2979 matches found
Military Cryptanalytics, Part III
The NSA has just declassified and released a redacted version of Military Cryptanalytics, Part III, by Lambros D. Callimahos, October 1977. Parts I and II, by Lambros D. Callimahos and William F. Friedman, were released decades ago -- I believe repeatedly, in increasingly unredacted form -- and...
Amazon Has Trucks Filled with Hard Drives and an Armed Guard
From an interview with an Amazon Web Services security engineer: So when you use AWS, part of what youre paying for is security. Right; its part of what we sell. Lets say a prospective customer comes to AWS. They say, "I like pay-as-you-go pricing. Tell me more about that." We say, "Okay, heres h...
Friday Squid Blogging: Linguine allo Scoglio Recipe
Delicious seafood pasta dish -- includes squid -- from Americas Test Kitchen. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Brexit Deal Mandates Old Insecure Crypto Algorithms
In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA: The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME V3 allow...
On the Evolution of Ransomware
Good article on the evolution of ransomware: Though some researchers say that the scale and severity of ransomware attacks crossed a bright line in 2020, others describe this year as simply the next step in a gradual and, unfortunately, predictable devolution. After years spent honing their...
Russia’s SolarWinds Attack
Recent news articles have all been talking about the massive Russian cyberattack against the United States, but thats wrong on two accounts. It wasnt a cyberattack in international relations terms, it was espionage. And the victim wasnt just the US, it was the entire world. But it was massive, an...
Friday Squid Blogging: Small Giant Squid Washes Ashore in Japan
A ten-foot giant squid has washed ashore on the Western coast of Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
How China Uses Stolen US Personnel Data
Interesting analysis of Chinas efforts to identify US spies: By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. "We looked...
Investigating the Navalny Poisoning
Bellingcat has investigated the near-fatal poisoning of Alexey Navalny by the Russian FSB back in August. The details display some impressive traffic analysis. Navalny got a confession out of one of the poisoners, displaying some masterful social engineering. Lots of interesting opsec details in...
Eavesdropping on Phone Taps from Voice Assistants
The microphones on voice assistants are very sensitive, and can snoop on all sorts of data: In Hey Alexa what did I just type? we show that when sitting up to half a meter away, a voice assistant can still hear the taps you make on your phone, even in presence of noise. Modern voice assistants ha...
Cellebrite Can Break Signal
Cellebrite announced that it can break Signal. Note that the company has heavily edited its blog post, but the original -- with lots of technical details -- was saved by the Wayback Machine. News article. Slashdot post. The whole story is puzzling. Cellebrites details will make it easier for the...
Friday Squid Blogging: Christmas Squid Memories
Stuffed squid for Christmas Eve. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
NSA on Authentication Hacks (Related to SolarWinds Breach)
The NSA has published an advisory outlining how "malicious cyber actors" are "are manipulating trust in federated authentication environments to access protected data in the cloud." This is related to the SolarWinds hack I have previously written about, and represents one of the techniques the SV...
US Schools Are Buying Cell Phone Unlocking Systems
Gizmodo is reporting that schools in the US are buying equipment to unlock cell phones from companies like Cellebrite: Gizmodo has reviewed similar accounting documents from eight school districts, seven of which are in Texas, showing that administrators paid as much $11,582 for the controversial...
More on the SolarWinds Breach
The New York Times has more details. About 18,000 private and government users downloaded a Russian tainted software update - a Trojan horse of sorts - that gave its hackers a foothold into victims systems, according to SolarWinds, the company whose software was compromised. Among those who use...
Mexican Drug Cartels with High-Tech Spyware
Sophisticated spyware, sold by surveillance tech companies to Mexican government agencies, are ending up in the hands of drug cartels: As many as 25 private companies -- including the Israeli company NSO Group and the Italian firm Hacking Team -- have sold surveillance software to Mexican federal...
Zodiac Killer Cipher Solved
The SF Chronicle is reporting more details here, and the FBI is confirming, that a Melbourne mathematician and team has decrypted the 1969 message sent by the Zodiac Killer to the newspaper. Theres no paper yet, but there are a bunch of details in the news articles. Heres an interview with one of...
How the SolarWinds Hackers Bypassed Duo’s Multi-Factor Authentication
This is interesting: Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was the targeted mailbox was protected by MFA. Logs from the Exchan...
Another Massive Russian Hack of US Government Networks
The press is reporting a massive hack of US government networks by sophisticated Russian hackers. Officials said a hunt was on to determine if other parts of the government had been affected by what looked to be one of the most sophisticated, and perhaps among the largest, attacks on federal...
Should There Be Limits on Persuasive Technologies?
Persuasion is as old as our species. Both democracy and the market economy depend on it. Politicians persuade citizens to vote for them, or to support different policy positions. Businesses persuade consumers to buy their products or services. We all persuade our friends to accept our choice of...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Im speaking online at Western Washington University on January 20, 2021. Details to come. I’ll be speaking at an Informa event on February 28, 2021. Details to come. The list is maintained on this page...
Authentication Failure
This is a weird story of a building owner commissioning an artist to paint a mural on the side of his building -- except that he wasnt actually the buildings owner. The fake landlord met Hawkins in person the day after Thanksgiving, supplying the paint and half the promised fee. They met again a...
Friday Squid Blogging: Newly Identified Ichthyosaur Species Probably Ate Squid
This is a deep-diving species that "fed on small prey items such as squid." Academic paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
A Cybersecurity Policy Agenda
The Aspen Institutes Aspen Cybersecurity Group -- Im a member -- has released its cybersecurity policy agenda for the next four years. The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society. Policymakers in the White...
Finnish Data Theft and Extortion
The Finnish psychotherapy clinic Vastaamo was the victim of a data breach and theft. The criminals tried extorting money from the clinic. When that failed, they started extorting money from the patients: Neither the company nor Finnish investigators have released many details about the nature of...
FireEye Hacked
FireEye was hacked by -- they believe -- "a nation with top-tier offensive capabilities": During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many...
Oblivious DNS-over-HTTPS
This new protocol, called Oblivious DNS-over-HTTPS ODoH, hides the websites you visit from your ISP. Heres how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit...
Hiding Malware in Social Media Buttons
Clever tactic: This new malware was discovered by researchers at Dutch cyber-security company Sansec that focuses on defending e-commerce websites from digital skimming also known as Magecart attacks. The payment skimmer malware pulls its sleight of hand trick with the help of a double payload...
Friday Squid Blogging: Bigfin Squid Found in Australian Waters
A bigfin squid has been found -- and filmed -- in Australian waters for the first time. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
The 2020 Workshop on Economics and Information Security (WEIS)
The workshop on Economics and Information Security is always an interesting conference. This year, it will be online. Heres the program. Registration is free...
Enigma Machine Recovered from the Baltic Sea
Neat story: German divers searching the Baltic Sea for discarded fishing nets have stumbled upon a rare Enigma cipher machine used by the Nazi military during World War Two which they believe was thrown overboard from a scuttled submarine. Thinking they had discovered a typewriter entangled in a...
Open Source Does Not Equal Secure
Way back in 1999, I wrote about open-source software: First, simply publishing the code does not automatically mean that people will examine it for security flaws. Security researchers are fickle and busy people. They do not have the time to examine every piece of source code that is published. S...
Impressive iPhone Exploit
This is a scarily impressive vulnerability: Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device -- over Wi-Fi, with no user interaction required at all. Oh, and...
Manipulating Systems Using Remote Lasers
Many systems are vulnerable: Researchers at the time said that they were able to launch inaudible commands by shining lasers -- from as far as 360 feet -- at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant. … They...
Check Washing
I cant believe that check washing is still a thing: "Check washing" is a practice where thieves break into mailboxes or otherwise steal mail, find envelopes with checks, then use special solvents to remove the information on that check except for the signature and then change the payee and the...
Friday Squid Blogging: Diplomoceras Maximum
Diplomoceras maximum is an ancient squid-like creature. It lived about 68 million years ago, looked kind of like a giant paperclip, and may have had a lifespan of 200 years. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my...
Undermining Democracy
Last Thursday, Rudy Giuliani, a Trump campaign lawyer, alleged a widespread voting conspiracy involving Venezuela, Cuba, and China. Another lawyer, Sidney Powell, argued that Mr. Trump won in a landslide, the entire election in swing states should be overturned and the legislatures should make su...
Cyber Public Health
In a lecture, Adam Shostack makes the case for a discipline of cyber public health. It would relate to cybersecurity in a similar way that public health relates to medicine...
On That Dusseldorf Hospital Ransomware Attack and the Resultant Death
Wired has a detailed story about the ransomware attack on a Dusseldorf hospital, the one that resulted in an ambulance being redirected to a more distant hospital and the patient dying. The police wanted to prosecute the ransomware attackers for negligent homicide, but the details were more...
More on the Security of the 2020 US Election
Last week I signed on to two joint letters about the security of the 2020 election. The first was as one of 59 election security experts, basically saying that while the election seems to have been both secure and accurate voter suppression notwithstanding, we still need to work to secure our...
Indistinguishability Obfuscation
Quanta magazine recently published a breathless article on indistinguishability obfuscation -- calling it the "crown jewel of cryptography" -- and saying that it had finally been achieved, based on a recently published paper. I want to add some caveats to the discussion. Basically, obfuscation...
Friday Squid Blogging: Ram’s Horn Squid Video
This is the first video footage of a rams horn squid Spirula spirula . As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Symantec Reports on Cicada APT Attacks against Japan
Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere. Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well...
The US Military Buys Commercial Location Data
Vice has a long article about how the US military buys commercial location data worldwide. The U.S. military is buying the granular movement data of people around the world, harvested from innocuous-seeming apps, Motherboard has learned. The most popular app among a group Motherboard analyzed...
Michael Ellis as NSA General Counsel
Over at Lawfare, Susan Hennessey has an excellent primer on how Trump loyalist Michael Ellis got to be the NSA General Counsel, over the objections of NSA Director Paul Nakasone, and what Biden can and should do about it. While important details remain unclear, media accounts include numerous...
On Blockchain Voting
Blockchain voting is a spectacularly dumb idea for a whole bunch of reasons. I have generally quoted Matt Blaze: Why is blockchain voting a dumb idea? Glad you asked. For starters: It doesnt solve any problems civil elections actually have. Its basically incompatible with "software independence",...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the ISC² Security Congress 2020, November 16, 2020. I’ll be on a panel at the OECD Global Blockchain Policy Forum 2020 on November 17, 2020. The panel is called "Deep Dive: Digital Security and Distributed Ledger...
Friday Squid Blogging: Underwater Robot Uses Squid-Like Propulsion
This is neat: By generating powerful streams of water, UCSDs squid-like robot can swim untethered. The "squidbot" carries its own power source, and has the room to hold more, including a sensor or camera for underwater exploration. As usual, you can also use this squid post to talk about the...
Inrupt’s Solid Announcement
Earlier this year, I announced that I had joined Inrupt, the company commercializing Tim Berners-Lees Solid specification: The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you. Data generated by your things -- your computer, your...
New Zealand Election Fraud
It seems that this election season has not gone without fraud. In New Zealand, a vote for "Bird of the Year" has been marred by fraudulent votes: More than 1,500 fraudulent votes were cast in the early hours of Monday in the countrys annual bird election, briefly pushing the Little-Spotted Kiwi t...