2980 matches found
New Browser De-anonymization Technique
Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another: The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a...
Post-Roe Privacy
This is an excellent essay outlining the post-Roe privacy threat model. Summary: period tracking apps are largely a red herring. Taken together, this means the primary digital threat for people who take abortion pills is the actual evidence of intention stored on your phone, in the form of texts,...
Security Vulnerabilities in Honda’s Keyless Entry System
Honda vehicles from 2021 to 2022 are vulnerable to this attack: On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin260...
Nigerian Prison Break
There was a massive prison break in Abuja, Nigeria: Armed with bombs, Rocket Propelled Grenade RPGs and General Purpose Machine Guns GPMG, the attackers, who arrived at about 10:05 p.m. local time, gained access through the back of the prison, using dynamites to destroy the heavily fortified...
Friday Squid Blogging: Fishing for Squid
Foreign Policy has a three-part so far podcast series on squid and global fishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. EDITED TO ADD: I accidentally posted this on Wednesday. I...
Apple’s Lockdown Mode
Apple has introduced lockdown mode for high-risk users who are concerned about nation-state attacks. It trades reduced functionality for increased security in a very interesting way...
Ubiquitous Surveillance by ICE
Report by Georgetowns Center on Privacy and Technology published a comprehensive report on the surprising amount of mass surveillance conducted by Immigration and Customs Enforcement ICE. Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive...
NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
NISTs post-quantum computing cryptography standard process is entering its final phases. It announced the first four algorithms: For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption key...
Friday Squid Blogging: Multiplexing SQUIDs for X-ray Telescopes
NASA is researching new techniques for multiplexing SQUIDs--thats superconducting quantum interference devices--for X-ray observatories. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Analyzing the Swiss E-Voting System
Andrew Appel has a long analysis of the Swiss online voting system. Its a really good analysis of both the system and the official analyses...
ZuoRAT Malware Is Targeting Routers
Wired is reporting on a new remote-access Trojan that is able to infect at least eighty different targets: So far, researchers from Lumen Technologies Black Lotus Labs say theyve identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and...
Ecuador’s Attempt to Resettle Edward Snowden
Someone hacked the Ecuadorian embassy in Moscow and found a document related to Ecuadors 2013 efforts to bring Edward Snowden there. If you remember, Snowden was traveling from Hong Kong to somewhere when the US revoked his passport, stranding him in Russia. In the document, Ecuador asks Russia t...
When Security Locks You Out of Everything
Thought experiment story of someone who lost everything in a house fire, and now cant log into anything: But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in--yo...
2022 Workshop on Economics and Information Security (WEIS)
I did not attend WEIS this year, but Ross Anderson was there and liveblogged all the talks...
Friday Squid Blogging: Squid Cubes
Researchers thaw squid frozen into a cube and often make interesting discoveries. Okay, this is a weird story. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
On the Dangers of Cryptocurrencies and the Uselessness of Blockchain
Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are an complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. In response,...
On the Subversion of NIST by the NSA
Nadiya Kostyuk and Susan Landau wrote an interesting paper: "Dueling Over DUALECDRBG: The Consequences of Corrupting a Cryptographic Standardization Process": Abstract: In recent decades, the U.S. National Institute of Standards and Technology NIST, which develops cryptographic standards for...
Symbiote Backdoor in Linux
Interesting: What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object SO libra...
Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills
Two bills attempting to reduce the power of Internet monopolies are currently being debated in Congress: S. 2992, the American Innovation and Choice Online Act; and S. 2710, the Open App Markets Act. Reducing the power to tech monopolies would do more to "fix" the Internet than any other single...
Hertzbleed: A New Side-Channel Attack
Hertzbleed is a new side-channel attack that works against a variety of microprocressors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but its not generally viable because measuring power consumption is often hard. This new attack measures power consumption ...
Friday Squid Blogging: Signature Steamed Giant Squid with Thai Lime Sauce
From a restaurant in Singapore. Its not actually giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Tracking People via Bluetooth on Their Phones
Weve always known that phones--and the people carrying them--can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that thats not enough. Computer scientists at the University of California San Diego proved in a...
Attacking the Performance of Machine Learning Systems
Interesting research: "Sponge Examples: Energy-Latency Attacks on Neural Networks": Abstract: The high energy costs of neural network training and inference led to the use of acceleration hardware such as GPUs and TPUs. While such devices enable us to train large-scale neural networks in...
M1 Chip Vulnerability
This is a new vulnerability against Apples M1 chip. Researchers say that it is unpatchable. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Dublin Tech Summit in Dublin, Ireland, June 15-16, 2022. The list is maintained on this page...
Hacking Tesla’s Remote Key Cards
Interesting vulnerability in Teslas NFC key cards: Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state...
Cryptanalysis of ENCSecurity’s Encryption Implementation
ENCSecurity markets a file encryption system, and its used by SanDisk, Sony, Lexar, and probably others. Despite it using AES as its algorithm, its implementation is flawed in multiple ways--and breakable. The moral is, as it always is, that implementing cryptography securely is hard. Dont roll...
Friday Squid Blogging: Squid Changes Color from Black to Transparent
Neat video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Twitter Used Two-Factor Login Details for Ad Targeting
Twitter was fined $150 million for using phone numbers and email addresses collected for two-factor authentication for ad targeting...
Smartphones and Civilians in Wartime
Interesting article about civilians using smartphones to assist their militaries in wartime, and how that blurs the important legal distinction between combatants and non-combatants: The principle of distinction between the two roles is a critical cornerstone of international humanitarian law--t...
Leaking Military Secrets on Gaming Discussion Boards
People are leaking classified military information on discussion boards for the video game War Thunder to win arguments--repeatedly...
Long Story on the Accused CIA Vault 7 Leaker
Long article about Joshua Schulte, the accused leaker of the WikiLeaks Vault 7 and Vault 8 CIA data. Well worth reading...
Friday Squid Blogging: More on the “Mind Boggling” Squid Genome
Octopus and squid genes are weird. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Me on Public-Interest Tech
Back in November 2020, in the middle of the COVID-19 pandemic, I gave a virtual talk at the International Symposium on Technology and Society: "The Story of the Internet and How it Broke Bad: A Call for Public-Interest Technologists." It was something I was really proud of, and its finally up on...
Remotely Controlling Touchscreens
Researchers have demonstrated controlling touchscreens at a distance, at least in a laboratory setting: The core idea is to take advantage of the electromagnetic signals to execute basic touch events such as taps and swipes into targeted locations of the touchscreen with the goal of taking over...
Clever — and Exploitable — Windows Zero-Day
Researchers have reported a still-unpatched Windows zero-day that is currently being exploited in the wild. Heres the advisory, which includes a work-around until a patch is available...
The Limits of Cyber Operations in Wartime
Interesting paper by Lennart Maschmeyer: "The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations": Abstract: Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear. Many expect cyber operations to provide independent utili...
Security and Human Behavior (SHB) 2022
Today is the second day of the fifteenth Workshop on Security and Human Behavior, hosted by Ross Anderson and Alice Hutchings at the University of Cambridge. After two years of having this conference remotely on Zoom, its nice to be back together in person. SHB is a small, annual, invitational...
Friday Squid Blogging: Squid Bites Diver
I agree; the diver deserved it. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Malware-Infested Smart Card Reader
Brian Krebs has an interesting story of a smart ID card reader with a malware-infested Windows driver, and US government employees who inadvertently buy and use them. But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers...
Manipulating Machine-Learning Systems through the Order of the Training Data
Yet another adversarial ML attack: Most deep neural networks are trained by stochastic gradient descent. Now “stochastic” is a fancy Greek word for “random”; it means that the training data are fed into the model in random order. So what happens if the bad guys can cause the order to be not rando...
The Justice Department Will No Longer Charge Security Researchers with Criminal Hacking
Following a recent Supreme Court ruling, the Justice Department will no longer prosecute "good faith" security researchers with cybercrimes: The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solel...
Forging Australian Driver’s Licenses
The New South Wales digital drivers license has multiple implementation flaws that allow for easy forgeries. This file is encrypted using AES-256-CBC encryption combined with Base64 encoding. A 4-digit application PIN which gets set during the initial onboarding when a user first instals the...
Friday Squid Blogging: Squid Street Art
Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
The Onion on Google Map Surveillance
"Google Maps Adds Shortcuts through Houses of People Google Knows Arent Home Right Now." Excellent satire...
Bluetooth Flaw Allows Remote Unlocking of Digital Locks
Locks that use Bluetooth Low Energy to authenticate keys are vulnerable to remote unlocking. The research focused on Teslas, but the exploit is generalizable. In a video shared with Reuters, NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device...
Websites that Collect Your Data as You Type
A surprising number of websites include JavaScript keyloggers that collect everything you type as you type it, not just when you submit a form. Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a...
iPhone Malware that Operates Even When the Phone Is Turned Off
Researchers have demonstrated iPhone malware that works even when the phone is fully shut down. t turns out that the iPhone’s Bluetooth chip--which is key to making features like Find My work--has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s...
Attacks on Managed Service Providers Expected to Increase
CISA, NSA, FBI, and similar organizations in the other Five Eyes countries are warning that attacks on MSPs--as a vector to their customers--are likely to increase. No details about what this prediction is based on. Makes sense, though. The SolarWinds attack was incredibly successful for the...
The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms
Rob Joyce, the director of cybersecurity at the NSA, said so in an interview: The NSA already has classified quantum-resistant algorithms of its own that it developed over many years, said Joyce. But it didnt enter any of its own in the contest. The agencys mathematicians, however, worked with NI...