Storing Encrypted Photos in Google’s Cloud
New paper: "Encrypted Cloud Photo Storage Using Google Photos": Abstract: Cloud photo services are widely used for persistent, convenient, and often free photo storage, which is especially useful for mobile devices. As users store more and more photos in the cloud, significant privacy concerns...
AirDropped Gun Photo Causes Terrorist Scare
A teenager on an airplane sent a photo of a replica gun via AirDrop to everyone who had their settings configured to receive unsolicited photos from strangers. This caused a three-hour delay as the plane -- still at the gate -- was evacuated and searched. The teen was not allowed to reboard. I ca...
De-anonymization Story
This is important: Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers were correlated with his apartment, place of work,...
Hiding Malware in ML Models
Interesting research: "EvilModel: Hiding Malware Inside of Neural Network Models". Abstract: Delivering malware covertly and detection-evadingly is critical to advanced malware campaigns. In this paper, we present a method that delivers malware covertly and detection-evadingly through neural...
Disrupting Ransomware by Disrupting Bitcoin
Ransomware isn't new; the idea dates back to 1986 with the "Brain" computer virus. Now, it's become the criminal business model of the internet for two reasons. The first is the realization that no one values data more than its original owner, and it makes more sense to ransom it back to them --...
Friday Squid Blogging: The Evolution of Squid
Good video about the evolutionary history of squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Commercial Location Data Used to Out Priest
A Catholic priest was outed through commercially available surveillance data. Vice has a good analysis: The news starkly demonstrates not only the inherent power of location data, but how the chance to wield that power has trickled down from corporations and intelligence agencies to essentially a...
Nasty Windows Printer Driver Vulnerability
From SentinelLabs, a critical vulnerability in HP printer drivers: Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers also used by Samsung and Xerox, which impacts hundreds of millions of Windows machines. If exploited, cyberattackers...
NSO Group Hacked
NSO Group, the Israeli cyberweapons arms manufacturer behind the Pegasus spyware -- used by authoritarian regimes around the world to spy on dissidents, journalists, human rights workers, and others -- was hacked. Or, at least, an enormous trove of documents was leaked to journalists. There's a lo...
Candiru: Another Cyberweapons Arms Manufacturer
Citizen Lab has identified yet another Israeli company that sells spyware to governments around the world: Candiru. From the report: Summary: Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones,...
Friday Squid Blogging: Giant Squid Model
Pretty wooden model. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
REvil is Off-Line
This is an interesting development: Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday. … Gone was the publicly available "happy blog" th...
Colorado Passes Consumer Privacy Law
First California. Then Virginia. Now Colorado. Here's a good comparison of the three states' laws...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at Norbert Wiener in the 21st Century, a virtual conference hosted by The IEEE Society on Social Implications of Technology (SSIT), July 23-25, 2021. I'm speaking at DEFCON 29, August 5-8, 2021. I'm speaking via Internet ...
China Taking Control of Zero-Day Exploits
China is making sure that all newly discovered zero-day exploits are disclosed to the government. Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to "overseas organizations or individuals"...
Iranian State-Sponsored Hacking Attempts
Interesting attack: Masquerading as UK scholars with the University of London's School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with hi...
Analysis of the FBI’s Anom Phone
Motherboard got its hands on one of those Anom phones that were really FBI honeypots. The details are interesting...
Friday Squid Blogging: Squid-Related Game
It's called "Squid Fishering." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Details of the REvil Ransomware Attack
ArsTechnica has a good story on the REvil ransomware attack of last weekend, with technical details: This weekend's attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the...
Vulnerability in the Kaspersky Password Manager
A vulnerability just patched in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords: The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic...
Stealing Xbox Codes
Detailed story of Volodymyr Kvashuk, a Microsoft insider who noticed a bug in the company's internal systems that allowed him to create unlimited Xbox gift cards, and stole $10.1 million before he was caught...
Friday Squid Blogging: Best Squid-Related Headline
From the New York Times: "When an Eel Climbs a Ramp to Eat Squid From a Clamp, That's a Moray." The article is about the eel; the squid is just eel food. But still…. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posti...
More Russian Hacking
Two reports this week. The first is from Microsoft, which wrote: As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our...
Insurance and Ransomware
As ransomware becomes more common, I'm seeing more discussions about the ethics of paying the ransom. Here's one more contribution to that issue: a research paper that the insurance industry is hurting more than it's helping. However, the most pressing challenge currently facing the industry is...
Risks of Evidentiary Software
Over at Lawfare, Susan Landau has an excellent essay on the risks posed by software used to collect evidence (a Breathalyzer is probably the most obvious example). Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary nature of software makes it hard for defendants to examin...
NFC Flaws in POS Devices and ATMs
It's a series of vulnerabilities: Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC syste...
Friday Squid Blogging: Colossal Squid Photographed off the Coast of Antarctica
Wow. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
AI-Piloted Fighter Jets
News from Georgetown's Center for Security and Emerging Technology: China Claims Its AI Can Beat Human Pilots in Battle: Chinese state media reported that an AI system had successfully defeated human pilots during simulated dogfights. According to the Global Times report, the system had shot down...
Banning Surveillance-Based Advertising
The Norwegian Consumer Council just published a fantastic new report: "Time to Ban Surveillance-Based Advertising." From the Introduction: The challenges caused and entrenched by surveillance-based advertising include, but are not limited to: privacy and data protection infringements opaque...
Mollitiam Industries is the Newest Cyberweapons Arms Manufacturer
Wired is reporting on a company called Mollitiam Industries: Marketing materials left exposed online by a third-party claim Mollitiam's interception products, dubbed "Invisible Man" and "Night Crawler," are capable of remotely accessing a target's files, location, and covertly turning on a device's...
Apple Will Offer Onion Routing for iCloud/Safari Users
At this year's Apple Worldwide Developer Conference, Apple announced something called "iCloud Private Relay." That's basically its private version of onion routing, which is what Tor does. Private Relay is built into both the forthcoming iOS and MacOS versions, but it will only work if you're an...
The Future of Machine Learning and Cybersecurity
The Center for Security and Emerging Technology has a new report: "Machine Learning and Cybersecurity: Hype and Reality." Heres the bottom line: The report offers four conclusions: Machine learning can help defenders more accurately detect and triage potential attacks. However, in many cases thes...
Friday Squid Blogging: Video of Giant Squid Hunting Prey
Fantastic video of a giant squid hunting at depths between 1,827 and 3,117 feet. This is a follow-on from this post. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Peloton Vulnerability Found and Fixed
Researchers have discovered a vulnerability in Peloton stationary bicycles, one that would give the attacker complete control over the device. The attack requires physical access to the Peloton, so it's not really a practical attack. President Biden's Peloton was not in danger...
Intentional Flaw in GPRS Encryption Algorithm GEA-1
General Packet Radio Service (GPRS) is a mobile data standard that was widely used in the early 2000s. The first encryption algorithm for that standard was GEA-1, a stream cipher built on three linear-feedback shift registers and a non-linear combining function. Although the algorithm has a 64-bit...
Paul van Oorschot’s Computer Security and the Internet
Paul van Oorschot's webpage contains a complete copy of his book: Computer Security and the Internet: Tools and Jewels. It's worth reading...
VPNs and Trust
TorrentFreak surveyed nineteen VPN providers, asking them questions about their privacy practices: what data they keep, how they respond to court order, what country they are incorporated in, and so on. Most interesting to me is the home countries of these companies. Express VPN is incorporated i...
Andrew Appel on New Hampshire’s Election Audit
Really interesting two-part analysis of the audit conducted after the 2020 election in Windham, New Hampshire. Based on preliminary reports published by the team of experts that New Hampshire engaged to examine an election discrepancy, it appears that a buildup of dust in the read heads of...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'll be part of a European Internet Forum virtual debate on June 17, 2021. The topic is "Decrypting the encryption debate: How to ensure public safety with a privacy-preserving and secure Internet?" I'm speaking at the all-online...
TikTok Can Now Collect Biometric Data
This is probably worth paying attention to: A change to TikTok's U.S. privacy policy on Wednesday introduced a new section that says the social video app "may collect biometric identifiers and biometric information" from its users' content. This includes things like "faceprints and voiceprints," th...
Friday Squid Blogging: Fossil of Squid Eating and Being Eaten
We now have a fossil of a squid eating a crustacean while it is being eaten by a shark. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
FBI/AFP-Run Encrypted Phone
For three years, the Federal Bureau of Investigation and the Australian Federal Police owned and operated a commercial encrypted phone app, called AN0M, that was used by organized crime around the world. Of course, the police were able to read everything -- I don't even know if this qualifies as a...
Detecting Deepfake Picture Editing
"Markpainting" is a clever technique to watermark photos in such a way that makes it easier to detect ML-based manipulation: An image owner can modify their image in subtle ways which are not themselves very visible, but will sabotage any attempt to inpaint it by adding visible information...
Information Flows and Democracy
Henry Farrell and I published a paper on fixing American democracy: "Rechanneling Beliefs: How Information Flows Hinder or Help Democracy." It's much easier for democratic stability to break down than most people realize, but this doesn't mean we must despair over the future. It's possible, though...
Vulnerabilities in Weapons Systems
"If you think any of these systems are going to work as expected in wartime, you're fooling yourself." That was Bruce's response at a conference hosted by US Transportation Command in 2017, after learning that their computerized logistical systems were mostly unclassified and on the Internet. That...
The Supreme Court Narrowed the CFAA
In a 6-3 ruling, the Supreme Court just narrowed the scope of the Computer Fraud and Abuse Act: In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction. In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the...
Friday Squid Blogging: Squids in Space
NASA is sending baby bobtail squid into space. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Security and Human Behavior (SHB) 2021
Today is the second day of the fourteenth Workshop on Security and Human Behavior. The University of Cambridge is the host, but we're all on Zoom. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro...
The DarkSide Ransomware Gang
The New York Times has a long story on the DarkSide ransomware gang. A glimpse into DarkSide's secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millions of dollars in ransom payments each month. DarkSide offers what...
Security Vulnerability in Apple’s Silicon “M1” Chip
The website for the M1racles security vulnerability is an excellent demonstration that not all vulnerabilities are exploitable. Be sure to read the FAQ through to the end. EDITED TO ADD: Wired article...