2979 matches found
“Privacy Nutrition Labels” in Apple’s App Store
Apple will start requiring standardized privacy labels for apps in its app store, starting in December: Apple allows data disclosure to be optional if all of the following conditions apply: if its not used for tracking, advertising or marketing; if its not shared with a data broker; if collection...
The Security Failures of Online Exam Proctoring
Proctoring an online exam is hard. Its hard to be sure that the student isnt cheating, maybe by having reference materials at hand, or maybe by substituting someone else to take the exam for them. There are a variety of companies that provide online proctoring services, but theyre uniformly...
2020 Was a Secure Election
Over at Lawfare: "2020 Is An Election Security Success Story So Far." What’s more, the voting itself was remarkably smooth. It was only a few months ago that professionals and analysts who monitor election administration were alarmed at how badly unprepared the country was for voting during a...
Friday Squid Blogging: Peru Defends Its Waters against Chinese Squid Fishing Boats
Squid geopolitics. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Detecting Phishing Emails
Research paper: Rick Wash, "How Experts Detect Phishing Scam Emails": Abstract: Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduc...
California Proposition 24 Passes
Californias Proposition 24, aimed at improving the California Consumer Privacy Act, passed this week. Analyses are very mixed. I was very mixed on the proposition, but on the whole I supported it. The proposition has some serious flaws, and was watered down by industry, but voting for privacy fee...
Determining What Video Conference Participants Are Typing from Watching Shoulder Movements
Accuracy isnt great, but that it can be done at all is impressive. Murtuza Jadiwala, a computer science professor heading the research project, said his team was able to identify the contents of texts by examining body movement of the participants. Specifically, they focused on the movement of...
New Windows Zero-Day
Googles Project Zero has discovered and published a buffer overflow vulnerability in the Windows Kernel Cryptography Driver. The exploit doesnt affect the cryptography, but allows attackers to escalate system privileges: Attackers were combining an exploit for it with a separate one targeting a...
Friday Squid Blogging: Interview with a Squid Researcher
Interview with Mike Vecchione, Curator of Cephalopoda -- now thats a job title -- at the Smithsonian Museum of National History. One reason theyre so interesting is they are intelligent invertebrates. Almost everything that we think of as being intelligent -- parrots, dolphins, etc. -- are...
The Legal Risks of Security Research
Sunoo Park and Kendra Albert have published "A Researcher’s Guide to Some Legal Risks of Security Research." From a summary: Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions DMCA §1201, electronic privacy law ECPA, and cryptography export...
Tracking Users on Waze
A security researcher discovered a wulnerability in Waze that breaks the anonymity of users: I found out that I can visit Waze from any web browser at waze.com/livemap so I decided to check how are those driver icons implemented. What I found is that I can ask Waze API for data on a location by...
The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products
Senator Ron Wyden asked, and the NSA didnt answer: The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others...
Reverse-Engineering the Redactions in the Ghislaine Maxwell Deposition
Slate magazine was able to cleverly read the Ghislaine Maxwell deposition and reverse-engineer many of the redacted names. Weve long known that redacting is hard in the modern age, but most of the failures to date have been a result of not realizing that covering digital text with a black bar...
IMSI-Catchers from Canada
Gizmodo is reporting that Harris Corp. is no longer selling Stingray IMSI-catchers and, presumably, its follow-on models Hailstorm and Crossbow to local governments: L3Harris Technologies, formerly known as the Harris Corporation, notified police agencies last year that it planned to discontinue...
Friday Squid Blogging: Squid-like Nebula
Pretty astronomical photo. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New Report on Police Decryption Capabilities
There is a new report on police decryption capabilities: specifically, mobile device forensic tools MDFTs. Short summary: its not just the FBI that can do it. This report documents the widespread adoption of MDFTs by law enforcement in the United States. Based on 110 public records requests to...
NSA Advisory on Chinese Government Hacking
The NSA released an advisory listing the top twenty-five known vulnerabilities currently being exploited by Chinese nation-state attackers. This advisory provides Common Vulnerabilities and Exposures CVEs known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to...
Cybersecurity Visuals
The Hewlett Foundation just announced its top five ideas in its Cybersecurity Visuals Challenge. The problem Hewlett is trying to solve is the dearth of good visuals for cybersecurity. A Google Images Search demonstrates the problem: locks, fingerprints, hands on laptops, scary looking hackers in...
Split-Second Phantom Images Fool Autopilots
Researchers are tricking autopilots by inserting split-second images into roadside billboards. Researchers at Israels Ben Gurion University of the Negev … previously revealed that they could use split-second light projections on roads to successfully trick Teslas driver-assistance systems into...
Friday Squid Blogging: Chinese Squid Fishing Near the Galapagos
The Chinese have been illegally squid fishing near the Galapagos Islands. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
US Cyber Command and Microsoft Are Both Disrupting TrickBot
Earlier this month, we learned that someone is disrupting the TrickBot botnet network. Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: Ill be speaking at Cyber Week Online, October 19-21, 2020. Ill be speaking at the IEEE Symposium on Technology and Society virtual conference, November 12-15, 2020. Ill be keynoting the 2020 Conference on Cyber Norms on November 12...
2020 Workshop on Economics of Information Security
The Workshop on Economics of Information Security will be online this year. Register here...
Google Responds to Warrants for “About” Searches
One of the things we learned from the Snowden documents is that the NSA conducts "about" searches. That is, searches based on activities and not identifiers. A normal search would be on a name, or IP address, or phone number. An about search would something like "show me anyone that has used this...
Hacking Apple for Profit
Five researchers hacked Apple Computers networks -- not their products -- and found fifty-five vulnerabilities. So far, they have received $289K. One of the worst of all the bugs they found would have allowed criminals to create a worm that would automatically steal all the photos, videos, and...
Friday Squid Blogging: Saving the Humboldt Squid
Genetic research finds the Humboldt squid is vulnerable to overfishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
New Privacy Features in iOS 14
A good rundown...
Swiss-Swedish Diplomatic Row Over Crypto AG
Previously I have written about the Swedish-owned Swiss-based cryptographic hardware company: Crypto AG. It was a CIA-owned Cold War operation for decades. Today it is called Crypto International, still based in Switzerland but owned by a Swedish company. Its back in the news: Late last week,...
On Risk-Based Authentication
Interesting usability study: "More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication": Abstract: Risk-based Authentication RBA is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during...
Friday Squid Blogging: After Squidnight
Review of a squid-related childrens book. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
COVID-19 and Acedia
Note: This isnt my usual essay topic. Still, I want to put it on my blog. Six months into the pandemic with no end in sight, many of us have been feeling a sense of unease that goes beyond anxiety or distress. Its a nameless feeling that somehow makes it hard to go on with even the nice things we...
Detecting Deep Fakes with a Heartbeat
Researchers can detect deep fakes because they dont convincingly mimic human blood circulation in the face: In particular, video of a persons face contains subtle shifts in color that result from pulses in blood circulation. You might imagine that these changes would be too minute to detect merel...
Negotiating with Ransomware Gangs
Really interesting conversation with someone who negotiates with ransomware gangs: For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, can perhaps be comported so as not to break any laws like anti-terrorist laws, FCPA, conspiracy and...
Hacking a Coffee Maker
As expected, IoT devices are filled with vulnerabilities: As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite ...
On Executive Order 12333
Mark Jaycox has written a long article on the US Executive Order 12333: "No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333": Abstract: Executive Order 12,333 "EO 12333" is a 1980s Executive Order signed by President Ronald Reagan that, among other...
Friday Squid Blogging: COVID-19 Found on Chinese Squid Packaging
I thought the virus doesnt survive well on food packaging: Authorities in China’s northeastern Jilin province have found the novel coronavirus on the packaging of imported squid, health authorities in the city of Fuyu said on Sunday, urging anyone who may have bought it to get themselves tested. ...
CEO of NS8 Charged with Securities Fraud
The founder and CEO of the Internet security company NS8 has been arrested and "charged in a Complaint in Manhattan federal court with securities fraud, fraud in the offer and sale of securities, and wire fraud." I admit that Ive never even heard of the company before...
Iranian Government Hacking Android
The New York Times wrote about a still-unreleased report from Chckpoint and the Miaan Group: The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging ...
Documented Death from a Ransomware Attack
A Dusseldorf woman died when a ransomware attack against a hospital forced her to be taken to a different hospital in another city. I think this is the first documented case of a cyberattack causing a fatality. UK hospitals had to redirect patients during the 2017 WannaCry ransomware attack, but...
Interview with the Author of the 2000 Love Bug Virus
No real surprises, but we finally have the story. The story he went on to tell is strikingly straightforward. De Guzman was poor, and internet access was expensive. He felt that getting online was almost akin to a human right a view that was ahead of its time. Getting access required a password, ...
Amazon Delivery Drivers Hacking Scheduling System
Amazon drivers -- all gig workers who dont work for the company -- are hanging cell phones in trees near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are: The phones in trees seem to serve as master devices that dispatch routes to multiple...
Former NSA Director Keith Alexander Joins Amazon’s Board of Directors
This sounds like a bad idea...
Friday Squid Blogging: Nano-Sized SQUIDS
SQUID news: Physicists have developed a small, compact superconducting quantum interference device SQUID that can detect magnetic fields. The team l focused on the instruments core, which contains two parallel layers of graphene. As usual, you can also use this squid post to talk about the securi...
Nihilistic Password Security Questions
Posted three years ago, but definitely appropriate for the times...
Matt Blaze on OTP Radio Stations
Matt Blaze discusses also here an interesting mystery about a Cuban one-time-pad radio station, and a random number generator error that probably helped arrest a pair of Russian spies in the US...
New Bluetooth Vulnerability
Theres a new unpatched Bluetooth vulnerability: The issue is with a protocol called Cross-Transport Key Derivation or CTKD, for short. When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKDs role is to set up two separate authentication keys for that phone: one for a...
How the FIN7 Cybercrime Gang Operates
The Grugq has written an excellent essay on how the Russian cybercriminal gang FIN7 operates. An excerpt: The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of...
Privacy Analysis of Ambient Light Sensors
Interesting privacy analysis of the Ambient Light Sensor API. And a blog post. Especially note the "Lessons Learned" section...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Cybersecurity Law & Policy Scholars Virtual Conference on September 17, 2020. I’m keynoting the Canadian Internet Registration Authority’s online symposium, Canadians Connected, on Wednesday, September 23, 2020...
Interesting Attack on the EMV Smartcard Payment Standard
Its complicated, but its basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able...