Signal Phone Numbers Exposed in Twilio Hack
Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed: Here's what our users need to know: All users can rest assured that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and...
Hyundai Uses Example Keys for Encryption System
This is a dumb crypto mistake I had not previously encountered: A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle's manufacturer had secured its system using keys that were not only publicly known but had been lifted from...
Friday Squid Blogging: The Language of the Jumbo Flying Squid
The jumbo flying squid Dosidicus gigas uses its color-changing ability as a language: In 2020, however, marine biologists discovered that jumbo flying squid are surprisingly coordinated. Despite their large numbers, the squid rarely bumped into each other or competed for the same prey. The...
USB “Rubber Ducky” Attack Tool
The USB Rubber Ducky is getting better and better. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to ...
Zoom Exploit on MacOS
This vulnerability was reported to Zoom last December: The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter the...
Remotely Controlling Touchscreens
This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens. From a news article: It's important to note that the attack has a few key limitations. Firstly, the hackers need to know the target's phone passcod...
$23 Million YouTube Royalties Scam
Scammers were able to convince YouTube that other people's music was their own. They successfully stole $23 million before they were caught. No one knows how common this scam is, and how much money total is being stolen in this way. Presumably this is not an uncommon fraud. While the size of the...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. I'm speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...
Friday Squid Blogging: SQUID Acronym for Making Conscious Choices
I think the U is forced: SQUID consists of five steps: Stop, Question, Understand, Imagine, and Decide. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Twitter Exposes Personal Information for 5.4 Million Accounts
Twitter accidentally exposed the personal information--including phone numbers and email addresses--for 5.4 million accounts. And someone was trying to sell this information. In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result o...
A Taxonomy of Access Control
My personal definition of a brilliant idea is one that is immediately obvious once it's explained, but no one has thought of it before. I can't believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet...
Hacking Starlink
This is the first--of many, I assume--hack of Starlink. Leveraging a string of vulnerabilities, attackers can access the Starlink system and run custom code on the devices...
NIST’s Post-Quantum Cryptography Standards
Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit (a quantum bit) to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional...
Friday Squid Blogging: New Squid Species
Seems like they are being discovered all the time: In the past, the DEEPEND crew has discovered three new species of Bathyteuthids, a type of squid that lives in depths between 700 and 2,000 meters. The findings were validated and published in 2020. Another new squid species description is...
SIKE Broken
SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition. It was just broken, really badly. We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a "glue-and-split" theorem due to Kani. Our...
Drone Deliveries into Prisons
Seems it's now common to sneak contraband into prisons with a drone...
Surveillance of Your Car
The Markup has an extensive analysis of connected vehicle data and the companies that are collecting it. The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its...
Ring Gives Videos to Police without a Warrant or User Consent
Amazon has revealed that it gives police videos from its Ring doorbells without a warrant and without user consent. Ring recently revealed how often the answer to that question has been yes. The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirming that there have...
Friday Squid Blogging: Evolution of the Vampire Squid
Short article on the evolution of the vampire squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Microsoft Zero-Days Sold and then Used
Yet another article about cyber-weapons arms manufacturers and their particular supply chain. This one is about Windows and Adobe Reader zero-day exploits sold by an Austrian company named DSIRF. There's an entire industry devoted to undermining all of our security. It needs to be stopped...
New UEFI Rootkit
Kaspersky is reporting on a new UEFI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article: The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that...
Securing Open-Source Software
Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such: Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualiti...
Apple’s Lockdown Mode
I haven't written about Apple's Lockdown Mode yet, mostly because I haven't delved into the details. This is how Apple describes it: Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of...
Friday Squid Blogging: Bathyteuthis berryi Holding Eggs
Image and video of a Bathyteuthis berryi carrying a few hundred eggs, taken at a depth of 4,650 feet. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Critical Vulnerabilities in GPS Trackers
This is a dangerous vulnerability: An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other...
Russia Creates Malware False-Flag App
The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It's actually malware, and provides information back to the Russians: The hackers pretended to be a "community of free people around the world who are fighting...
NSO Group’s Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders
Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details: Key Findings We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy. We forensically confirmed that at least 30 individua...
Facebook Is Now Encrypting Links to Prevent URL Stripping
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102, which it...
Friday Squid Blogging: Squid Inks Fisherman
Short video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
San Francisco Police Want Real-Time Access to Private Surveillance Cameras
Surely no one could have predicted this: The new proposal--championed by Mayor London Breed after November's wild weekend of orchestrated burglaries and theft in the San Francisco Bay Area--would authorize the police department to use non-city-owned security cameras and camera networks to live...
New Browser De-anonymization Technique
Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another: The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a...
Post-Roe Privacy
This is an excellent essay outlining the post-Roe privacy threat model. Summary: period tracking apps are largely a red herring. Taken together, this means the primary digital threat for people who take abortion pills is the actual evidence of intention stored on your phone, in the form of texts,...
Security Vulnerabilities in Honda’s Keyless Entry System
Honda vehicles from 2021 to 2022 are vulnerable to this attack: On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin260...
Nigerian Prison Break
There was a massive prison break in Abuja, Nigeria: Armed with bombs, Rocket Propelled Grenades (RPGs) and General Purpose Machine Guns (GPMG), the attackers, who arrived at about 10:05 p.m. local time, gained access through the back of the prison, using dynamites to destroy the heavily fortified...
Friday Squid Blogging: Fishing for Squid
Foreign Policy has a three-part so far podcast series on squid and global fishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. EDITED TO ADD: I accidentally posted this on Wednesday. I...
Apple’s Lockdown Mode
Apple has introduced lockdown mode for high-risk users who are concerned about nation-state attacks. It trades reduced functionality for increased security in a very interesting way...
Ubiquitous Surveillance by ICE
Georgetown's Center on Privacy and Technology published a comprehensive report on the surprising amount of mass surveillance conducted by Immigration and Customs Enforcement (ICE). Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive...
NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
NIST's post-quantum cryptography standards process is entering its final phases. It announced the first four algorithms: For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption key...
Friday Squid Blogging: Multiplexing SQUIDs for X-ray Telescopes
NASA is researching new techniques for multiplexing SQUIDs--that's superconducting quantum interference devices--for X-ray observatories. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Analyzing the Swiss E-Voting System
Andrew Appel has a long analysis of the Swiss online voting system. It's a really good analysis of both the system and the official analyses...
ZuoRAT Malware Is Targeting Routers
Wired is reporting on a new remote-access Trojan that is able to infect at least eighty different targets: So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and...
Ecuador’s Attempt to Resettle Edward Snowden
Someone hacked the Ecuadorian embassy in Moscow and found a document related to Ecuador's 2013 efforts to bring Edward Snowden there. If you remember, Snowden was traveling from Hong Kong to somewhere when the US revoked his passport, stranding him in Russia. In the document, Ecuador asks Russia t...
When Security Locks You Out of Everything
Thought experiment story of someone who lost everything in a house fire, and now can't log into anything: But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in--yo...
2022 Workshop on Economics and Information Security (WEIS)
I did not attend WEIS this year, but Ross Anderson was there and liveblogged all the talks...
Friday Squid Blogging: Squid Cubes
Researchers thaw squid frozen into a cube and often make interesting discoveries. Okay, this is a weird story. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
On the Dangers of Cryptocurrencies and the Uselessness of Blockchain
Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are a complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. In response,...
On the Subversion of NIST by the NSA
Nadiya Kostyuk and Susan Landau wrote an interesting paper: "Dueling Over DUAL_EC_DRBG: The Consequences of Corrupting a Cryptographic Standardization Process": Abstract: In recent decades, the U.S. National Institute of Standards and Technology (NIST), which develops cryptographic standards for...
Symbiote Backdoor in Linux
Interesting: What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) libra...
Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills
Two bills attempting to reduce the power of Internet monopolies are currently being debated in Congress: S. 2992, the American Innovation and Choice Online Act; and S. 2710, the Open App Markets Act. Reducing the power of tech monopolies would do more to "fix" the Internet than any other single...