2980 matches found
Relay Attack against Teslas
Nice work: Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while youre in the grocery store, intercepting your key...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. Im speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...
Weird Fallout from Peiter Zatko’s Twitter Whistleblowing
People are trying to dig up dirt on Peiter Zatko, better known as Mudge. For the record, I have not been contacted. Im not sure if I should feel slighted...
FBI Seizes Stolen Cryptocurrencies
The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. Its only a fraction of the $540 million stolen, but its something. The Axie Infinity recovery represents a shift in law enforcements ability to trac...
New Linux Cryptomining Malware
Its pretty nasty: The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each...
Friday Squid Blogging: Colossal Squid in New Zealand Museum
Its in Timaru. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Responsible Disclosure for Cryptocurrency Security
Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two...
Facebook Has No Idea What Data It Has
This is from a court deposition: Facebooks stonewalling has been revealing on its own, providing variations on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In the March 2022...
The LockBit Ransomware Gang Is Surprisingly Professional
This article makes LockBit sound like a legitimate organization: The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom. LockBitSupp said that the ransomware...
Friday Squid Blogging: Squid Images
iStock has over 13,000 royalty-free images of squid. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Montenegro Is the Victim of a Cyberattack
Details are few, but Montenegro has suffered a cyberattack: A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control. … But the attack against Montenegro’s...
Clever Phishing Scam Uses Legitimate PayPal Messages
Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging. Basically, the scammers use the PayPal invoicing system to send the email. The email lists a phone number to dispute the charge, which is not PayPal and quickly turns into a request to download and...
High-School Graduation Prank Hack
This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools. During the process, the group broke into the school’s IT systems; repurposed software used to monitor students’ computers;...
FTC Sues Data Broker
This is good news: The Federal Trade Commission FTC has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency. "Defendants violations are in...
Levels of Assurance for DoD Microelectronics
The NSA has has published criteria for evaluating levels of assurance required for DoD microelectronics. The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include...
Friday Squid Blogging: 14-foot Giant Squid Washes Ashore in Cape Town
Its an Architeuthis dux, the second this year. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Security and Cheap Complexity
Ive been saying that complexity is the worst enemy of security for a long time now. Heres me in 1999. And its been true for a long time. In 2018, Thomas Dullien of Googles Project Zero talked about "cheap complexity." Andrew Appel summarizes: The anomaly of cheap complexity. For most of human...
Man-in-the-Middle Phishing Attack
Heres a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the...
Mudge Files Whistleblower Complaint against Twitter
Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that they violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitters chief security officer until he was fired in January. The Washington Post has the...
Signal Phone Numbers Exposed in Twilio Hack
Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed: Heres what our users need to know: All users can rest assured that their message history, contact lists, profile information, whom theyd blocked, and other personal data remain private and secure and...
Hyundai Uses Example Keys for Encryption System
This is a dumb crypto mistake I had not previously encountered: A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicles manufacturer had secured its system using keys that were not only publicly known but had been lifted from...
Friday Squid Blogging: The Language of the Jumbo Flying Squid
The jumbo flying squid Dosidicus gigas uses its color-changing ability as a language: In 2020, however, marine biologists discovered that jumbo flying squid are surprisingly coordinated. Despite their large numbers, the squid rarely bumped into each other or competed for the same prey. The...
USB “Rubber Ducky” Attack Tool
The USB Rubber Ducky is getting better and better. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a users login credentials or causing Chrome to send all saved passwords to an attackers webserver. But these attacks had to ...
Zoom Exploit on MacOS
This vulnerability was reported to Zoom last December: The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter the...
Remotely Controlling Touchscreens
This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens. From a news article: Its important to note that the attack has a few key limitations. Firstly, the hackers need to know the targets phone passcod...
$23 Million YouTube Royalties Scam
Scammers were able to convince YouTube that other peoples music was their own. They successfully stole $23 million before they were caught. No one knows how common this scam is, and how much money total is being stolen in this way. Presumably this is not an uncommon fraud. While the size of the...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. Im speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...
Friday Squid Blogging: SQUID Acronym for Making Conscious Choices
I think the U is forced: SQUID consists of five steps: Stop, Question, Understand, Imagine, and Decide. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...
Twitter Exposes Personal Information for 5.4 Million Accounts
Twitter accidentally exposed the personal information--including phone numbers and email addresses--for 5.4 million accounts. And someone was trying to sell this information. In January 2022, we received a report through our bug bounty program of a vulnerability in Twitters systems. As a result o...
A Taxonomy of Access Control
My personal definition of a brilliant idea is one that is immediately obvious once its explained, but no one has thought of it before. I cant believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet...
Hacking Starlink
This is the first--of many, I assume--hack of Starlink. Leveraging a string of vulnerabilities, attackers can access the Starlink system and run custom code on the devices...
NIST’s Post-Quantum Cryptography Standards
Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit a quantum bit to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional...
Friday Squid Blogging: New Squid Species
Seems like they are being discovered all the time: In the past, the DEEPEND crew has discovered three new species of Bathyteuthids, a type of squid that lives in depths between 700 and 2,000 meters. The findings were validated and published in 2020. Another new squid species description is...
SIKE Broken
SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition. It was just broken, really badly. We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol SIDH, based on a "glue-and-split" theorem due to Kani. Our...
Drone Deliveries into Prisons
Seems its now common to sneak contraband into prisons with a drone...
Surveillance of Your Car
TheMarkup has an extensive analysis of connected vehicle data and the companies that are collecting it. The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its...
Ring Gives Videos to Police without a Warrant or User Consent
Amazon has revealed that it gives police videos from its Ring doorbells without a warrant and without user consent. Ring recently revealed how often the answer to that question has been yes. The Amazon company responded to an inquiry from US Senator Ed Markey D-Mass., confirming that there have...
Friday Squid Blogging: Evolution of the Vampire Squid
Short article on the evolution of the vampire squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Microsoft Zero-Days Sold and then Used
Yet another article about cyber-weapons arms manufacturers and their particular supply chain. This one is about Windows and Adobe Reader zero-day exploits sold by an Austrian company named DSIRF. Theres an entire industry devoted to undermining all of our security. It needs to be stopped...
New UFEI Rootkit
Kaspersky is reporting on a new UFEI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article: The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that...
Securing Open-Source Software
Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such: Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualiti...
Apple’s Lockdown Mode
I havent written about Apples Lockdown Mode yet, mostly because I havent delved into the details. This is how Apple describes it: Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of...
Friday Squid Blogging: Bathyteuthis berryi Holding Eggs
Image and video of a Bathyteuthis berryi carrying a few hundred eggs, taken at a depth of 4,650 feet. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Critical Vulnerabilities in GPS Trackers
This is a dangerous vulnerability: An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other...
Russia Creates Malware False-Flag App
The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. Its actually malware, and provides information back to the Russians: The hackers pretended to be a "community of free people around the world who are fighting...
NSO Group’s Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders
Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details: Key Findings We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy. We forensically confirmed that at least 30 individua...
Facebook Is Now Encrypting Links to Prevent URL Stripping
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102, which it...
Friday Squid Blogging: Squid Inks Fisherman
Short video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
San Francisco Police Want Real-Time Access to Private Surveillance Cameras
Surely no one could have predicted this: The new proposal--championed by Mayor London Breed after Novembers wild weekend of orchestrated burglaries and theft in the San Francisco Bay Area--would authorize the police department to use non-city-owned security cameras and camera networks to live...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. Im speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...