triggered Ethernet (TTE) is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. Researchers have defeated it: On Tuesday, researchers published findings that, for the first time, break TTE's isolation guarantees. The result is PCspooF...
Failures in Twitter’s Two-Factor Authentication System
Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the...
Russian Software Company Pretending to Be American
Computer code developed by a company called Pushwoosh is in about 8,000 Apple and Google smartphone apps. The company pretends to be American when it is actually Russian. According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian to...
Another Event-Related Spyware App
Last month, we were warned not to install Qatar's World Cup app because it was spyware. This month, it's Egypt's COP27 Summit app: The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users' emails and messages. Even...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the 24th International Information Security Conference in Madrid, Spain, on November 17, 2022. The list is maintained on this page...
A Digital Red Cross
The International Committee of the Red Cross wants some digital equivalent to the iconic red cross, to alert would-be hackers that they are accessing a medical network. The emblem wouldn’t provide technical cybersecurity protection to hospitals, Red Cross infrastructure or other medical providers...
Friday Squid Blogging: Squid Purse
Perfect for an evening out. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New Book: A Hacker’s Mind
I have a new book coming out in February. It's about hacking. A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend them Back isn't about hacking computer systems; it's about hacking more general economic, political, and social systems. It generalizes the term hack as a means of...
NSA Over-surveillance
Here in 2022, we have a newly declassified 2016 Inspector General report--"Misuse of Sigint Systems"--about a 2013 NSA program that resulted in the unauthorized (that is, illegal) targeting of Americans. Given all we learned from Edward Snowden, this feels like a minor coda. There's nothing really...
An Untrustworthy TLS Certificate in Browsers
The major browsers natively trust a whole bunch of certificate authorities, and some of them are really sketchy: Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's...
Defeating Phishing-Resistant Multifactor Authentication
CISA is now pushing phishing-resistant multifactor authentication. Roger Grimes has an excellent post reminding everyone that "phishing-resistant" is not "phishing proof," and that everyone needs to stop pretending otherwise. His list of different attacks is particularly useful...
Using Wi-FI to See through Walls
This technique measures device response time to determine distance: The scientists tested the exploit by modifying an off-the-shelf drone to create a flying scanning device, the Wi-Peep. The robotic aircraft sends several messages to each device as it flies around, establishing the positions of...
The Conviction of Uber’s Chief Security Officer
I have been meaning to write about Joe Sullivan, Uber's former Chief Security Officer. He was convicted of crimes related to covering up a cyberattack against Uber. It's a complicated case, and I'm not convinced that he deserved a guilty ruling or that it's a good thing for the industry. I may still...
Friday Squid Blogging: Newfoundland Giant Squid Sculpture
In 1878, a 55-foot-long giant squid washed up on the shores of Glover's Harbour, Newfoundland. It's the largest giant squid ever recorded--although scientists now think that the size was an exaggeration or the result of postmortem stretching--and there's a full-sized statue of it near the beach wher...
NSA on Supply Chain Security
The NSA together with CISA has published a long report on supply-chain security: "Securing the Software Supply Chain: Recommended Practices Guide for Suppliers": Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code,...
Iran’s Digital Surveillance Tools Leaked
It's Iran's turn to have its digital surveillance tools leaked: According to these internal documents, SIAM is a computer system that works behind the scenes of Iranian cellular networks, providing its operators a broad menu of remote commands to alter, disrupt, and monitor how customers use their...
Apple Only Commits to Patching Latest OS Version
People have suspected this for a while, but Apple has made it official. It only commits to fully patching the latest version of its OS, even though it claims to support older versions. From ArsTechnica: In other words, while Apple will provide security-related updates for older versions of its...
Friday Squid Blogging: Chinese Squid Fishing
China claims that it is "engaging in responsible squid fishing": Chen Xinjun, dean of the College of Marine Sciences at Shanghai Ocean University, made the remarks in response to recent accusations by foreign reporters and actor Leonardo DiCaprio that China is depleting its own fish stock and tha...
Critical Vulnerability in Open SSL
There are no details yet, but it's really important that you patch OpenSSL 3.x when the new version comes out on Tuesday. How bad is "Critical"? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable. It's likely to be abused to disclose...
Australia Increases Fines for Massive Data Breaches
After suffering two large, and embarrassing, data breaches in recent weeks, the Australian government increased the fine for serious data breaches from $2.2 million to a minimum of $50 million. That's $50 million AUD, or $32 million USD. This is a welcome change. The problem is one of incentives,...
On the Randomness of Automatic Card Shufflers
Many years ago, Matt Blaze and I talked about getting our hands on a casino-grade automatic shuffler and looking for vulnerabilities. We never did it--I remember that we didn't even try very hard--but this article shows that we probably would have found non-random properties: …the executives had...
Friday Squid Blogging: The Reproductive Habits of Giant Squid
Interesting: A recent study on giant squid that have washed ashore along the Sea of Japan coast has raised the possibility that the animal has a different reproductive method than many other types of squid. Almost all squid and octopus species are polygamous, with multiple males passing sperm to ...