Vendors are Fixing Security Flaws Faster
Google's Project Zero is reporting that software vendors are patching their code faster. tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the...
Secret CIA Data Collection Program
Two US senators claim that the CIA has been running an unregulated -- and almost certainly illegal -- mass surveillance program on Americans. The senators' statement. Some declassified information from the CIA. No real details yet...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking at the 14th International Conference on Cyber Conflict, CyCon 2022, in Tallinn, Estonia on June 3, 2022. I’m speaking at the RSA Conference 2022 in San Francisco...
Friday Squid Blogging: Climate Change Causing “Squid Bloom” along Pacific Coast
The oceans are warmer, which means more squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
On the Irish Health Services Executive Hack
A detailed report of the 2021 ransomware attack against Ireland's Health Services Executive lists some really bad security practices: The report notes that: The HSE did not have a Chief Information Security Officer (CISO) or a "single responsible owner for cybersecurity at either senior executive o...
Bunnie Huang’s Plausibly Deniable Database
Bunnie Huang has created a Plausibly Deniable Database. Most security schemes facilitate the coercive processes of an attacker because they disclose metadata about the secret data, such as the name and size of encrypted files. This allows specific and enforceable demands to be made: “Give us the...
Breaking 256-bit Elliptic Curve Encryption with a Quantum Computer
Researchers have calculated the quantum computer size necessary to break 256-bit elliptic curve public-key cryptography: Finally, we calculate the number of physical qubits required to break the 256-bit elliptic curve encryption of keys in the Bitcoin network within the small available time frame...
Amy Zegart on Spycraft in the Internet Age
Amy Zegart has a new book: Spies, Lies, and Algorithms: The History and Future of American Intelligence. Wired has an excerpt: In short, data volume and accessibility are revolutionizing sensemaking. The intelligence playing field is leveling -- and not in a good way. Intelligence collectors are...
Friday Squid Blogging: Are Squid from Another Planet?
An actually serious scientific journal has published a paper speculating that octopus and squid could be of extraterrestrial origin. News article. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
The EARN IT Act Is Back
Senators have reintroduced the EARN IT Act, requiring social media companies among others to administer a massive surveillance operation on their users: A group of lawmakers led by Sen. Richard Blumenthal (D-CT) and Sen. Lindsey Graham (R-SC) have re-introduced the EARN IT Act, an incredibly unpopula...
Interview with the Head of the NSA’s Research Directorate
MIT Technology Review published an interview with Gil Herrera, the new head of the NSA's Research Directorate. There's a lot of talk about quantum computing, monitoring 5G networks, and the problems of big data: The math department, often in conjunction with the computer science department, helps...
Finding Vulnerabilities in Open Source Projects
The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects: The "Alpha" side will emphasize vulnerability testing by hand in the most popular...
Me on App Store Monopolies and Security
There are two bills working their way through Congress that would force companies like Apple to allow competitive app stores. Apple hates this, since it would break its monopoly, and it's making a variety of security arguments to bolster its argument. I have written a rebuttal: I would like to...
Twelve-Year-Old Linux Vulnerability Discovered and Patched
It's a privilege escalation vulnerability: Linux users on Tuesday got a major dose of bad news -- a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running most major distributions of the open source operating system. Previously calle...
Friday Squid Blogging: Cephalopods Thirty Million Years Older Than Previously Thought
New fossils from Newfoundland push the origins of cephalopods to 522 million years ago. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Tracking Secret German Organizations with Apple AirTags
A German activist is trying to track down a secret government intelligence agency. One of her research techniques is to mail Apple AirTags to see where they actually end up: Wittmann says that everyone she spoke to denied being part of this intelligence agency. But what she describes as a "good...
New DeadBolt Ransomware Targets NAT Devices
There's a new ransomware that targets NAT devices made by QNAP: The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension. Instead of creating ransom notes in each folder on the device, the QNAP devices...
Merck Wins Insurance Lawsuit re NotPetya Attack
The insurance company Ace American has to pay for the losses: On 6th December 2021, the New Jersey Superior Court granted partial summary judgment (attached) in favour of Merck and International Indemnity, declaring that the War or Hostile Acts exclusion was inapplicable to the dispute. Merck...
Linux-Targeted Malware Increased by 35%
Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021: Malware targeting Linux systems increased by 35% in 2021 compared to 2020. XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021. Ten times...
Friday Squid Blogging: Piglet Squid
Nice article on the piglet squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
China’s Olympics App Is Horribly Insecure
China is mandating that athletes download and use a health and travel app when they attend the Winter Olympics next month. Citizen Lab examined the app and found it riddled with security holes. Key Findings: MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, ha...
San Francisco Police Illegally Spying on Protesters
Last summer, the San Francisco police illegally used surveillance cameras at the George Floyd protests. The EFF is suing the police: This surveillance invaded the privacy of protesters, targeted people of color, and chills and deters participation and organizing for future protests. The SFPD also...
Are Fake COVID Testing Sites Harvesting Data?
Over the past few weeks, I've seen a bunch of writing about what seems to be fake COVID-19 testing sites. They take your name and info, and do a nose swab, but you never get test results. Speculation centered around data harvesting, but that didn't make sense because it was far too labor intensive...
UK Government to Launch PR Campaign Undermining End-to-End Encryption
Rolling Stone is reporting that the UK government has hired the M&C Saatchi advertising agency to launch an anti-encryption advertising campaign. Presumably they'll lean heavily on the "think of the children!" rhetoric we're seeing in this current wave of the crypto wars. The technical eavesdroppin...
An Examination of the Bug Bounty Marketplace
Here's a fascinating report: "Bounty Everything: Hackers and the Making of the Global Bug Marketplace." From a summary: …researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in "bug bounty" programs -- programs that hire hackers to discover an...
Friday Squid Blogging: The Evolution of Squid Eyes
New research: The researchers from the FAS Center for Systems Biology discovered a network of genes important in squid eye development that are known to also play a crucial role in limb development across animals, including vertebrates and insects. The scientists say these genes have been...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m giving an online-only talk on “Securing a World of Physically Capable Computers” as part of Teleport’s Security Visionaries 2022 series, on January 18, 2022. I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking...
Using EM Waves to Detect Malware
I don't even know what I think about this. Researchers have developed a malware detection system that uses EM waves: "Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification." Abstract: The Internet of Things (IoT) is constituted of devices that are exponential...
Using Foreign Nationals to Bypass US Surveillance Restrictions
Remember when the US and Australian police surreptitiously owned and operated the encrypted cell phone app ANOM? They arrested 800 people in 2021 based on that operation. New documents received by Motherboard show that over 100 of those phones were shipped to users in the US, far more than...
Faking an iPhone Reboot
Researchers have figured out how to intercept and fake an iPhone reboot: We'll dissect the iOS system and show how it's possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it's still running. The "NoReboot" approach...
Apple’s Private Relay Is Being Blocked
Some European cell phone carriers, and now T-Mobile, are blocking Apple's Private Relay anonymous browsing feature. This could be an interesting battle to watch. Slashdot thread...
Fake QR Codes on Parking Meters
The City of Austin is warning about QR codes stuck to parking meters that take people to fraudulent payment sites...
Friday Squid Blogging: Squid Prices Are Rising
The price of squid in Korea is rising due to limited supply. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Norton’s Antivirus Product Now Includes an Ethereum Miner
Norton 360 can now mine Ethereum. It's opt-in, and the company keeps 15%. It's hard to uninstall this option...
People Are Increasingly Choosing Private Web Search
DuckDuckGo has had a banner year: And yet, DuckDuckGo. The privacy-oriented search engine netted more than 35 billion search queries in 2021, a 46.4% jump over 2020 (23.6 billion). That's big. Even so, the company, which bills itself as the "Internet privacy company," offering a search engine and...
More Russian Cyber Operations against Ukraine
Both Russia and Ukraine are preparing for military operations in cyberspace...
Friday Squid Blogging: Deep-Dwelling Squid
We have discovered a squid -- Oegopsida, Magnapinnidae, Magnapinna sp. -- that lives at 6,000 meters deep. "They're really weird," says Vecchione. "They drift along with their arms spread out and these really long, skinny, spaghetti-like extensions dangling down underneath them." Microscopic...
Apple AirTags Are Being Used to Track People and Cars
This development surprises no one who has been paying attention: Researchers now believe AirTags, which are equipped with Bluetooth technology, could be revealing a more widespread problem of tech-enabled tracking. They emit a digital signal that can be detected by devices running Apple's mobile...
Friday Squid Blogging: Squid-Headed Statue Appears in Dallas
Someone left it in a cemetery. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Stolen Bitcoins Returned
The US has returned $154 million in bitcoins stolen by a Sony employee. However, on December 1, following an investigation in collaboration with Japanese law enforcement authorities, the FBI seized the 3879.16242937 BTC in Ishii's wallet after obtaining the private key, which made it possible to...
More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers
Citizen Lab published another report on the spyware used against two Egyptian nationals. One was hacked by NSO Group's Pegasus spyware. The other was hacked both by Pegasus and by the spyware from another cyberweapons arms manufacturer: Cytrox. We haven't heard a lot about Cytrox and its Predator...
Friday Squid Blogging: UK Recognizes Squid as Sentient Beings
This seems big: The UK government has officially included decapod crustaceans (including crabs, lobsters, and crayfish) and cephalopod mollusks (including octopuses, squid, and cuttlefish) in its Animal Welfare Sentience Bill. This means they are now recognized as "sentient beings" in the UK. As usua...
More Log4j News
Log4j is being exploited by all sorts of attackers, all over the Internet: At that point it was reported that there were over 100 attempts to exploit the vulnerability every minute. "Since we started to implement our protection we prevented over 1,272,000 attempts to allocate the vulnerability,...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the RSA Conference 2022 in San Francisco on February 8, 2022. I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking at the 14th International Conference on Cyber Conflict, CyCon 2022, in Tallinn,...
On the Log4j Vulnerability
It's serious: The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. Fr...
NSO Group’s Pegasus Spyware Used Against US State Department Officials
NSO Group's descent into Internet pariah status continues. Its Pegasus spyware was used against nine US State Department employees. We don't know which NSO Group customer trained the spyware on the US. But the company does: NSO Group said in a statement on Thursday that it did not have any indicati...
Friday Squid Blogging: The Far Side Squid Comic
The Far Side is always good for a squid reference. Here's a recent one. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Law Enforcement Access to Chat Data and Metadata
A January 2021 FBI document outlines what types of data and metadata can be lawfully obtained by the FBI from messaging apps. Rolling Stone broke the story and it's been written about elsewhere. I don't see a lot of surprises in the document. Lots of apps leak all sorts of metadata: iMessage and...
Google Shuts Down Glupteba Botnet, Sues Operators
Google took steps to shut down the Glupteba botnet, at least for now. The botnet uses the bitcoin blockchain as a backup command-and-control mechanism, making it hard to get rid of it permanently. So Google is also suing the botnet's operators. It's an interesting strategy. Let's see if it's successf...
New German Government is Pro-Encryption and Anti-Backdoors
I hope this is true: According to Jens Zimmermann, the German coalition negotiations had made it "quite clear" that the incoming government of the Social Democrats (SPD), the Greens and the business-friendly liberal FDP would reject "the weakening of encryption, which is being attempted under the...