2979 matches found
ToTok Is an Emirati Spying Tool
The smartphone messaging app ToTok is actually an Emirati spying tool: But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the...
Friday Squid Blogging: Streamlined Quick Unfolding Investigation Drone
Yet another squid acronym. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Lousy IoT Security
DTEN makes smart screens and whiteboards for videoconferencing systems. Forescout found that their security is terrible: In total, our researchers discovered five vulnerabilities of four different kinds: Data exposure: PDF files of shared whiteboards e.g. meeting notes and other sensitive files...
Attacker Causes Epileptic Seizure over the Internet
This isn't a first, but I think it will be the first conviction: The GIF set off a highly unusual court battle that is expected to equip those in similar circumstances with a new tool for battling threatening trolls and cyberbullies. On Monday, the man who sent Eichenwald the moving image, John...
Iranian Attacks on Industrial Control Systems
New details: At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium,...
Security Vulnerabilities in the RCS Texting Protocol
Interesting research: SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still used for calling and texting, which has long been known to be...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at SecIT by Heise in Hannover, Germany on March 26, 2020. The list is maintained on this page...
Friday Squid Blogging: Color-Changing Properties of the Opalescent Inshore Squid
Interesting stuff. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
EFF on the Mechanics of Corporate Surveillance
EFF has published a comprehensible and very readable "deep dive" into the technologies of corporate surveillance, both on the Internet and off. Well worth reading and sharing. Boing Boing post...
Scaring People into Supporting Backdoors
Back in 1998, Tim May warned us of the "Four Horsemen of the Infocalypse": "terrorists, pedophiles, drug dealers, and money launderers." I tended to cast it slightly differently. This is me from 2005: Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, an...
Extracting Data from Smartphones
Privacy International has published a detailed, technical examination of how data is extracted from smartphones...
Reforming CDA 230
There's a serious debate on reforming Section 230 of the Communications Decency Act. I am in the process of figuring out what I believe, and this is more a place to put resources and listen to people's comments. The EFF has written extensively on why it is so important and dismantling it will be...
Failure Modes in Machine Learning
Interesting taxonomy of machine-learning failures pdf that encompasses both mistakes and attacks, or -- in their words -- intentional and unintentional failure modes. It's a good basis for threat modeling...
Friday Squid Blogging: Squidfall Safety
Watchmen supporting material. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Andy Ellis on Risk Assessment
Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year. I've written about this before. One quote of mine: "The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small...
Election Machine Insecurity Story
Interesting story of a flawed computer voting machine and a paper ballot available for recount. All ended well, but only because of that paper backup. Vote totals in a Northampton County judge's race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across mor...
Becoming a Tech Policy Activist
Carolyn McCarthy gave an excellent TEDx talk about becoming a tech policy activist. It's a powerful call for public-interest technologists...
RSA-240 Factored
This just in: We are pleased to announce the factorization of RSA-240, from RSA's challenge list, and the computation of a discrete logarithm of the same size 795 bits: RSA-240 = 12462036678171878406583504460810659043482037465167880575481878888328...
The Story of Tiversa
The New Yorker has published the long and interesting story of the cybersecurity firm Tiversa. Watching "60 Minutes," Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turn...
Cameras that Automatically Detect Mobile Phone Use
New South Wales is implementing a camera system that automatically detects when a driver is using a mobile phone...
Friday Squid Blogging: Squid-Like Underwater Drone
The Sea Hunting Autonomous Reconnaissance Drone SHARD swims like a squid and can explode on command. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Manipulating Machine Learning Systems by Manipulating Training Data
Interesting research: "TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents": Abstract:: Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-ti...
DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy
The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it. The devil is in the details, of course, but...
Friday Squid Blogging: T-Shirt
"Squid Pro Quo" T-shirt. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
The NSA Warns of TLS Inspection
The NSA has released a security advisory warning of the dangers of TLS inspection: Transport Layer Security Inspection TLSI, also known as TLS break and inspect, is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the...
GPS Manipulation
Long article on the manipulation of GPS in Shanghai. It seems not to be some Chinese military program, but ships who are stealing sand. The Shanghai "crop circles," which somehow spoof each vessel to a different false location, are something new. "I'm still puzzled by this," says Humphreys. "I...
Iran Has Shut Off its Internet
Iran has gone pretty much entirely offline in the wake of nationwide protests. This is the best article detailing what's going on; this is also good. AccessNow has a global campaign to stop Internet shutdowns. TITLE EDITED TO REDUCE CONFUSION...
Security Vulnerabilities in Android Firmware
Researchers have discovered and revealed 146 vulnerabilities in various incarnations of Android smartphone firmware. The vulnerabilities were found by scanning the phones of 29 different Android makers, and each is unique to a particular phone or maker. They were found using automatic tools, and ...
Friday Squid Blogging: Planctotuethis Squid
Neat video, and an impressive-looking squid. I can't figure out how long it is. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
TPM-Fail Attacks Against Cryptographic Coprocessors
Really interesting research: TPM-FAIL: TPM meets Timing and Lattice Attacks, by Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. Abstract: Trusted Platform Module TPM serves as a hardware-based root of trust that protects cryptographic keys from privileged system and physical...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking on "Securing a World of Physically Capable Computers" at the Indian Institute of Science in Bangalore, India on December 12, 2019. The list is maintained on this page...
Technology and Policymakers
Technologists and policymakers largely inhabit two separate worlds. It's an old problem, one that the British scientist CP Snow identified in a 1959 essay entitled The Two Cultures. He called them sciences and humanities, and pointed to the split as a major hindrance to solving the world's...
NTSB Investigation of Fatal Driverless Car Accident
Autonomous systems are going to have to do much better than this. The Uber car that hit and killed Elaine Herzberg in Tempe, Ariz., in March 2018 could not recognize all pedestrians, and was being driven by an operator likely distracted by streaming video, according to documents released by the...
Identifying and Arresting Ransomware Criminals
The Wall Street Journal has a story about how two people were identified as the perpetrators of a ransomware scheme. They were found because -- as generally happens -- they made mistakes covering their tracks. They were investigated because they had the bad luck of locking up Washington, DC's vid...
Fooling Voice Assistants with Lasers
Interesting: Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible -- and sometimes invisible -- commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a...
Friday Squid Blogging: 80-Foot Steel Kraken Deliberately Sunk
The headline gives the story: "An 80-Foot Steel Kraken Will Create an Artificial Coral Reef Near the British Virgin Islands." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
xHelper Malware for Android
xHelper is not interesting because of its infection mechanism; the user has to side-load an app onto his phone. It's not interesting because of its payload; it seems to do nothing more than show unwanted ads. it's interesting because of its persistence: Furthermore, even if users spot the xHelper...
Eavesdropping on SMS Messages inside Telco Networks
Fireeye reports on a Chinese-sponsored espionage effort to eavesdrop on text messages: FireEye Mandiant recently discovered a new malware family used by APT41 a Chinese APT group that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent...
Details of an Airbnb Fraud
This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn't do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially...
Obfuscation as a Privacy Tool
This essay discusses the futility of opting out of surveillance, and suggests data obfuscation as an alternative. We can apply obfuscation in our own lives by using practices and technologies that make use of it, including: The secure browser Tor, which among other anti-surveillance technologies...
Homemade TEMPEST Receiver
Tom's Guide writes about home brew TEMPEST receivers: Today, dirt-cheap technology and free software make it possible for ordinary citizens to run their own Tempest programs and listen to what their own -- and their neighbors' -- electronic devices are doing. Elliott, a researcher at Boston-based...
Friday Squid Blogging: Triassic Kraken
Research paper: "Triassic Kraken: The Berlin Ichthyosaur Death Assemblage Interpreted as a Giant Cephalopod Midden": Abstract: The Luning Formation at Berlin Ichthyosaur State Park, Nevada, hosts a puzzling assemblage of at least 9 huge ≤14 m juxtaposed ichthyosaurs Shonisaurus popularis...
Resources for Measuring Cybersecurity
Kathryn Waldron at R Street has collected all of the different resources and methodologies for measuring cybersecurity...
A Broken Random Number Generator in AMD Microcode
Interesting story. I always recommend using a random number generator like Fortuna, even if you're using a hardware random source. It's just safer...
WhatsApp Sues NSO Group
WhatsApp is suing the Israeli cyberweapons arms manufacturer NSO Group in California court: WhatsApp's lawsuit, filed in a California court on Tuesday, has demanded a permanent injunction blocking NSO from attempting to access WhatsApp computer systems and those of its parent company, Facebook. I...
ICT Supply-Chain Security
The Carnegie Endowment for Peace published a comprehensive report on ICT information and communication technologies supply-chain security and integrity. It's a good read, but nothing that those who are following this issue don't already know...
Former FBI General Counsel Jim Baker Chooses Encryption Over Backdoors
In an extraordinary essay, the former FBI general counsel Jim Baker makes the case for strong encryption over government-mandated backdoors: In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities -- including law enforcement -...
Friday Squid Blogging: Researchers Investigating Using Squid Propulsion for Underwater Robots
Interesting article and paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Dark Web Site Taken Down without Breaking Encryption
The US Department of Justice unraveled a dark web child-porn website, leading to the arrest of 337 people in at least 18 countries. This was all accomplished not through any backdoors in communications systems, but by analyzing the bitcoin transactions and following the money: Welcome to Video ma...
Mapping Security and Privacy Research across the Decades
This is really interesting: "A Data-Driven Reflection on 36 Years of Security and Privacy Research," by Aniqua Baset and Tamara Denning: Abstract: Meta-research---research about research---allows us, as a community, to examine trends in our research and make informed decisions regarding the cours...