2979 matches found
Experian Privacy Vulnerability
Brian Krebs is reporting on a vulnerability in Experians website: Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report...
ChatGPT-Written Malware
I dont know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild. …within a few weeks of ChatGPT going live, participants in cybercrime forums--some with little or no coding experience--were using it to write software and emails that could be used fo...
Identifying People Using Cell Phone Location Data
The two people who shut down four Washington power stations in December were arrested. This is the interesting part: Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four...
Friday Squid Blogging: Squid Fetish
Seems that about 1.5% of people have a squid fetish. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Schneier on Security Audiobook Sale
Im not sure why, but Audiobooks.com is offering the audiobook version of Schneier on Security at 50% off until January 17. EDITED TO ADD: The audiobook of We Have Root is 50% off until January 27 if you use this link...
Remote Vulnerabilities in Automobiles
This group has found a ton of remote vulnerabilities in all sorts of automobiles. Its enough to make you want to buy a car that is not Internet-connected. Unfortunately, that seems to be impossible...
Decarbonizing Cryptocurrencies through Taxation
Maintaining bitcoin and other cryptocurrencies causes about 0.3 percent of global CO2 emissions. That may not sound like a lot, but its more than the emissions of Switzerland, Croatia, and Norway combined. As many cryptocurrencies crash and the FTX bankruptcy moves into the litigation stage,...
Breaking RSA with a Quantum Computer
A group of Chinese researchers have just published a paper claiming that they can--although they have not yet done so--break 2048-bit RSA. This is something to take seriously. It might not be correct, but its not obviously wrong. We have long known from Shors algorithm that factoring with a quant...
Friday Squid Blogging: Grounded Fishing Boat Carrying 16,000 Pounds of Squid
Rough seas are hampering efforts to salvage the boat: The Speranza Marie, carrying 16,000 pounds of squid and some 1,000 gallons of diesel fuel, hit the shoreline near Chinese Harbor at about 2 a.m. on Dec. 15. Six crew members were on board, and all were rescued without injury by another fishing...
Recovering Smartphone Voice from the Accelerometer
Yet another smartphone side-channel attack: "EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers": Abstract: Eavesdropping from the users smartphone is a well-known threat to the users safety and privacy. Existing studies show that loudspeaker reverberatio...
QR Code Scam
An enterprising individual made fake parking tickets with a QR code for easy payment...
Arresting IT Administrators
This is one way of ensuring that IT keeps up with patches: Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers. Prosecutors said the five IT officials of the public...
LastPass Breach
Last August, LastPass reported a security breach, saying that no customer information--or passwords--were compromised. Turns out the full story is worse: While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our developmen...
Friday Squid Blogging: Injured Giant Squid and Paddleboarder
Heres a video--I dont know where its from--of an injured juvenile male giant squid grabbing on to a paddleboard. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Hacking the JFK Airport Taxi Dispatch System
Two men have been convicted of hacking the taxi dispatch system at the JFK airport. This enabled them to reorder the taxis on the list; they charged taxi drivers $10 to cut the line...
Critical Microsoft Code-Execution Vulnerability
A critical code-execution vulnerability in Microsoft Windows was patched in September. It seems that researchers just realized how serious it was and is: Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication...
Ukraine Intercepting Russian Soldiers’ Cell Phone Calls
Theyre using commercial phones, which go through the Ukrainian telecom network: "You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted...
Trojaned Windows Installer Targets Ukraine
Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system: Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian...
How to Surrender to a Drone
The Ukrainian army has released an instructional video explaining how Russian soldiers should surrender to a drone: "Seeing the drone in the field of view, make eye contact with it," the video instructs. Soldiers should then raise their arms and signal theyre ready to follow. After that the drone...
Friday Squid Blogging: Squid in Concert
Squid is performing a concert in London in February. If you dont know what their music is like, try this or this or this. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
As Long as We’re on the Subject of CAPTCHAs
There are these...
Apple Patches iPhone Zero-Day
The most recent iPhone update--to version 16.1.2--patches a zero-day vulnerability that "may have been actively exploited against versions of iOS released before iOS 15.1." News: Apple said security researchers at Googles Threat Analysis Group, which investigates nation state-backed spyware,...
A Security Vulnerability in the KmsdBot Botnet
Security researchers found a software bug in the KmsdBot cryptomining botnet: With no error-checking built in, sending KmsdBot a malformed command--like its controllers did one day while Akamai was watching--created a panic crash with an "index out of range" error. Because theres no persistence...
Reimagining Democracy
Last week, I hosted a two-day workshop on reimagining democracy. The idea was to bring together people from a variety of disciplines who are all thinking about different aspects of democracy, less from a "what we need to do today" perspective and more from a blue-sky future perspective. My remit ...
Hacking Boston’s CharlieCard
Interesting discussion of vulnerabilities and exploits against Bostons CharlieCard...
Obligatory ChatGPT Post
Seems like absolutely everyone everywhere is playing with Chat GPT. So I did, too…. Write an essay in the style of Bruce Schneier on how ChatGPT will affect cybersecurity. As with any new technology, the development and deployment of ChatGPT is likely to have a significant impact on the field of...
Apple Is Finally Encrypting iCloud Backups
After way too many years, Apple is finally encrypting iCloud backups: Based on a screenshot from Apple, these categories are covered when you flip on Advanced Data Protection: device backups, messages backups, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos,...
Friday Squid Blogging: China Bans Taiwanese Squid Imports
Today I have some squid geopolitical news. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Hacking Trespass Law
This article talks about public land in the US that is completely surrounded by private land, which in some cases makes it inaccessible to the public. But theres a hack: Some hunters have long believed, however, that the publicly owned parcels on Elk Mountain can be legally reached using a practi...
Security Vulnerabilities in Eufy Cameras
Eufy cameras claim to be local only, but upload data to the cloud. The company is basically lying to reporters, despite being shown evidence to the contrary. The companys behavior is so egregious that ReviewGeek is no longer recommending them. This will be interesting to watch. If Eufy can ignore...
Leaked Signing Keys Are Being Used to Sign Malware
A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware. Łukasz Siewierski, a member of Googles Android Security Team, has a post on the Android Partner Vulnerability Initiative AVPI issue tracker detailing leaked platform certificate keys...
The Decoupling Principle
This is a really interesting paper that discusses what the authors call the Decoupling Principle: The idea is simple, yet previously not clearly articulated: to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they ne...
CryWiper Data Wiper Targeting Russian Sites
Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks. The Trojan corrupts any data thats not vital for the functioning of the operating system. It doesnt affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores sever...
CAPTCHA
This is an actual CAPTCHA I was shown when trying to log into PayPal. As an actual human and not a bot, I had no idea how to answer. Is this a joke? Seems not. Is it a Magritte-like existential question? Its not a bicycle. Its a drawing of a bicycle. Actually, its a photograph of a drawing of a...
Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid
At a GMC plant. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Existential Risk and the Fermi Paradox
We know that complexity is the worst enemy of security, because it makes attack easier and defense harder. This becomes catastrophic as the effects of that attack become greater. In A Hackers Mind coming in February 2023, I write: Our societal systems, in general, may have grown fairer and more...
LastPass Security Breach
The company was hacked, and customer information accessed. No passwords were compromised...
Sirius XM Software Vulnerability
This is new: Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was i...
Facebook Fined $276M under GDPR
Facebook--Meta--was just fined $276 million USD for a data leak that included full names, birth dates, phone numbers, and location. Metas total fine by the Data Protection Commission is over $700 million. Total GDPR fines are over €2 billion EUR since 2018...
Charles V of Spain Secret Code Cracked
Diplomatic code cracked after 500 years: In painstaking work backed by computers, Pierrot found "distinct families" of about 120 symbols used by Charles V. "Whole words are encrypted with a single symbol" and the emperor replaced vowels coming after consonants with marks, she said, an inspiration...
Computer Repair Technicians Are Stealing Your Data
Laptop technicians routinely violate the privacy of the people whose computers they repair: Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations ha...
The US Has a Shortage of Bomb-Sniffing Dogs
Nothing beats a dogs nose for detecting explosives. Unfortunately, there arent enough dogs: Last month, the US Government Accountability Office GAO released a nearly 100-page report about working dogs and the need for federal agencies to better safeguard their health and wellness. The GOA says th...
Apple’s Device Analytics Can Identify iCloud Users
Researchers claim that supposedly anonymous device analytics information can identify users: On Twitter, security researchers Tommy Mysk and Talal Haj Bakry have found that Apples device analytics data includes an iCloud account and can be linked directly to a specific user, including their name,...
Breaking the Zeppelin Ransomware Encryption Scheme
Brian Krebs writes about how the Zeppelin ransomware encryption scheme was broken: The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of...
Friday Squid Blogging: Squid Brains
Researchers have new evidence of how squid brains develop: Researchers from the FAS Center for Systems Biology describe how they used a new live-imaging technique to watch neurons being created in the embryo in almost real-time. They were then able to track those cells through the development of...
First Review of A Hacker’s Mind
Kirkus reviews A Hackers Mind: A cybersecurity expert examines how the powerful game whatever system is put before them, leaving it to others to cover the cost. Schneier, a professor at Harvard Kennedy School and author of such books as Data and Goliath and Click Here To Kill Everybody, regularly...
Successful Hack of Time-Triggered Ethernet
Time-triggered Ethernet TTE is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. Researchers have defeated it: On Tuesday, researchers published findings that, for the first time, break TTEs isolation guarantees. The result is PCspooF...
Failures in Twitter’s Two-Factor Authentication System
Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the...
Russian Software Company Pretending to Be American
Computer code developed by a company called Pushwoosh is in about 8,000 Apple and Google smartphone apps. The company pretends to be American when it is actually Russian. According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian to...
Another Event-Related Spyware App
Last month, we were warned not to install Qatars World Cup app because it was spyware. This month, its Egypts COP27 Summit app: The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users emails and messages. Even...