2980 matches found
Friday Squid Blogging: On the Efficacy of Squid as Bait
How to use squid as bait. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
The DoD Isn't Fixing Its Security Problems
It has produced several reports outlining what's wrong and what needs to be fixed. It's not fixing them: GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and...
California Needlessly Reduces Privacy During COVID-19 Pandemic
This one isn't even related to contact tracing: On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 the Order, which relaxes various telehealth...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm being interviewed on "Hacking in the Public Interest" as part of the Black Hat Webcast Series, on Thursday, April 16, 2020 at 2:00 PM EDT. The list is maintained on this page...
Ransomware Now Leaking Stolen Documents
Originally, ransomware didn't involve any data theft. Malware would encrypt the data on your computer, and demand a ransom for the encryption key. Now ransomware is increasingly involving both encryption and exfiltration. Brian Krebs wrote about this in December. It's a further incentive for the...
Contact Tracing COVID-19 Infections via Smartphone Apps
Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. Details, such as we have them, are here. It's similar to the app being developed at MIT, and similar to others being described and developed elsewhere. It's nice seeing the privacy...
Friday Squid Blogging: Amazingly Realistic Squid Drawings
The squid drawings of Yuuki Tokuda are simply incredible. I tried to figure out how to buy one of them, but everything is in Japanese. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Kubernetes Security
Attack matrix for Kubernetes, using the MITRE ATT framework. A good first step towards understand the security of this suddenly popular and very complex container orchestration system...
Microsoft Buys Corp.com
A few months ago, Brian Krebs told the story of the domain corp.com, and how it is basically a security nightmare: At issue is a problem known as "namespace collision," a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains th...
RSA-250 Factored
RSA-250 has been factored. This computation was performed with the Number Field Sieve algorithm, using the open-source CADO-NFS software. The total computation time was roughly 2700 core-years, using Intel Xeon Gold 6130 CPUs as a reference 2.1GHz: RSA-250 sieving: 2450 physical core-years RSA-25...
Cybersecurity During COVID-19
Three weeks ago could it possibly be that long already?, I wrote about the increased risks of working remotely during the COVID-19 pandemic. One, employees are working from their home networks and sometimes from their home computers. These systems are more likely to be out of date, unpatched, and...
Emotet Malware Causes Physical Damage
Microsoft is reporting that an Emotet malware infection shut down a network by causing computers to overheat and then crash. The Emotet payload was delivered and executed on the systems of Fabrikam -- a fake name Microsoft gave the victim in their case study -- five days after the employee's user...
Friday Squid Blogging: On Squid Communication
They can communicate using bioluminescent flashes: New research published this week in Proceedings of the National Academy of Sciences presents evidence for a previously unknown semantic-like ability in Humboldt squid. What's more, these squid can enhance the visibility of their skin patterns by...
Security and Privacy Implications of Zoom
Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom. Over that same period, the company has been exposed for...
Bug Bounty Programs Are Being Used to Buy Silence
Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers: Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the...
Marriott Was Hacked -- Again
Marriott announced another data breach, this one affecting 5.2 million people: At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved: Contact Details e.g., name, mailing address, email address, an...
Dark Web Hosting Provider Hacked
Daniel's Hosting, which hosts about 7,600 dark web portals for free, has been hacked and is down. It's unclear when, or if, it will be back up...
Clarifying the Computer Fraud and Abuse Act
A federal court has ruled that violating a website's terms of service is not "hacking" under the Computer Fraud and Abuse Act. The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have...
Privacy vs. Surveillance in the Age of COVID-19
The trade-offs are changing: As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement authorities are understandably...
Friday Squid Blogging: Squid Can Edit Their Own Genome
Amazing: Revealing yet another super-power in the skillful squid, scientists have discovered that squid massively edit their own genetic instructions not only within the nucleus of their neurons, but also within the axon -- the long, slender neural projections that transmit electrical impulses to...
Story of Gus Weiss
This is a long and fascinating article about Gus Weiss, who masterminded a long campaign to feed technical disinformation to the Soviet Union, which may or may not have caused a massive pipeline explosion somewhere in Siberia in the 1980s, if in fact there even was a massive pipeline explosion...
On Cyber Warranties
Interesting article discussing cyber-warranties, and whether they are an effective way to transfer risk as envisioned by Ackerlof's "market for lemons" or a marketing trick. The conclusion: Warranties must transfer non-negligible amounts of liability to vendors in order to meaningfully overcome t...
Facial Recognition for People Wearing Masks
The Chinese facial recognition company Hanwang claims it can recognize people wearing masks: The company now says its masked facial recognition program has reached 95 percent accuracy in lab tests, and even claims that it is more accurate in real life, where its cameras take multiple photos of a...
Internet Voting in Puerto Rico
Puerto Rico is considered allowing for Internet voting. I have joined a group of security experts in a letter opposing the bill. Cybersecurity experts agree that under current technology, no practically proven method exists to securely, verifiably, or privately return voted materials over the...
Hacking Voice Assistants with Ultrasonic Waves
I previously wrote about hacking voice assistants with lasers. Turns you can do much the same thing with ultrasonic waves: Voice assistants -- the demo targeted Siri, Google Assistant, and Bixby -- are designed to respond when they detect the owner's voice after noticing a trigger phrase such as...
Friday Squid Blogging: Squid Orders Down in Italy
COVID-19 is depressing the demand for squid in Italy. The article is a week old, and already seems almost comically quaint. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Emergency Surveillance During COVID-19 Crisis
Israel is using emergency surveillance powers to track people who may have COVID-19, joining China and Iran in using mass surveillance in this way. I believe pressure will increase to leverage existing corporate surveillance infrastructure for these purposes in the US and other countries. With th...
Work-from-Home Security Advice
SANS has made freely available its "Work-from-Home Awareness Kit." When I think about how COVID-19's security measures are affecting organizational networks, I see several interrelated problems: One, employees are working from their home networks and sometimes from their home computers. These...
The Insecurity of WordPress and Apache Struts
Interesting data: A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts. The Drupal content...
TSA Admits Liquid Ban Is Security Theater
The TSA is allowing people to bring larger bottles of hand sanitizer with them on airplanes: Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces. However, the agency cautioned that the shift could mean slightly longer waits at checkpoint because the...
Friday Squid Blogging: New Report on Squid Markets
This report costs $2,000. Please don't buy it for me. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
The EARN-IT Act
Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes: The EARN IT Act would create a "National Commission on Online Child Sexual Exploitation...
The Whisper Secret-Sharing App Exposed Locations
This is a big deal: Whisper, the secret-sharing app that called itself the "safest place on the Internet," left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been...
LA Covers Up Bad Cybersecurity
This is bad in several dimensions. The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor...
CIA Dirty Laundry Aired
Joshua Schulte, the CIA employee standing trial for leaking the Wikileaks Vault 7 CIA hacking tools, maintains his innocence. And during the trial, a lot of shoddy security and sysadmin practices are coming out: All this raises a question, though: just how bad is the CIA's security that it wasn't...
Cybersecurity Law Casebook
Robert Chesney teaches cybersecurity at the University of Texas School of Law. He recently published a fantastic casebook, which is a good source for anyone studying this...
Friday Squid Blogging: The Effect of Noise on Squid
Two articles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
More on Crypto AG
One follow-on to the story of Crypto AG being owned by the CIA: this interview with a Washington Post reporter. The whole thing is worth reading or listening to, but I was struck by these two quotes at the end: ...in South America, for instance, many of the governments that were using Crypto...
Security of Health Information
The world is racing to contain the new COVID-19 virus that is spreading around the globe with alarming speed. Right now, pandemic disease experts at the World Health Organization WHO, the US Centers for Disease Control and Prevention CDC, and other public-health agencies are gathering information...
Let's Encrypt Vulnerability
The BBC is reporting a vulnerability in the Let's Encrypt certificate service: In a notification email to its clients, the organisation said: "We recently discovered a bug in the Let's Encrypt certificate authority code. "Unfortunately, this means we need to revoke the certificates that were...
Wi-Fi Chip Vulnerability
There's a vulnerability in Wi-Fi hardware that breaks the encryption: The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter a chipmaker Cypress acquired in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices,...
Facebook's Download-Your-Data Tool Is Incomplete
Privacy International has the details: Key facts: Despite Facebook claim, "Download Your Information" doesn't provide users with a list of all advertisers who uploaded a list with their personal data. As a user this means you can't exercise your rights under GDPR because you don't know which...
Friday Squid Blogging: Squid Eggs
Cool photo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here. EDITED TO ADD 3/4: I just deleted a slew of comments about COVID 19. I may reinstate some of them later; right now I want some time t...
Humble Bundle's 2020 Cybersecurity Books
For years, Humble Bundle has been selling great books at a "pay what you can afford" model. This month, they're featuring as many as nineteen cybersecurity books for as little as $1, including four of mine. These are digital copies, all DRM-free. Part of the money goes to support the EFF or Let's...
Deep Learning to Find Malicious Email Attachments
Google presented its system of using deep-learning techniques to identify malicious email attachments: At the RSA security conference in San Francisco on Tuesday, Google's security and anti-abuse research lead Elie Bursztein will present findings on how the new deep-learning scanner for documents...
Securing the Internet of Things through Class-Action Lawsuits
This law journal article discusses the role of class-action litigation to secure the Internet of Things. Basically, the article postulates that 1 market realities will produce insecure IoT devices, and 2 political failures will leave that industry unregulated. Result: insecure IoT. It proposes...
Newly Declassified Study Demonstrates Uselessness of NSA's Phone Metadata Program
The New York Times is reporting on the NSA's phone metadata program, which the NSA shut down last year: A National Security Agency system that analyzed logs of Americans' domestic phone calls and text messages cost $100 million from 2015 to 2019, but yielded only a single significant investigatio...
Firefox Enables DNS over HTTPS
This is good news: Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can't be intercepted or hijacked in order to send...
Russia Is Trying to Tap Transatlantic Cables
The Times of London is reporting that Russian agents are in Ireland probing transatlantic communications cables. Ireland is the landing point for undersea cables which carry internet traffic between America, Britain and Europe. The cables enable millions of people to communicate and allow financi...
Friday Squid Blogging: 13-foot Giant Squid Caught off New Zealand Coast
It's probably a juvenile: Researchers aboard the New Zealand-based National Institute of Water and Atmospheric Research Ltd NIWA research vessel Tangaroa were on an expedition to survey hoki, New Zealand's most valuable commercial fish, in the Chatham Rise an area of ocean floor to the east of...