2017 Tesla Hack
Interesting story of a class break against the entire Tesla fleet...
Insider Attack on the Carnegie Library
Greg Priore, the person in charge of the rare book room at the Carnegie Library, stole from it for almost two decades before getting caught. It's a perennial problem: trusted insiders have to be trusted...
North Korea ATM Hack
The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide: This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agenc...
Seny Kamara on "Crypto for the People"
Seny Kamara gave an excellent keynote talk this year at the online CRYPTO Conference. He talked about solving real-world crypto problems for marginalized communities around the world, instead of crypto problems for governments and corporations. Well worth watching and listening to...
Friday Squid Blogging: How Squid Survive Freezing, Oxygen-Deprived Waters
Lots of interesting genetic details. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
US Postal Service Files Blockchain Voting Patent
The US Postal Service has filed a patent on a blockchain voting method: Abstract: A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot...
Cory Doctorow on The Age of Surveillance Capitalism
Cory Doctorow has written an extended rebuttal of The Age of Surveillance Capitalism by Shoshana Zuboff. He summarized the argument on Twitter. Shorter summary: it's not the surveillance part, it's the fact that these companies are monopolies. I think it's both. Surveillance capitalism has some...
Amazon Supplier Fraud
Interesting story of an Amazon supplier fraud: According to the indictment, the brothers swapped ASINs for items Amazon ordered to send large quantities of different goods instead. In one instance, Amazon ordered 12 canisters of disinfectant spray costing $94.03. The defendants allegedly shipped...
Identifying People by Their Browsing Histories
Interesting paper: "Replication: Why We Still Can't Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories": We examine the threat to individuals' privacy based on the feasibility of reidentifying users through distinctive profiles of their browsing history visible to...
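As an added illustration of the reidentification threat the paper measures (example code written for this page, not the authors' code or data), the Python below builds a constructed set of browsing histories, measures how many of them are unique across the population, and then matches a later, partial observation of each user back to the enrolled profiles by Jaccard similarity. The domain names, the user count, the Zipf-style popularity model and the 50% observation fraction are all assumptions made here for the example.

```python
import random
from collections import Counter
from itertools import accumulate

# Constructed data for this example: a synthetic pool of domains and
# synthetic per-user histories.  Nothing below comes from the paper's dataset.
DOMAIN_POOL = [f"site{i}.example" for i in range(200)]
# Zipf-like popularity so a handful of domains show up in almost every history,
# which is what makes the *tail* of a history the identifying part.
_CUM_WEIGHTS = list(accumulate(1.0 / (rank + 1) for rank in range(len(DOMAIN_POOL))))


def make_histories(n_users, history_len, seed=1):
    """Build n_users synthetic histories, each a frozenset of history_len distinct domains."""
    rng = random.Random(seed)
    histories = {}
    for u in range(n_users):
        visited = set()
        while len(visited) < history_len:
            visited.add(rng.choices(DOMAIN_POOL, cum_weights=_CUM_WEIGHTS)[0])
        histories[f"user{u}"] = frozenset(visited)
    return histories


def uniqueness(histories):
    """Fraction of users whose exact domain set matches no other user's
    (an anonymity set of size one)."""
    counts = Counter(histories.values())
    return sum(1 for h in histories.values() if counts[h] == 1) / len(histories)


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def reidentify(observed, known):
    """Match a partial, later observation against enrolled profiles.
    Returns (best_user, score); a real tracker would also threshold the score."""
    best_user, best_hist = max(known.items(), key=lambda kv: jaccard(observed, kv[1]))
    return best_user, jaccard(observed, best_hist)


def reidentification_rate(known, observe_frac=0.5, seed=2):
    """Re-observe every enrolled user with only observe_frac of their domains
    visible and measure how often the matcher names the right user."""
    rng = random.Random(seed)
    hits = 0
    for user, hist in known.items():
        k = max(1, int(len(hist) * observe_frac))
        partial = frozenset(rng.sample(sorted(hist), k))
        hits += reidentify(partial, known)[0] == user
    return hits / len(known)


if __name__ == "__main__":
    enrolled = make_histories(300, 50)
    print("unique histories:", uniqueness(enrolled))
    print("reidentified from half a history:", reidentification_rate(enrolled))
```

The point the numbers make: even though every synthetic user visits the same popular sites, the long tail of a 50-domain history is almost always unique, and seeing only half of it later is enough to name the user, because the Jaccard score against the true profile sits well above the score against anyone else.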
DiceKeys
DiceKeys is a physical mechanism for creating and storing a 192-bit key. The idea is that you roll a special set of twenty-five dice, put them into a plastic jig, and then use an app to convert those dice into a key. You can then use that key for a variety of purposes, and regenerate it from the...
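As an added illustration of turning a physical reading like this into a reproducible key (example code for this page, not DiceKeys' own code, encoding or derivation function), the Python below serializes a 25-die reading, validates it, and derives purpose-bound 192-bit keys from it with HMAC-SHA256. The die model (25 distinct lettered dice, digit faces 1 to 6, four orientations), the canonical string format and the HMAC construction are assumptions made here; the two properties the example demonstrates are the ones that matter for any such scheme: the same reading always regenerates the same key, and a single mis-read die yields an unrelated key, which is why the serializer rejects a malformed scan rather than quietly deriving something else.

```python
import hashlib
import hmac
import math
import random
from dataclasses import dataclass

# Assumed die model for this example (not DiceKeys' actual encoding): 25 dice,
# each carrying a distinct letter, each face showing a digit 1-6, each die
# readable in one of four orientations (quarter turns) in its jig slot.
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXY"  # 25 distinct dice


@dataclass(frozen=True)
class Die:
    letter: str
    digit: int
    orientation: int  # quarter turns, 0-3


def canonical(dice):
    """Serialize a 5x5 reading (slot order, row-major) into a fixed string.
    Validation makes a mis-scan fail loudly instead of silently deriving a
    different key."""
    if len(dice) != 25:
        raise ValueError("need exactly 25 dice")
    if sorted(d.letter for d in dice) != sorted(LETTERS):
        raise ValueError("each letter must appear exactly once")
    for d in dice:
        if not (1 <= d.digit <= 6 and 0 <= d.orientation <= 3):
            raise ValueError(f"bad reading {d}")
    return "".join(f"{d.letter}{d.digit}{d.orientation}" for d in dice)


def derive_key(dice, purpose, bits=192):
    """Derive a purpose-bound key from the reading.  HMAC-SHA256 keyed by the
    canonical reading with the purpose label as the message, so one set of
    dice yields independent keys for independent uses (assumed KDF)."""
    mac = hmac.new(canonical(dice).encode(), purpose.encode(), hashlib.sha256).digest()
    return mac[: bits // 8]


def reading_entropy_bits():
    """Upper bound on the entropy of one reading under the assumed model:
    25! letter placements * 6^25 faces * 4^25 orientations."""
    return math.log2(math.factorial(25)) + 25 * math.log2(6) + 25 * math.log2(4)


def example_reading(seed=7):
    """A constructed reading, seeded so the demo is reproducible.  Real keys
    must come from physically rolled dice, never from a PRNG like this."""
    rng = random.Random(seed)
    letters = list(LETTERS)
    rng.shuffle(letters)
    return [Die(l, rng.randint(1, 6), rng.randrange(4)) for l in letters]


if __name__ == "__main__":
    reading = example_reading()
    print("canonical:", canonical(reading))
    print("password-manager key:", derive_key(reading, "password-manager").hex())
    print("entropy bound (bits): %.1f" % reading_entropy_bits())
```

Under the assumed model the reading carries roughly 198 bits, comfortably above the 192-bit key, but that bound assumes the dice are fair and the scan is exact; validation catches the second problem, nothing in software can fix the first.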
Friday Squid Blogging: Rhode Island's State Appetizer Is Calamari
Rhode Island has an official state appetizer, and it's calamari. Who knew? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Yet Another Biometric: Bioacoustic Signatures
Sound waves through the body are unique enough to be a biometric: "Modeling allowed us to infer what structures or material features of the human body actually differentiated people," explains Joo Yong Sim, one of the ETRI researchers who conducted the study. "For example, we could see how the...
Copying a Key by Listening to It in Action
Researchers are using recordings of keys being used in locks to create copies. Once they have a key-insertion audio file, SpiKey's inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock's pins and you can hear those filtered clicks...
Using Disinformation to Cause a Blackout
Interesting paper: "How weaponizing disinformation can bring down a city's power grid": Abstract: Social media has made it possible to manipulate the masses via disinformation and fake news at an unprecedented scale. This is particularly alarming from a security perspective, as humans have proven...
Vaccine for Emotet Malware
Interesting story of a vaccine for the Emotet malware: Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put together a tiny PowerShell script that exploited the registry key mechanism to crash Emotet itself. T...
Robocall Results from a Telephony Honeypot
A group of researchers set up a telephony honeypot and tracked robocall behavior: NCSU researchers said they ran 66,606 telephone lines between March 2019 and January 2020, during which time they said they received 1,481,201 unsolicited calls -- even if they never made their phone numbers publ...
Friday Squid Blogging: Editing the Squid Genome
Scientists have edited the genome of the Doryteuthis pealeii squid with CRISPR. A first. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm giving a keynote address at the Cybersecurity and Data Privacy Law virtual conference on September 9, 2020. The list is maintained on this page...
Drovorub Malware
The NSA and FBI have jointly disclosed Drovorub, a Russian malware suite that targets Linux. Detailed advisory. Fact sheet. News articles. Reddit thread...
UAE Hack and Leak Operations
Interesting paper on recent hack-and-leak operations attributed to the UAE: Abstract: Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the "simulation of scandal" -- deliberate...
Cryptanalysis of an Old Zip Encryption Algorithm
Mike Stay broke an old zipfile encryption algorithm to recover $300,000 in bitcoin. DefCon talk here...
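The old algorithm is assumed here to be PKZIP's legacy "traditional" encryption, usually called ZipCrypto; the Python below is my own reimplementation from the published algorithm description, added for illustration and not code from the talk. It shows the structure that makes the cipher attackable with known plaintext: three 32-bit registers, a keystream byte computed from the low half of one register alone, and a state update driven by the plaintext byte, so knowing plaintext pins down every step of the state sequence. The password, sample data and the fixed 12-byte header used below are constructed for the example.

```python
import os

# Legacy PKZIP "traditional" encryption (ZipCrypto), reimplemented here for
# illustration.  One object is one entry: construct a fresh ZipCrypto per
# encrypt() or decrypt() call.


def _make_crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (0xEDB88320 ^ (c >> 1)) if c & 1 else (c >> 1)
        table.append(c)
    return table


_CRC_TABLE = _make_crc_table()


def crc32_step(crc, b):
    """One table-driven CRC-32 step without the usual pre/post inversion,
    exactly as the cipher's key update uses it."""
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


def stream_byte(key2):
    """The keystream byte depends only on the low 16 bits of key2."""
    t = (key2 & 0xFFFF) | 2
    return ((t * (t ^ 1)) >> 8) & 0xFF


class ZipCrypto:
    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self.update(b)

    def update(self, b):
        """State update; note that b is the *plaintext* byte, so the keystream
        for byte i+1 depends on plaintext byte i."""
        k0 = crc32_step(self.keys[0], b)
        k1 = ((self.keys[1] + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc32_step(self.keys[2], k1 >> 24)
        self.keys = [k0, k1, k2]

    def keystream(self, plaintext):
        """The keystream bytes that encrypting this plaintext would use."""
        out = bytearray()
        for p in plaintext:
            out.append(stream_byte(self.keys[2]))
            self.update(p)
        return bytes(out)

    def encrypt(self, plaintext):
        return bytes(p ^ k for p, k in zip(plaintext, self.keystream(plaintext)))

    def decrypt(self, ciphertext):
        out = bytearray()
        for c in ciphertext:
            p = c ^ stream_byte(self.keys[2])
            self.update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, data, header=None):
    """A zip entry encrypts a 12-byte header (random in real archives) followed
    by the data under one keystream; the header randomizes the state per entry."""
    header = os.urandom(12) if header is None else header
    if len(header) != 12:
        raise ValueError("header must be 12 bytes")
    return ZipCrypto(password).encrypt(header + data)


def decrypt_entry(password, blob):
    return ZipCrypto(password).decrypt(blob)[12:]


def recover_keystream(ciphertext, known_plaintext):
    """Known-plaintext step: XOR exposes the keystream bytes actually used.
    Each one is stream_byte(key2) at that position, which is where the
    published known-plaintext attacks on this cipher start recovering state."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


if __name__ == "__main__":
    pw = b"correct horse"                 # constructed password
    data = b"attack at dawn, " * 3        # constructed plaintext
    blob = encrypt_entry(pw, data)
    print("round trip ok:", decrypt_entry(pw, blob) == data)
    print("leaked keystream (hex):", recover_keystream(blob[12:], data).hex())
```

Two things worth noticing when you run it: the first keystream byte never depends on the plaintext (only on the password-derived state), and every later one depends on the plaintext bytes before it, which is why an attacker who knows a stretch of plaintext learns a stretch of consecutive key2 outputs rather than an isolated sample.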
Collecting and Selling Mobile Phone Location Data
The Wall Street Journal has an article about a company called Anomaly Six LLC that has an SDK that's used by "more than 500 mobile applications." Through that SDK, the company collects location data from users, which it then sells. Anomaly Six is a federal contractor that provides...
Smart Lock Vulnerability
Yet another Internet-connected door lock is insecure: Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code." Users can share temporary...
Friday Squid Blogging: New SQUID
There's a new SQUID: A new device that relies on flowing clouds of ultracold atoms promises potential tests of the intersection between the weirdness of the quantum world and the familiarity of the macroscopic world we experience every day. The atomtronic Superconducting QUantum Interference Devi...
The NSA on the Risks of Exposing Location Data
The NSA has issued an advisory on the risks of location data. Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action bas...
Cybercrime in the Age of COVID-19
The Cambridge Cybercrime Centre has a series of papers on cybercrime during the coronavirus pandemic. EDITED TO ADD 8/12: Interpol report...
BlackBerry Phone Cracked
Australia is reporting that a BlackBerry device has been cracked after five years: An encrypted BlackBerry device that was cracked five years after it was first seized by police is poised to be the key piece of evidence in one of the state's longest-running drug importation investigations. In...
Twitter Hacker Arrested
A 17-year-old Florida boy was arrested and charged with last week's Twitter hack. News articles. Boing Boing post. Florida state attorney press release. This is a developing story. Post any additional news in the comments. EDITED TO ADD 8/1: Two others have been charged as well. EDITED TO ADD 8/1...
Friday Squid Blogging: Squid Proteins for a Better Face Mask
Researchers are synthesizing squid proteins to create a face mask that better survives cleaning. And you thought there was no connection between squid and COVID-19. The military thinks this might have applications for self-healing robots. As usual, you can also use this squid post to talk about t...
Data and Goliath Book Placement
Notice the copy of Data and Goliath just behind the head of Maine Senator Angus King. This demonstrates the importance of a vibrant color and a large font...
Fake Stories in Real News Sites
FireEye is reporting that a hacking group called Ghostwriter broke into the content management systems of Eastern European news sites to plant fake stories. From a Wired story: The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NA...
Survey of Supply Chain Attacks
The Atlantic Council has released a report that looks at the history of computer supply chain attacks. Key trends from their summary: 1. Deep Impact from State Actors: There were at least 27 different state attacks against the software supply chain including from Russia, China, North Korea, and...
Images in Eye Reflections
In Japan, a cyberstalker located his victim by enhancing the reflections in her eye, and using that information to establish a location. Reminds me of the image enhancement scene in Blade Runner. That was science fiction, but now image resolution is so good that we have to worry about it...
Friday Squid Blogging: Introducing the Seattle Kraken
The Kraken is the name of Seattle's new NHL franchise. I have always really liked collective nouns as sports team names like the Utah Jazz or the Minnesota Wild, mostly because it's hard to describe individual players. As usual, you can also use this squid post to talk about the security stories ...
Update on NIST's Post-Quantum Cryptography Program
NIST has posted an update on their post-quantum cryptography program: After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, the National Institute of Standards and Technology (NIST) has winnowed the 69...
Adversarial Machine Learning and the CFAA
I just co-authored a paper on the legal risks of doing machine learning research, given the current state of the Computer Fraud and Abuse Act: Abstract: Adversarial Machine Learning is booming with ML researchers increasingly targeting commercial ML systems such as those used in Facebook, Tesla,...
Fawkes: Digital Image Cloaking
Fawkes is a system for manipulating digital images so that they aren't recognized by facial recognition systems. At a high level, Fawkes takes your personal images, and makes tiny, pixel-level changes to them that are invisible to the human eye, in a process we call image cloaking. You can then u...
Hacking a Power Supply
This hack targets the firmware on modern power supplies. Yes, power supplies are also computers. Normally, when a phone is connected to a power brick with support for fast charging, the phone and the power adapter communicate with each other to determine the proper amount of electricity that can ...
On the Twitter Hack
Twitter was hacked this week. Not a few people's Twitter accounts, but all of Twitter. Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter's system administrators. Those are the people trusted to ensure that Twitter functions smoothly. The...
Friday Squid Blogging: Squid Found on Provincetown Sandbar
Headline: "Dozens of squid found on Provincetown sandbar." Slow news day. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...