2960 matches found
NSA Security Awareness Posters
From a FOIA request, over a hundred old NSA security awareness posters. Here are the BBC's favorites. Here are Motherboard's favorites. I have a related personal story. Back in 1993, during the first Crypto Wars, I and a handful of other academic cryptographers visited the NSA for some meeting or...
U.S. Department of Interior Grounding All Drones
The Department of Interior is grounding all non-emergency drones due to security concerns: The order comes amid a spate of warnings and bans at multiple government agencies, including the Department of Defense, about possible vulnerabilities in Chinese-made drone systems that could be allowing...
Collating Hacked Data Sets
Two Harvard undergraduates completed a project where they went out on the dark web and found a bunch of stolen datasets. Then they correlated all the information, and combined it with additional, publicly available, information. No surprise: the result was much more detailed and personal. "What w...
Customer Tracking at Ralphs Grocery Store
To comply with California's new data privacy law, companies that collect information on consumers and users are forced to be more transparent about it. Sometimes the results are creepy. Here's an article about Ralphs, a California supermarket chain owned by Kroger: ...the form proceeds to state...
Google Receives Geofence Warrants
Sometimes it's hard to tell the corporate surveillance operations from the government ones: Google reportedly has a database called Sensorvault in which it stores location data for millions of devices going back almost a decade. The article is about geofence warrants, where the police go to...
Modern Mass Surveillance: Identify, Correlate, Discriminate
Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts a statewide ban may follow. In December, San Dieg...
Smartphone Election in Washington State
This year: King County voters will be able to use their name and birthdate to log in to a Web portal through the Internet browser on their phones, says Bryan Finney, the CEO of Democracy Live, the Seattle-based voting company providing the technology. Once voters have completed their ballots, the...
Friday Squid Blogging: More on the Giant Squid's DNA
Following on from last week's post, here's more information on sequencing the DNA of the giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Technical Report of the Bezos Phone Hack
Motherboard obtained and published the technical report on the hack of Jeff Bezos's phone, which is being attributed to Saudi Arabia, specifically to Crown Prince Mohammed bin Salman. ...investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the...
Apple Abandoned Plans for Encrypted iCloud Backup after FBI Complained
This is new from Reuters: More than two years ago, Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud, according to one current and three former FBI officials and one current and one former Apple employee. Under that plan, primarily...
Half a Million IoT Device Passwords Published
It's a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. Useful for anyone putting together a bot network: A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT Internet of...
Brazil Charges Glenn Greenwald with Cybercrimes
Glenn Greenwald has been charged with cybercrimes in Brazil, stemming from publishing information and documents that were embarrassing to the government. The charges are that he actively helped the people who actually did the hacking: Citing intercepted messages between Mr. Greenwald and the...
SIM Hijacking
SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take ov...
Clearview AI and Facial Recognition
The New York Times has a long story about Clearview AI, a small company that scrapes identified photos of people from pretty much everywhere, and then uses unstated magical AI technology to identify people in other photos. His tiny company, Clearview AI, devised a groundbreaking facial recognitio...
Friday Squid Blogging: Giant Squid Genome Analyzed
This is fantastic work: In total, the researchers identified approximately 2.7 billion DNA base pairs, which is around 90 percent the size of the human genome. There's nothing particularly special about that size, especially considering that the axolotl genome is 10 times larger than the human...
Securing Tiffany's Move
Story of how Tiffany & Company moved all of its inventory from one store to another. Short summary: careful auditing and a lot of police...
Critical Windows Vulnerability Discovered by NSA
Yesterday's Microsoft Windows patches included a fix for a critical vulnerability in the system's crypto library. A spoofing vulnerability exists in the way Windows CryptoAPI Crypt32.dll validates Elliptic Curve Cryptography ECC certificates. An attacker could exploit the vulnerability by using a...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at Indiana University Bloomington on January 30, 2020. I'll be at RSA Conference 2020 in San Francisco. On Wednesday, February 26, at 2:50 PM, I'll be part of a panel on "How to Reduce Supply Chain Risk: Lessons from...
5G Security
The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping i...
Artificial Personas and Public Discourse
Presidential campaign season is officially, officially, upon us now, which means it's time to confront the weird and insidious ways in which technology is warping politics. One of the biggest threats on the horizon: artificial personas are coming, and they're poised to take over political debate...
Friday Squid Blogging: Stuffed Squid with Vegetables and Pancetta
A Croatian recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Police Surveillance Tools from Special Services Group
Special Services Group, a company that sells surveillance tools to the FBI, DEA, ICE, and other US government agencies, has had its secret sales brochure published. Motherboard received the brochure as part of a FOIA request to the Irvine Police Department in California. "The Tombstone Cam is our...
New SHA-1 Attack
There's a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: ...
USB Cable Kill Switch for Laptops
BusKill is designed to wipe your laptop Linux only if it is snatched from you in a public place: The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the...
Mailbox Master Keys
Here's a physical-world example of why master keys are a bad idea. It's a video of two postal thieves using a master key to open apartment building mailboxes. Changing the master key for physical mailboxes is a logistical nightmare, which is why this problem won't be fixed anytime soon...
Friday Squid Blogging: Giant Squid Video from the Gulf of Mexico
Fantastic video: Scientists had used a specialized camera system developed by Widder called the Medusa, which uses red light undetectable to deep sea creatures and has allowed scientists to discover species and observe elusive ones. The probe was outfitted with a fake jellyfish that mimicked the...
Chrome Extension Stealing Cryptocurrency Keys and Passwords
A malicious Chrome extension surreptitiously steals Ethereum keys and passwords: According to Denley, the extension is dangerous to users in two ways. First, any funds ETH coins and ERC0-based tokens managed directly inside the extension are at risk. Denley says that the extension sends the priva...
Mysterious Drones Are Flying over Colorado
No one knows who they belong to. Well, of course someone knows. And my guess is that it's likely that we will know soon. EDITED TO ADD 1/3: Another article...
Hacking School Surveillance Systems
Lance Vick suggesting that students hack their schools' surveillance systems. "This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine," he said. Of course, there are a lot more laws in place against this sort of thing than there...
Friday Squid Blogging: New Species of Bobtail Squid
Euprymna brenneri was discovered in the waters of Okinawa. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Chinese Hackers Bypassing Two-Factor Authentication
Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system. How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese...
ToTok Is an Emirati Spying Tool
The smartphone messaging app ToTok is actually an Emirati spying tool: But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the...
Friday Squid Blogging: Streamlined Quick Unfolding Investigation Drone
Yet another squid acronym. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Lousy IoT Security
DTEN makes smart screens and whiteboards for videoconferencing systems. Forescout found that their security is terrible: In total, our researchers discovered five vulnerabilities of four different kinds: Data exposure: PDF files of shared whiteboards e.g. meeting notes and other sensitive files...
Attacker Causes Epileptic Seizure over the Internet
This isn't a first, but I think it will be the first conviction: The GIF set off a highly unusual court battle that is expected to equip those in similar circumstances with a new tool for battling threatening trolls and cyberbullies. On Monday, the man who sent Eichenwald the moving image, John...
Iranian Attacks on Industrial Control Systems
New details: At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium,...
Security Vulnerabilities in the RCS Texting Protocol
Interesting research: SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still used for calling and texting, which has long been known to be...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at SecIT by Heise in Hannover, Germany on March 26, 2020. The list is maintained on this page...
Friday Squid Blogging: Color-Changing Properties of the Opalescent Inshore Squid
Interesting stuff. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
EFF on the Mechanics of Corporate Surveillance
EFF has published a comprehensible and very readable "deep dive" into the technologies of corporate surveillance, both on the Internet and off. Well worth reading and sharing. Boing Boing post...
Scaring People into Supporting Backdoors
Back in 1998, Tim May warned us of the "Four Horsemen of the Infocalypse": "terrorists, pedophiles, drug dealers, and money launderers." I tended to cast it slightly differently. This is me from 2005: Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, an...
Extracting Data from Smartphones
Privacy International has published a detailed, technical examination of how data is extracted from smartphones...
Reforming CDA 230
There's a serious debate on reforming Section 230 of the Communications Decency Act. I am in the process of figuring out what I believe, and this is more a place to put resources and listen to people's comments. The EFF has written extensively on why it is so important and dismantling it will be...
Failure Modes in Machine Learning
Interesting taxonomy of machine-learning failures pdf that encompasses both mistakes and attacks, or -- in their words -- intentional and unintentional failure modes. It's a good basis for threat modeling...
Friday Squid Blogging: Squidfall Safety
Watchmen supporting material. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Andy Ellis on Risk Assessment
Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year. I've written about this before. One quote of mine: "The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small...
Election Machine Insecurity Story
Interesting story of a flawed computer voting machine and a paper ballot available for recount. All ended well, but only because of that paper backup. Vote totals in a Northampton County judge's race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across mor...
Becoming a Tech Policy Activist
Carolyn McCarthy gave an excellent TEDx talk about becoming a tech policy activist. It's a powerful call for public-interest technologists...
RSA-240 Factored
This just in: We are pleased to announce the factorization of RSA-240, from RSA's challenge list, and the computation of a discrete logarithm of the same size 795 bits: RSA-240 = 12462036678171878406583504460810659043482037465167880575481878888328...
The Story of Tiversa
The New Yorker has published the long and interesting story of the cybersecurity firm Tiversa. Watching "60 Minutes," Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turn...