Cameras that Automatically Detect Mobile Phone Use
New South Wales is implementing a camera system that automatically detects when a driver is using a mobile phone...
Friday Squid Blogging: Squid-Like Underwater Drone
The Sea Hunting Autonomous Reconnaissance Drone (SHARD) swims like a squid and can explode on command. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Manipulating Machine Learning Systems by Manipulating Training Data
Interesting research: "TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents": Abstract: Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-ti...
DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy
The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it. The devil is in the details, of course, but...
Friday Squid Blogging: T-Shirt
"Squid Pro Quo" T-shirt. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
The NSA Warns of TLS Inspection
The NSA has released a security advisory warning of the dangers of TLS inspection: Transport Layer Security Inspection (TLSI), also known as TLS break and inspect, is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the...
GPS Manipulation
Long article on the manipulation of GPS in Shanghai. It seems not to be some Chinese military program, but ships who are stealing sand. The Shanghai "crop circles," which somehow spoof each vessel to a different false location, are something new. "I'm still puzzled by this," says Humphreys. "I...
Iran Has Shut Off its Internet
Iran has gone pretty much entirely offline in the wake of nationwide protests. This is the best article detailing what's going on; this is also good. AccessNow has a global campaign to stop Internet shutdowns. TITLE EDITED TO REDUCE CONFUSION...
Security Vulnerabilities in Android Firmware
Researchers have discovered and revealed 146 vulnerabilities in various incarnations of Android smartphone firmware. The vulnerabilities were found by scanning the phones of 29 different Android makers, and each is unique to a particular phone or maker. They were found using automatic tools, and ...
Friday Squid Blogging: Planctoteuthis Squid
Neat video, and an impressive-looking squid. I can't figure out how long it is. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
TPM-Fail Attacks Against Cryptographic Coprocessors
Really interesting research: TPM-FAIL: TPM meets Timing and Lattice Attacks, by Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. Abstract: Trusted Platform Module (TPM) serves as a hardware-based root of trust that protects cryptographic keys from privileged system and physical...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking on "Securing a World of Physically Capable Computers" at the Indian Institute of Science in Bangalore, India on December 12, 2019. The list is maintained on this page...
Technology and Policymakers
Technologists and policymakers largely inhabit two separate worlds. It's an old problem, one that the British scientist CP Snow identified in a 1959 essay entitled The Two Cultures. He called them sciences and humanities, and pointed to the split as a major hindrance to solving the world's...
NTSB Investigation of Fatal Driverless Car Accident
Autonomous systems are going to have to do much better than this. The Uber car that hit and killed Elaine Herzberg in Tempe, Ariz., in March 2018 could not recognize all pedestrians, and was being driven by an operator likely distracted by streaming video, according to documents released by the...
Identifying and Arresting Ransomware Criminals
The Wall Street Journal has a story about how two people were identified as the perpetrators of a ransomware scheme. They were found because -- as generally happens -- they made mistakes covering their tracks. They were investigated because they had the bad luck of locking up Washington, DC's vid...
Fooling Voice Assistants with Lasers
Interesting: Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible -- and sometimes invisible -- commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a...
Friday Squid Blogging: 80-Foot Steel Kraken Deliberately Sunk
The headline gives the story: "An 80-Foot Steel Kraken Will Create an Artificial Coral Reef Near the British Virgin Islands." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
xHelper Malware for Android
xHelper is not interesting because of its infection mechanism; the user has to side-load an app onto his phone. It's not interesting because of its payload; it seems to do nothing more than show unwanted ads. It's interesting because of its persistence: Furthermore, even if users spot the xHelper...
Eavesdropping on SMS Messages inside Telco Networks
FireEye reports on a Chinese-sponsored espionage effort to eavesdrop on text messages: FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent...
Details of an Airbnb Fraud
This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn't do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially...
Obfuscation as a Privacy Tool
This essay discusses the futility of opting out of surveillance, and suggests data obfuscation as an alternative. We can apply obfuscation in our own lives by using practices and technologies that make use of it, including: The secure browser Tor, which among other anti-surveillance technologies...
Homemade TEMPEST Receiver
Tom's Guide writes about home brew TEMPEST receivers: Today, dirt-cheap technology and free software make it possible for ordinary citizens to run their own Tempest programs and listen to what their own -- and their neighbors' -- electronic devices are doing. Elliott, a researcher at Boston-based...
Friday Squid Blogging: Triassic Kraken
Research paper: "Triassic Kraken: The Berlin Ichthyosaur Death Assemblage Interpreted as a Giant Cephalopod Midden": Abstract: The Luning Formation at Berlin Ichthyosaur State Park, Nevada, hosts a puzzling assemblage of at least 9 huge (≤14 m) juxtaposed ichthyosaurs (Shonisaurus popularis)...
Resources for Measuring Cybersecurity
Kathryn Waldron at R Street has collected all of the different resources and methodologies for measuring cybersecurity...
A Broken Random Number Generator in AMD Microcode
Interesting story. I always recommend using a random number generator like Fortuna, even if you're using a hardware random source. It's just safer...
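To make the recommendation concrete, here is an added illustration (not Schneier's Fortuna reference design and not the code from the AMD story): a cut-down Fortuna-style accumulator with 32 entropy pools feeding a hash-based generator. Real Fortuna runs a block cipher in counter mode; SHA-256 stands in here so the example needs only the standard library. The "broken hardware source" that returns nothing but 0xFF bytes, and the "jitter" source derived from a fixed seed, are both constructed inputs for the demonstration.

```python
import hashlib
import struct


class FortunaLite:
    """Simplified Fortuna-style CSPRNG (illustration only).

    Entropy events are spread round-robin over 32 pools; pool i is folded
    into the key only on every 2**i-th reseed, so a source that is bad
    (constant, attacker-observable) cannot flush good entropy out of the
    slower pools.  Output blocks are SHA-256(key || counter); the key is
    replaced after every request so a later state compromise does not
    reveal earlier output.
    """

    NUM_POOLS = 32
    MIN_POOL0_BYTES = 64  # pool 0 must hold this much before a reseed

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(self.NUM_POOLS)]
        self.pool0_bytes = 0
        self.key = None          # None until the first reseed
        self.counter = 0
        self.reseed_count = 0
        self._next_pool = {}     # per-source round-robin pointer

    def add_entropy(self, source_id, data):
        i = self._next_pool.get(source_id, 0)
        # length-prefix so events from different sources cannot be confused
        self.pools[i].update(bytes([source_id, len(data)]) + data)
        if i == 0:
            self.pool0_bytes += len(data)
        self._next_pool[source_id] = (i + 1) % self.NUM_POOLS

    def _reseed(self):
        self.reseed_count += 1
        h = hashlib.sha256(self.key or b"")
        for i in range(self.NUM_POOLS):
            if self.reseed_count % (1 << i) == 0:
                h.update(self.pools[i].digest())
                self.pools[i] = hashlib.sha256()
        self.key = h.digest()
        self.pool0_bytes = 0

    def _block(self):
        self.counter += 1
        return hashlib.sha256(self.key + struct.pack("<Q", self.counter)).digest()

    def random_bytes(self, n):
        if self.key is None and self.pool0_bytes < self.MIN_POOL0_BYTES:
            raise RuntimeError("not enough entropy collected yet")
        if self.pool0_bytes >= self.MIN_POOL0_BYTES:
            self._reseed()
        out = b""
        while len(out) < n:
            out += self._block()
        self.key = self._block()  # rekey: forward secrecy for past output
        return out[:n]


# --- constructed demonstration inputs --------------------------------------
EVENTS = 256  # enough round-robin events for pool 0 to reach 64 bytes

def broken_hw_source():
    """Hardware RNG that has silently failed: every read returns 0xFF bytes."""
    return [b"\xff" * 8 for _ in range(EVENTS)]

def jitter_source(seed):
    """Stand-in for a second, independent source (timings, interrupts...)."""
    return [hashlib.sha256(seed + struct.pack("<I", k)).digest()[:8]
            for k in range(EVENTS)]

def run(sources, n=32):
    """Feed the listed (source_id, chunks) into a fresh generator, draw n bytes."""
    rng = FortunaLite()
    for source_id, chunks in sources:
        for chunk in chunks:
            rng.add_entropy(source_id, chunk)
    return rng.random_bytes(n)

def demo():
    only_hw_a = run([(0, broken_hw_source())])
    only_hw_b = run([(0, broken_hw_source())])
    mixed_a = run([(0, broken_hw_source()), (1, jitter_source(b"machine-A"))])
    mixed_b = run([(0, broken_hw_source()), (1, jitter_source(b"machine-B"))])
    return {
        "hw_only_repeats": only_hw_a == only_hw_b,   # True: the failure mode
        "mixed_differs": mixed_a != mixed_b,         # True: second source rescues
        "length_ok": len(mixed_a) == 32,
    }
```

The point of `demo()` is the first flag: two machines whose only input is the same broken hardware source produce identical "random" bytes, which is exactly the failure the story describes. Once a second source is accumulated alongside it, the outputs diverge even though the broken source is still contributing. A production system should also rate-limit reseeds and persist a seed file across reboots, as the full Fortuna design specifies.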
WhatsApp Sues NSO Group
WhatsApp is suing the Israeli cyberweapons arms manufacturer NSO Group in California court: WhatsApp's lawsuit, filed in a California court on Tuesday, has demanded a permanent injunction blocking NSO from attempting to access WhatsApp computer systems and those of its parent company, Facebook. I...
ICT Supply-Chain Security
The Carnegie Endowment for International Peace published a comprehensive report on ICT (information and communication technologies) supply-chain security and integrity. It's a good read, but nothing that those who are following this issue don't already know...
Former FBI General Counsel Jim Baker Chooses Encryption Over Backdoors
In an extraordinary essay, the former FBI general counsel Jim Baker makes the case for strong encryption over government-mandated backdoors: In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities -- including law enforcement -...
Friday Squid Blogging: Researchers Investigating Using Squid Propulsion for Underwater Robots
Interesting article and paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Dark Web Site Taken Down without Breaking Encryption
The US Department of Justice unraveled a dark web child-porn website, leading to the arrest of 337 people in at least 18 countries. This was all accomplished not through any backdoors in communications systems, but by analyzing the bitcoin transactions and following the money: Welcome to Video ma...
Mapping Security and Privacy Research across the Decades
This is really interesting: "A Data-Driven Reflection on 36 Years of Security and Privacy Research," by Aniqua Baset and Tamara Denning: Abstract: Meta-research---research about research---allows us, as a community, to examine trends in our research and make informed decisions regarding the cours...
NordVPN Breached
There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN's network or for a variety...
Public Voice Launches Petition for an International Moratorium on Using Facial Recognition for Mass Surveillance
Coming out of the Privacy Commissioners' Conference in Albania, Public Voice is launching a petition for an international moratorium on using facial recognition software for mass surveillance. You can sign on as an individual or an organization. I did. You should as well. No, I don't think that...
Calculating the Benefits of the Advanced Encryption Standard
NIST has completed a study -- it was published last year, but I just saw it recently -- calculating the costs and benefits of the Advanced Encryption Standard. From the conclusion: The result of performing that operation on the series of cumulated benefits extrapolated for the 169 survey...
Details of the Olympic Destroyer APT
Interesting details on Olympic Destroyer, the nation-state cyberattack against the 2018 Winter Olympic Games in South Korea. Wired's Andy Greenberg presents evidence that the perpetrator was Russia, and not North Korea or China...
Friday Squid Blogging: Six-Foot-Long Mass of Squid Eggs Found on Great Barrier Reef
It's likely the diamondback squid. There's a video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Why Technologists Need to Get Involved in Public Policy
Last month, I gave a 15-minute talk in London titled: "Why technologists need to get involved in public policy." In it, I try to make the case for public-interest technologists. I also maintain a public-interest tech resources page, which has pretty much everything I can find in this space. If I'...
Adding a Hardware Backdoor to a Networked Computer
Interesting proof of concept: At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate just how easily spies, criminals, or saboteurs with even minima...
Using Machine Learning to Detect IP Hijacking
This is interesting research: In a BGP hijack, a malicious actor convinces nearby networks that the best path to reach a specific IP address is through their network. That's unfortunately not very hard to do, since BGP itself doesn't have any security procedures for validating that a message is...
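The research excerpted above uses machine learning to flag hijacks; the deterministic check that BGP itself lacks, and that exists today as RPKI route origin validation (RFC 6811), is shown below as an added example that is not part of the post or the paper. It classifies an announcement against a list of ROAs as valid, invalid, or not-found. The ROA table, prefixes, and AS numbers are constructed from documentation ranges.

```python
import ipaddress

# Constructed ROA table: (prefix, max_length, authorized origin AS).
# AS numbers come from the RFC 6996 documentation range, prefixes from RFC 5737.
ROAS = [
    ("203.0.113.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation for one (prefix, origin AS) pair.

    valid     -> some covering ROA names this origin and allows this length
    invalid   -> ROAs cover the prefix but none match (wrong AS or too specific)
    not-found -> no ROA covers the prefix at all (RPKI says nothing)
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=True)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"
    for max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def classify_announcement(prefix, as_path, roas=ROAS):
    """A BGP UPDATE's origin is the last AS in AS_PATH; validate that."""
    if not as_path:
        raise ValueError("empty AS_PATH")
    return validate_origin(prefix, as_path[-1], roas)


def demo():
    return {
        # legitimate origin announced via a transit network
        "legit": classify_announcement("203.0.113.0/24", [64500, 64496]),
        # origin hijack: a different AS claims the prefix
        "origin_hijack": classify_announcement("203.0.113.0/24", [64500, 64511]),
        # more-specific hijack: /25 exceeds the ROA's maxLength of /24
        "more_specific": classify_announcement("203.0.113.0/25", [64500, 64496]),
        # sub-prefix of a /22 ROA with maxLength 24 is fine
        "subprefix_ok": classify_announcement("198.51.100.128/25", [64497][:1] and [64497]) if False else classify_announcement("198.51.100.0/24", [64497]),
        # prefix with no ROA at all
        "unknown": classify_announcement("192.0.2.0/24", [64500, 64512]),
    }
```

Two caveats a practitioner needs. First, ROV only checks the origin AS: an attacker who prepends the legitimate origin to a forged path (a path hijack) passes as "valid", which is one reason path-level anomaly detection such as the research above still matters. Second, "not-found" is the common case on today's Internet, so policy usually only drops "invalid" routes rather than requiring "valid".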
Cracking the Passwords of Early Internet Pioneers
Lots of them weren't very good: BSD co-inventor Dennis Ritchie, for instance, used "dmac" (his middle name was MacAlistair); Stephen R. Bourne, creator of the Bourne shell command line interpreter, chose "bourne"; Eric Schmidt, an early developer of Unix software and now the executive chairman of...
Factoring 2048-bit Numbers Using 20 Million Qubits
This theoretical paper shows how to factor 2048-bit RSA moduli with a 20-million qubit quantum computer in eight hours. It's interesting work, but I don't want to overstate the risk. We know from Shor's Algorithm that both factoring and discrete logs are easy to solve on a large, working quantum...
Friday Squid Blogging: Apple Fixes Squid Emoji
Apple fixed the squid emoji in iOS 13.1: A squid's siphon helps it move, breathe, and discharge waste, so having the siphon in back makes more sense than having it in front. Now, the poor squid emoji will look like it should, without a siphon on its front. As usual, you can also use this squid po...
I Have a New Book: We Have Root
I just published my third collection of essays: We Have Root. This book covers essays from 2013 to 2017. The first two are Schneier on Security and Carry On. There is nothing in this book that is not available for free on my website; but if you'd like these essays in an easy-to-carry paperback...
Details on Uzbekistan Government Malware: SandCat
Kaspersky has uncovered an Uzbek hacking operation, mostly due to incompetence on the part of the government hackers. The group's lax operational security includes using the name of a military group with ties to the SSS to register a domain used in its attack infrastructure; installing Kaspersky...
New Reductor Nation-State Malware Compromises TLS
Kaspersky has a detailed blog post about a new piece of sophisticated malware that it's calling Reductor. The malware is able to compromise TLS traffic by infecting the computer with a hacked TLS engine substituted on the fly, "marking" infected TLS handshakes by compromising the underlying...
Wi-Fi Hotspot Tracking
Free Wi-Fi hotspots can track your location, even if you don't connect to them. This is because your phone or computer broadcasts a unique MAC address. What distinguishes location-based marketing hotspot providers like Zenreach and Euclid is that the personal information you enter in the captive...
Cheating at Professional Poker
Interesting story about someone who is almost certainly cheating at professional poker. But then I start to see things that seem so obvious, but I wonder whether they aren't just paranoia after hours and hours of digging into the mystery. Like the fact that he starts wearing a hat that has a...
Illegal Data Center Hidden in Former NATO Bunker
Interesting: German investigators said Friday they have shut down a data processing center installed in a former NATO bunker that hosted sites dealing in drugs and other illegal activities. Seven people were arrested. ... Thirteen people aged 20 to 59 are under investigation in all, including thr...
Speakers Censored at AISA Conference in Melbourne
Two speakers were censored at the Australian Information Security Association's annual conference this week in Melbourne. Thomas Drake, former NSA employee and whistleblower, was scheduled to give a talk on the golden age of surveillance, both government and corporate. Suelette Dreyfus, lecturer ...
New Unpatchable iPhone Exploit Allows Jailbreaking
A new iPhone exploit allows jailbreaking of pretty much all versions of the iPhone. This is a huge deal for Apple, but at least it doesn't allow someone to remotely hack people's phones. Some details: I wanted to learn how Checkm8 will shape the iPhone experience -- particularly as it relates to...