Lucene search
K
SchneierRecent

2980 matches found

Schneier on Security
Schneier on Security
added 2022/09/15 3:28 p.m.12 views

Relay Attack against Teslas

Nice work: Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while youre in the grocery store, intercepting your key...

0.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/14 5:8 p.m.23 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: Im speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. Im speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...

1.8AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/14 11:51 a.m.18 views

Weird Fallout from Peiter Zatko’s Twitter Whistleblowing

People are trying to dig up dirt on Peiter Zatko, better known as Mudge. For the record, I have not been contacted. Im not sure if I should feel slighted...

1.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/13 11:51 a.m.13 views

FBI Seizes Stolen Cryptocurrencies

The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. Its only a fraction of the $540 million stolen, but its something. The Axie Infinity recovery represents a shift in law enforcements ability to trac...

0.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/12 2:41 p.m.15 views

New Linux Cryptomining Malware

Its pretty nasty: The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each...

1.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/09 9:3 p.m.12 views

Friday Squid Blogging: Colossal Squid in New Zealand Museum

Its in Timaru. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...

1.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/09 1:33 p.m.14 views

Responsible Disclosure for Cryptocurrency Security

Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two...

0.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/08 3:14 p.m.12 views

Facebook Has No Idea What Data It Has

This is from a court deposition: Facebooks stonewalling has been revealing on its own, providing variations on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In the March 2022...

1.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/07 2:26 p.m.17 views

The LockBit Ransomware Gang Is Surprisingly Professional

This article makes LockBit sound like a legitimate organization: The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom. LockBitSupp said that the ransomware...

1.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/02 9:32 p.m.17 views

Friday Squid Blogging: Squid Images

iStock has over 13,000 royalty-free images of squid. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...

1.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/02 1:18 p.m.16 views

Montenegro Is the Victim of a Cyberattack

Details are few, but Montenegro has suffered a cyberattack: A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control. … But the attack against Montenegro’s...

2.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/09/01 12:18 p.m.15 views

Clever Phishing Scam Uses Legitimate PayPal Messages

Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging. Basically, the scammers use the PayPal invoicing system to send the email. The email lists a phone number to dispute the charge, which is not PayPal and quickly turns into a request to download and...

2.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/31 2:33 p.m.26 views

High-School Graduation Prank Hack

This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools. During the process, the group broke into the school’s IT systems; repurposed software used to monitor students’ computers;...

10CVSS9.5AI score0.01611EPSS
Exploits1
Schneier on Security
Schneier on Security
added 2022/08/30 11:58 a.m.15 views

FTC Sues Data Broker

This is good news: The Federal Trade Commission FTC has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency. "Defendants violations are in...

2.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/29 2:30 p.m.24 views

Levels of Assurance for DoD Microelectronics

The NSA has has published criteria for evaluating levels of assurance required for DoD microelectronics. The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include...

1.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/26 9:8 p.m.18 views

Friday Squid Blogging: 14-foot Giant Squid Washes Ashore in Cape Town

Its an Architeuthis dux, the second this year. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...

2.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/26 11:54 a.m.19 views

Security and Cheap Complexity

Ive been saying that complexity is the worst enemy of security for a long time now. Heres me in 1999. And its been true for a long time. In 2018, Thomas Dullien of Googles Project Zero talked about "cheap complexity." Andrew Appel summarizes: The anomaly of cheap complexity. For most of human...

0.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/25 11:45 a.m.20 views

Man-in-the-Middle Phishing Attack

Heres a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the...

0.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/24 11:40 a.m.15 views

Mudge Files Whistleblower Complaint against Twitter

Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that they violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitters chief security officer until he was fired in January. The Washington Post has the...

1.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/23 11:30 a.m.14 views

Signal Phone Numbers Exposed in Twilio Hack

Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed: Heres what our users need to know: All users can rest assured that their message history, contact lists, profile information, whom theyd blocked, and other personal data remain private and secure and...

1.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/22 11:38 a.m.25 views

Hyundai Uses Example Keys for Encryption System

This is a dumb crypto mistake I had not previously encountered: A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicles manufacturer had secured its system using keys that were not only publicly known but had been lifted from...

0.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/19 9:5 p.m.23 views

Friday Squid Blogging: The Language of the Jumbo Flying Squid

The jumbo flying squid Dosidicus gigas uses its color-changing ability as a language: In 2020, however, marine biologists discovered that jumbo flying squid are surprisingly coordinated. Despite their large numbers, the squid rarely bumped into each other or competed for the same prey. The...

0.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/18 11:45 a.m.27 views

USB “Rubber Ducky” Attack Tool

The USB Rubber Ducky is getting better and better. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a users login credentials or causing Chrome to send all saved passwords to an attackers webserver. But these attacks had to ...

0.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/17 11:11 a.m.14 views

Zoom Exploit on MacOS

This vulnerability was reported to Zoom last December: The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter the...

0.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/16 11:59 a.m.17 views

Remotely Controlling Touchscreens

This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens. From a news article: Its important to note that the attack has a few key limitations. Firstly, the hackers need to know the targets phone passcod...

2.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/15 2:14 p.m.19 views

$23 Million YouTube Royalties Scam

Scammers were able to convince YouTube that other peoples music was their own. They successfully stole $23 million before they were caught. No one knows how common this scam is, and how much money total is being stolen in this way. Presumably this is not an uncommon fraud. While the size of the...

0.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/14 5:4 p.m.13 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: Im speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. Im speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...

1.8AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/12 9:6 p.m.20 views

Friday Squid Blogging: SQUID Acronym for Making Conscious Choices

I think the U is forced: SQUID consists of five steps: Stop, Question, Understand, Imagine, and Decide. As usual, you can also use this squid post to talk about the security stories in the news that I havent covered. Read my blog posting guidelines here...

1.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/12 2:13 p.m.14 views

Twitter Exposes Personal Information for 5.4 Million Accounts

Twitter accidentally exposed the personal information--including phone numbers and email addresses--for 5.4 million accounts. And someone was trying to sell this information. In January 2022, we received a report through our bug bounty program of a vulnerability in Twitters systems. As a result o...

7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/12 11:38 a.m.15 views

A Taxonomy of Access Control

My personal definition of a brilliant idea is one that is immediately obvious once its explained, but no one has thought of it before. I cant believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet...

1.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/11 1:23 p.m.17 views

Hacking Starlink

This is the first--of many, I assume--hack of Starlink. Leveraging a string of vulnerabilities, attackers can access the Starlink system and run custom code on the devices...

4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/08 11:20 a.m.24 views

NIST’s Post-Quantum Cryptography Standards

Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit a quantum bit to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional...

7.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/05 9:13 p.m.21 views

Friday Squid Blogging: New Squid Species

Seems like they are being discovered all the time: In the past, the DEEPEND crew has discovered three new species of Bathyteuthids, a type of squid that lives in depths between 700 and 2,000 meters. The findings were validated and published in 2020. Another new squid species description is...

0.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/04 11:56 a.m.32 views

SIKE Broken

SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition. It was just broken, really badly. We present an efficient key recovery attack on the Supersingular Isogeny Diffie­-Hellman protocol SIDH, based on a "glue-and-split" theorem due to Kani. Our...

2.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/03 11:50 a.m.17 views

Drone Deliveries into Prisons

Seems its now common to sneak contraband into prisons with a drone...

2.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/02 11:49 a.m.20 views

Surveillance of Your Car

TheMarkup has an extensive analysis of connected vehicle data and the companies that are collecting it. The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its...

3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/08/01 11:9 a.m.10 views

Ring Gives Videos to Police without a Warrant or User Consent

Amazon has revealed that it gives police videos from its Ring doorbells without a warrant and without user consent. Ring recently revealed how often the answer to that question has been yes. The Amazon company responded to an inquiry from US Senator Ed Markey D-Mass., confirming that there have...

0.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/29 9:19 p.m.16 views

Friday Squid Blogging: Evolution of the Vampire Squid

Short article on the evolution of the vampire squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/29 3:8 p.m.13 views

Microsoft Zero-Days Sold and then Used

Yet another article about cyber-weapons arms manufacturers and their particular supply chain. This one is about Windows and Adobe Reader zero-day exploits sold by an Austrian company named DSIRF. Theres an entire industry devoted to undermining all of our security. It needs to be stopped...

3.8AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/28 11:16 a.m.18 views

New UFEI Rootkit

Kaspersky is reporting on a new UFEI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article: The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that...

0.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/27 12:3 p.m.13 views

Securing Open-Source Software

Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such: Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualiti...

Exploits0
Schneier on Security
Schneier on Security
added 2022/07/26 12:57 p.m.15 views

Apple’s Lockdown Mode

I havent written about Apples Lockdown Mode yet, mostly because I havent delved into the details. This is how Apple describes it: Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of...

1.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/22 9:12 p.m.23 views

Friday Squid Blogging: Bathyteuthis berryi Holding Eggs

Image and video of a Bathyteuthis berryi carrying a few hundred eggs, taken at a depth of 4,650 feet. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

0.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/21 1:36 p.m.16 views

Critical Vulnerabilities in GPS Trackers

This is a dangerous vulnerability: An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other...

0.8AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/20 3:32 p.m.12 views

Russia Creates Malware False-Flag App

The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. Its actually malware, and provides information back to the Russians: The hackers pretended to be a "community of free people around the world who are fighting...

1.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/19 2:40 p.m.18 views

NSO Group’s Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders

Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details: Key Findings We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy. We forensically confirmed that at least 30 individua...

0.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/18 2:49 p.m.15 views

Facebook Is Now Encrypting Links to Prevent URL Stripping

Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102, which it...

2.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/15 9:4 p.m.15 views

Friday Squid Blogging: Squid Inks Fisherman

Short video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/15 11:17 a.m.12 views

San Francisco Police Want Real-Time Access to Private Surveillance Cameras

Surely no one could have predicted this: The new proposal--championed by Mayor London Breed after Novembers wild weekend of orchestrated burglaries and theft in the San Francisco Bay Area--would authorize the police department to use non-city-owned security cameras and camera networks to live...

0.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2022/07/14 5:2 p.m.13 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: Im speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. Im speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on Septembe...

1.8AI score
Exploits0
Total number of security vulnerabilities2980