2980 matches found
Examining the US Cyber Budget
Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack. To its credit, this budget does reveal an overall growth in cybersecurity funding of about 5...
Friday Squid Blogging: Human Cells with Squid-Like Transparency
I think we need more human organs with squid-like features. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Facebook Helped Develop a Tails Exploit
This is a weird story: Hernandez was able to evade capture for so long because he used Tails, a version of Linux designed for users at high risk of surveillance and which routes all inbound and outbound connections through the open-source Tor network to anonymize it. According to Vice, the FBI ha...
Another Intel Speculative Execution Vulnerability
Remember Spectre and Meltdown? Back in early 2018, I wrote: Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming --...
Availability Attacks against Neural Networks
New research on using specially crafted inputs to slow down machine-learning neural network systems: Sponge Examples: Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN to burn more energy, take more time, or both. They affect a wide range of DNN...
Security Analysis of the Democracy Live Online Voting System
New research: "Security Analysis of the Democracy Live Online Voting System": Abstract: Democracy Live's OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and optionally online voting. Three states -- Delaware, West Virginia, and New Jersey -- recently announced...
Gene Spafford on Internet Voting
Good interview...
Phishing Attacks against Trump and Biden Campaigns
Google's threat analysts have identified state-level attacks from China. I hope both campaigns are working under the assumption that everything they say and do will be dumped on the Internet before the election. That feels like the most likely outcome...
Friday Squid Blogging: Shark vs. Squid
National Geographic has a photo of a 7-foot long shark that fought a giant squid and lived to tell the tale. Or, at least, lived to show off the suction marks on his skin. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blo...
New Research: "Privacy Threats in Intimate Relationships"
I just published a new paper with Karen Levy of Cornell: "Privacy Threats in Intimate Relationships." Abstract: This article provides an overview of intimate threats: a class of privacy threats that can arise within our families, romantic partnerships, close friendships, and caregiving...
Zoom's Commitment to User Security Depends on Whether you Pay It or Not
Zoom was doing so well.... And now we have this: Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications. "Free users for sure ...
Wallpaper that Crashes Android Phones
This is interesting: The image, a seemingly innocuous sunset or dawn sky above placid waters, may be viewed without harm. But if loaded as wallpaper, the phone will crash. The fault does not appear to have been maliciously created. Rather, according to developers following Ice Universe's Twitter...
"Sign in with Apple" Vulnerability
Researcher Bhavuk Jain discovered a vulnerability in the "Sign in with Apple" feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any account. It is fixed. EDITED TO ADD 6/2: Another story...
Password Changing After a Breach
This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password. Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other...
Friday Squid Blogging: Humboldt Squid Communication
Humboldt Squid communicate by changing their skin patterns and glowing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Bogus Security Technology: An Anti-5G USB Stick
The 5GBioShield sells for £339.60, and the description sounds like snake oil: ...its website, which describes it as a USB key that "provides protection for your home and family, thanks to the wearable holographic nano-layer catalyser, which can be worn or placed near to a smartphone or any other...
Facebook Announces Messenger Security Features that Don't Compromise Privacy
Note that this is "announced," so we don't know when it's actually going to be implemented. Facebook today announced new features for Messenger that will alert you when messages appear to come from financial scammers or potential child abusers, displaying warnings in the Messenger app that provid...
Thermal Imaging as Security Theater
Seems like thermal imaging is the security theater technology of today. These features are so tempting that thermal cameras are being installed at an increasing pace. They're used in airports and other public transportation centers to screen travelers, increasingly used by companies to screen...
Websites Conducting Port Scans
Security researcher Charlie Belmer is reporting that commercial websites such as eBay are conducting port scans of their visitors. Looking at the list of ports they are scanning, they are looking for VNC services being run on the host, which is the same thing that was reported for bank sites. I...
Bluetooth Vulnerability: BIAS
This is new research on a Bluetooth vulnerability called BIAS that allows someone to impersonate a trusted device: Abstract: Bluetooth BR/EDR is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a...
Friday Squid Blogging: Squid Can Edit Their Own Genomes
This is new news: Revealing yet another super-power in the skillful squid, scientists have discovered that squid massively edit their own genetic instructions not only within the nucleus of their neurons, but also within the axon -- the long, slender neural projections that transmit electrical...
Ann Mitchell, Bletchley Park Cryptanalyst, Dies
Obituary...
Bart Gellman on Snowden
Bart Gellman's long-awaited at least by me book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic. It's an interesting read, mostly about the government surveillance of hi...
Criminals and the Normalization of Masks
I was wondering about this: Masks that have made criminals stand apart long before bandanna-wearing robbers knocked over stagecoaches in the Old West and ski-masked bandits held up banks now allow them to blend in like concerned accountants, nurses and store clerks trying to avoid a deadly virus...
AI and Cybersecurity
Ben Buchanan has written "A National Security Research Agenda for Cybersecurity and Artificial Intelligence." It's really good -- well worth reading...
Ramsey Malware
A new malware, called Ramsey, can jump air gaps: ESET said they've been able to track down three different versions of the Ramsay malware, one compiled in September 2019 Ramsay v1, and two others in early and late March 2020 Ramsay v2.a and v2.b. Each version was different and infected victims...
Friday Squid Blogging: Vegan "Squid" Made from Chickpeas
It's beyond Beyond Meat. A Singapore company wants to make vegan "squid" -- and shrimp and crab -- from chickpeas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
On Marcus Hutchins
Long and nuanced story about Marcus Hutchins, the British hacker who wrote most of the Kronos malware and also stopped WannaCry in real time. Well worth reading...
US Government Exposes North Korean Malware
US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February. The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool RAT "used by advanced persistent threat APT cyber...
New US Electronic Warfare Platform
The Army is developing a new electronic warfare pod capable of being put on drones and on trucks. ...the Silent Crow pod is now the leading contender for the flying flagship of the Army's rebuilt electronic warfare force. Army EW was largely disbanded after the Cold War, except for short-range...
Attack Against PC Thunderbolt Port
The attack requires physical access to the computer, but it's pretty devastating: On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer -- and even its hard disk encryption -- to gain full access to the...
Another California Data Privacy Law
The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive: In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the "California Consumer...
Friday Squid Blogging: Jurassic Squid Attack
It's the oldest squid attack on record: An ancient squid-like creature with 10 arms covered in hooks had just crushed the skull of its prey in a vicious attack when disaster struck, killing both predator and prey, according to a Jurassic period fossil of the duo found on the southern coast of...
Used Tesla Components Contain Personal Information
Used Tesla components, sold on eBay, still contain personal information, even after a factory reset. This is a decades-old problem. It's a problem with used hard drives. It's a problem with used photocopiers and printers. It will be a problem with IoT devices. It'll be a problem with everything,...
iOS XML Bug
This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox. A summary: What a crazy bug, and Siguza's explanation is very cogent. Basically, it comes down to this: XML is terrible. iOS uses XML for Plists, and Plists are used everywhere in iOS and MacOS...
ILOVEYOU Virus
It's the twentieth anniversary of the ILOVEYOU virus, and here are three interesting articles about it and its effects on software design...
Malware in Google Apps
Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam. At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they...
Denmark, Sweden, Germany, the Netherlands and France SIGINT Alliance
This paper describes a SIGINT and code-breaking alliance between Denmark, Sweden, Germany, the Netherlands and France called Maximator: Abstract: This article is first to report on the secret European five-partner sigint alliance Maximator that started in the late 1970s. It discloses the name...
Friday Squid Blogging: Cocaine Smuggled in Squid
Makes sense; there's room inside a squid's body cavity: Latin American drug lords have sent bumper shipments of cocaine to Europe in recent weeks, including one in a cargo of squid, even though the coronavirus epidemic has stifled legitimate transatlantic trade, senior anti-narcotics officials sa...
Me on COVID-19 Contact Tracing Apps
I was quoted in BuzzFeed: "My problem with contact tracing apps is that they have absolutely no value," Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. "I'm not even talking about the privacy concerns, I mea...
Securing Internet Videoconferencing Apps: Zoom and Others
The NSA just published a survey of video conferencing apps. So did Mozilla. Zoom is on the good list, with some caveats. The company has done a lot of work addressing previous security concerns. It still has a bit to go on end-to-end encryption. Matthew Green looked at this. Zoom does offer...
How Did Facebook Beat a Federal Wiretap Demand?
This is interesting: Facebook Inc. in 2018 beat back federal prosecutors seeking to wiretap its encrypted Messenger app. Now the American Civil Liberties Union is seeking to find out how. The entire proceeding was confidential, with only the result leaking to the press. Lawyers for the ACLU and t...
Fooling NLP Systems Through Word Swapping
MIT researchers have built a system that fools natural-language processing systems by swapping words with synonyms: The software, developed by a team at MIT, looks for the words in a sentence that are most important to an NLP classifier and replaces them with a synonym that a human would find...
Automatic Instacart Bots
Instacart is taking legal action against bots that automatically place orders: Before it closed, to use Cartdash users first selected what items they want from Instacart as normal. Once that was done, they had to provide Cartdash with their Instacart email address, password, mobile number, tip...
Friday Squid Blogging: Humboldt Squid Backlight Themselves to Communicate More Clearly
This is neat: Deep in the Pacific Ocean, six-foot-long Humboldt squid are known for being aggressive, cannibalistic and, according to new research, good communicators. Known as "red devils," the squid can rapidly change the color of their skin, making different patterns to communicate, something...
Global Surveillance in the Wake of COVID-19
OneZero is tracking thirty countries around the world who are implementing surveillance programs in the wake of COVID-19: The most common form of surveillance implemented to battle the pandemic is the use of smartphone location data, which can track population-level movement down to enforcing...
Chinese COVID-19 Disinformation Campaign
The New York Times is reporting on state-sponsored disinformation campaigns coming out of China: Since that wave of panic, United States intelligence agencies have assessed that Chinese operatives helped push the messages across platforms, according to six American officials, who spoke on the...
New iPhone Zero-Day Discovered
Last year, ZecOps discovered two iPhone zero-day exploits. They will be patched in the next iOS release: Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said "we were a bit surprised about who was...
Another Story of Bad 1970s Encryption
This one is from the Netherlands. It seems to be clever cryptanalysis rather than a backdoor. The Dutch intelligence service has been able to read encrypted communications from dozens of countries since the late 1970s thanks to a microchip, according to research by de Volkskrant on Thursday. The...
Vulnerability Finding Using Machine Learning
Microsoft is training a machine-learning system to find software bugs: At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories. To better label and prioritize bugs at that scale, we couldn't just apply mo...