Lucene search
K
SchneierRecent

2980 matches found

Schneier on Security
Schneier on Security
added 2021/04/23 9:1 p.m.38 views

Friday Squid Blogging: Squid-Shaped Bike Rack

Theres a new squid-shaped bike rack in Ballard, WA. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/22 11:12 a.m.46 views

On North Korea’s Cyberattack Capabilities

Excellent New Yorker article on North Koreas offensive cyber capabilities...

2.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/21 4:12 p.m.54 views

Backdoor Found in Codecov Bash Uploader

Developers have discovered a backdoor in the Codecov bash uploader. Its been there for four months. We dont know who put it there. Codecov said the breach allowed the attackers to export information stored in its users continuous integration CI environments. This information was then sent to a...

2.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/20 11:19 a.m.29 views

Biden Administration Imposes Sanctions on Russia for SolarWinds

On April 15, the Biden administration both formally attributed the SolarWinds espionage campaign to the Russian Foreign Intelligence Service SVR, and imposed a series of sanctions designed to punish the country for the attack and deter future attacks. I will leave it to those with experience in...

1.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/19 11:8 a.m.31 views

Details on the Unlocking of the San Bernardino Terrorist’s iPhone

The Washington Post has published a long story on the unlocking of the San Bernardino Terrorists iPhone 5C in 2016. We all thought it was an Israeli company called Cellebrite. It was actually an Australian company called Azimuth Security. Azimuth specialized in finding significant vulnerabilities...

0.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/16 9:9 p.m.45 views

Friday Squid Blogging: Blobs of Squid Eggs Found Near Norway

Divers find three-foot "blobs" -- egg sacs of the squid Illex coindetii -- off the coast of Norway. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

2.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/16 7:13 p.m.52 views

Cybersecurity Experts to Follow on Twitter

Security Boulevard recently listed the "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021." I came in at 7. I thought that was pretty good, especially since I never tweet. My Twitter feed just mirrors my blog. If you are one of the 134K people who read me from Twitter, "hi."...

1.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/16 11:23 a.m.41 views

NSA Discloses Vulnerabilities in Microsoft Exchange

Amongst the 100+ vulnerabilities patch in this months Patch Tuesday, there are four in Microsoft Exchange that were disclosed by the NSA...

1.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/15 11:13 a.m.51 views

DNI’s Annual Threat Assessment

The office of the Director of National Intelligence released its "Annual Threat Assessment of the U.S. Intelligence Community." Cybersecurity is covered on pages 20-21. Nothing surprising: Cyber threats from nation states and their surrogates will remain acute. States increasing use of cyber...

Exploits0
Schneier on Security
Schneier on Security
added 2021/04/14 5:30 p.m.34 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I’m keynoting the all-virtual RSA Conference 2021, May 17-20, 2021. I’m keynoting the 5th International Symposium on Cyber Security Cryptology and Machine Learning via Zoom, July 8-9, 2021. I’ll be speaking at an Informa event on...

3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/14 2:56 p.m.30 views

The FBI Is Now Securing Networks Without Their Owners’ Permission

In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised...

0.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/13 2:13 p.m.23 views

More Biden Cybersecurity Nominations

News: President Biden announced key cybersecurity leadership nominations Monday, proposing Jen Easterly as the next head of the Cybersecurity and Infrastructure Security Agency and John "Chris" Inglis as the first ever national cyber director NCD. I know them both, and think theyre both good...

1.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/09 9:8 p.m.50 views

Friday Squid Blogging: Jurassic Squid and Prey

A 180-million-year-old Vampire squid ancestor was fossilized along with its prey. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/09 1:54 p.m.46 views

Backdoor Added — But Found — in PHP

Unknown hackers attempted to add a backdoor to the PHP source code. It was two malicious commits, with the subject "fix typo" and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users. But since 79% of the Internets websites use...

1.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/08 11:6 a.m.53 views

Google’s Project Zero Finds a Nation-State Zero-Day Operation

Googles Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by "Western government operatives actively conducting a counterterrorism operation": The exploits, which went back to early 202...

0.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/07 11:24 a.m.33 views

Signal Adds Cryptocurrency Support

According to Wired, Signal is adding support for the cryptocurrency MobileCoin, "a form of digital cash designed to work efficiently on mobile devices while protecting users privacy and even their anonymity." Moxie Marlinspike, the creator of Signal and CEO of the nonprofit that runs it, describe...

0.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/06 11:5 a.m.27 views

Phone Cloning Scam

A newspaper in Malaysia is reporting on a cell phone cloning scam. The scammer convinces the victim to lend them their cell phone, and the scammer quickly clones it. Whats clever about this scam is that the victim is an Uber driver and the scammer is the passenger, so the driver is naturally busy...

2.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/05 11:15 a.m.53 views

Wi-Fi Devices as Physical Object Sensors

The new 802.11bf standard will turn Wi-Fi devices into object sensors: In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals. "When 802.11bf will be...

2.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/02 9:10 p.m.49 views

Friday Squid Blogging: 500-Million-Year-Old Cephalopod

The oldest known cephalopod -- the ancestor of all modern octopuses, squid, cuttlefish and nautiluses -- is 500 million years old. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

2.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/02 11:0 a.m.44 views

Malware Hidden in Call of Duty Cheating Software

News article: Most troublingly, Activision says that the "cheat" tool has been advertised multiple times on a popular cheating forum under the title "new COD hack." Gamers looking to flout the rules will typically go to such forums to find new ways to do so. While the report doesnt mention which...

0.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/04/01 2:39 p.m.30 views

Fugitive Identified on YouTube By His Distinctive Tattoos

A mafia fugitive hiding out in the Dominican Republic was arrested when investigators found his YouTube cooking channel and identified him by his distinctive arm tattoos...

2.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/30 3:0 p.m.33 views

System Update: New Android Malware

Researchers have discovered a new Android app called "System Update" that is a sophisticated Remote-Access Trojan RAT. From a news article: The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database...

0.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/26 9:4 p.m.46 views

Friday Squid Blogging: Squid Potato Masher

A squid potato masher for only $11.50. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1.2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/26 1:41 p.m.53 views

Hacking Weapons Systems

Lukasz Olejnik has a good essay on hacking weapons systems. Basically, there is no reason to believe that software in weapons systems is any more vulnerability free than any other software. So now the question is whether the software can be accessed over the Internet. Increasingly, it is. This is...

1.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/24 11:10 a.m.26 views

Determining Key Shape from Sound

Its not yet very accurate or practical, but under ideal conditions it is possible to figure out the shape of a house key by listening to it being used. Listen to Your Key: Towards Acoustics-based Physical Key Inference Abstract: Physical locks are one of the most prevalent mechanisms for securing...

0.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/23 11:32 a.m.41 views

Accellion Supply Chain Hack

A vulnerability in the Accellion file-transfer program is being used by criminal groups to hack networks worldwide. Theres much in the article about when Accellion knew about the vulnerability, when it alerted its customers, and when it patched its software. The governor of New Zealands central...

2.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/22 11:15 a.m.38 views

Details of a Computer Banking Scam

This is a longish video that describes a profitable computer banking scam thats run out of call centers in places like India. Theres a lot of fluff about glitterbombs and the like, but the details are interesting. The scammers convince the victims to give them remote access to their computers, an...

2.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/19 9:14 p.m.36 views

Friday Squid Blogging: Squid Cartoon

Squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/19 11:21 a.m.39 views

Easy SMS Hijacking

Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money -- in this case, $16 off an anonymous prepaid credit card -- and a few lies, you can forwar...

2.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/18 11:17 a.m.43 views

Exploiting Spectre Over the Internet

Google has demonstrated exploiting the Spectre CPU attack remotely over the web: Today, were sharing proof-of-concept PoC code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome...

1.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/17 11:10 a.m.304 views

Illegal Content and the Blockchain

Security researchers have recently discovered a botnet with a novel defense against takedowns. Normally, authorities can disable a botnet by taking over its command-and-control server. With nowhere to go for instructions, the botnet is rendered useless. But over the years, botnet designers have...

6.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/16 11:36 a.m.41 views

On the Insecurity of ES&S Voting Machines’ Hash Code

Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&Ss software authentication system: It turns out that ES&S has bugs in their hash-code checker: if the "reference hashcode" is completely missing, then itll say "yes, boss, everything is fine" instead of reporting an error...

7.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/15 11:16 a.m.33 views

Security Analysis of Apple’s “Find My…” Protocol

Interesting research: "Who Can Find My Devices? Security and Privacy of Apples Crowd-Sourced Bluetooth Location Tracking System": Abstract: Overnight, Apple has turned its hundreds-of-million-device ecosystem into the worlds largest crowd-sourced location tracking network called offline finding O...

2.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/14 6:16 p.m.41 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I’m speaking at the Australian Cyber Conference 2021 on March 17 and 18, 2021. I’m keynoting the all-virtual RSA Conference 2021, May 17-20, 2021. I’ll be speaking at an Informa event on September 14, 2021. Details to come. The lis...

2.8AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/12 10:10 p.m.42 views

Friday Squid Blogging: On SQUIDS

A good tutorial: But we can go beyond the polarization of electrons and really leverage the electron waviness. By interleaving thin layers of superconducting and normal materials, we can make the quantum electronic equivalents of transistors and diodes such as Superconducting Tunnel Junctions SJT...

2.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/12 12:3 p.m.48 views

Metadata Left in Security Agency PDFs

Really interesting research: "Exploitation and Sanitization of Hidden Data in PDF Files" Abstract: Organizations publish and share more and more electronic documents like PDF files. Unfortunately, most organizations are unaware that these documents can compromise sensitive information like author...

0.5AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/11 12:15 p.m.50 views

Fast Random Bit Generation

Science has a paper and commentary on generating 250 random terabits per second with a laser. I dont know how cryptographically secure they are, but that can be cleaned up with something like Fortuna. EDITED TO ADD 3/12: Here are free versions of the paper and the commentary...

2.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/10 12:28 p.m.51 views

More on the Chinese Zero-Day Microsoft Exchange Hack

Nick Weaver has an excellent post on the Microsoft Exchange hack: The investigative journalist Brian Krebs has produced a handy timeline of events and a few things stand out from the chronology. The attacker was first detected by one group on Jan. 5 and another on Jan. 6, and Microsoft acknowledg...

1.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/09 12:16 p.m.34 views

On Not Fixing Old Vulnerabilities

How is this even possible? …26% of companies Positive Technologies tested were vulnerable to WannaCry, which was a threat years ago, and some even vulnerable to Heartbleed. "The most frequent vulnerabilities detected during automated assessment date back to 2013-­2017, which indicates a lack of...

1.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/08 12:10 p.m.40 views

Hacking Digitally Signed PDF Files

Interesting paper: "Shadow Attacks: Hiding and Replacing Content in Signed PDFs": Abstract: Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content. A user opening a signed PDF expects to see a warning in case of any modification. In...

3.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/05 10:7 p.m.53 views

Friday Squid Blogging: Vampire Squid Fossil

A 30-million-year-old vampire squid fossil was found, lost, and then re-found in Hungary. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

0.3AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/05 4:48 p.m.22 views

No, RSA Is Not Broken

I have been seeing this paper by cryptographer Peter Schnorr making the rounds: "Fast Factoring Integers by SVP Algorithms." It describes a new factoring method, and its abstract ends with the provocative sentence: "This destroys the RSA cryptosystem." It does not. At best, its an improvement in...

2AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/05 12:3 p.m.46 views

Threat Model Humor

At a hospital...

0.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/04 7:3 p.m.37 views

Four Microsoft Exchange Zero-Days Exploited by China

Microsoft has issued an emergency Microsoft Exchange patch to fix four zero-day vulnerabilities currently being exploited by China. EDITED TO ADD 3/12: Exchange Online is not affected...

1.6AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/04 12:25 p.m.98 views

Chinese Hackers Stole an NSA Windows Exploit in 2014

Check Point has evidence that probably government affiliated Chinese hackers stole and cloned an NSA Windows hacking tool years before probably government affiliated Russian hackers stole and then published the same tool. Heres the timeline: The timeline basically seems to be, according to Check...

6.9CVSS2.9AI score0.11022EPSS
Exploits1
Schneier on Security
Schneier on Security
added 2021/03/03 12:0 p.m.30 views

Encoded Message in the Perseverance Mars Lander’s Parachute

NASA made an oblique reference to a coded message in the color pattern of the Perseverance Mars Lander s parachute. More information...

3.7AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/02 12:5 p.m.35 views

Mysterious Macintosh Malware

This is weird: Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malwares ultimate goal...

1.4AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/03/01 12:12 p.m.42 views

National Security Risks of Late-Stage Capitalism

Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds. The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US...

7.1AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/02/26 10:8 p.m.30 views

Friday Squid Blogging: Far Side Cartoon

The Far Side on squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

0.9AI score
Exploits0
Schneier on Security
Schneier on Security
added 2021/02/26 12:28 p.m.33 views

The Problem with Treating Data as a Commodity

Excellent Brookings paper: "Why data ownership is the wrong approach to protecting privacy." From the introduction: Treating data like it is property fails to recognize either the value that varieties of personal information serve or the abiding interest that individuals have in their personal...

1.6AI score
Exploits0
Total number of security vulnerabilities2980