2979 matches found
Reverse Location Search Warrants
The police are increasingly getting search warrants for information about all cell phones in a certain location at a certain time: Police departments across the country have been knocking at Google's door for at least the last two years with warrants to tap into the company's extensive stores of...
Details on Recent DNS Hijacking
At the end of January, the US Department of Homeland Security issued a warning regarding serious DNS hijacking attempts against US government domains. Brian Krebs wrote an excellent article detailing the attacks and their implications. Strongly recommended...
Estonia's Volunteer Cyber Militia
Interesting -- although short and not very detailed -- article about Estonia's volunteer cyber-defense militia. Padar's militia of amateur IT workers, economists, lawyers, and other white-hat types are grouped in the city of Tartu, about 65 miles from the Russian border, and in the capital,...
I Am Not Associated with Swift Recovery Ltd.
It seems that someone from a company called Swift Recovery Ltd. is impersonating me -- at least on Telegram. The person is using a photo of me, and is using details of my life available on Wikipedia to convince people that they are me. They are not. If anyone has any more information -- stories,...
Cataloging IoT Vulnerabilities
Recent articles about IoT vulnerabilities describe hacking of construction cranes, supermarket freezers, and electric scooters...
Friday Squid Blogging: Sharp-Eared Enope Squid
Beautiful photo of a three-inch-long squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Reconstructing SIGSALY
Lessons learned in reconstructing the World War II-era SIGSALY voice encryption system...
USB Cable with Embedded Wi-Fi Controller
It's only a prototype, but this USB cable has an embedded Wi-Fi controller. Whoever controls that Wi-Fi connection can remotely execute commands on the attached computer...
Cyberinsurance and Acts of War
I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International's claim of $100 million in damages from NotPetya. It claims it is an act of war and therefor not covered. Mondelez is suing. Those turning to cyber insurance to manage their exposure presently face...
Blockchain and Trust
In his 2008 white paper that first proposed bitcoin, the anonymous Satoshi Nakamoto concluded with: "We have proposed a system for electronic transactions without relying on trust." He was referring to blockchain, the system behind bitcoin cryptocurrency. The circumvention of trust is a great...
Friday Squid Blogging: The Hawaiian Bobtail Squid Genome
The Hawaiian Bobtail Squid's genome is half again the size of a human's. Other facts: The Hawaiian bobtail squid has two different symbiotic organs, and researchers were able to show that each of these took different paths in their evolution. This particular species of squid has a light organ tha...
China's AI Strategy and its Security Implications
Gregory C. Allen at the Center for a New American Security has a new report with some interesting analysis and insights into China's AI strategy, commercial, government, and military. There are numerous security -- and national security -- implications...
Using Gmail "Dot Addresses" to Commit Fraud
In Gmail addresses, the dots don't matter. The account "[email protected]" maps to the exact same address as "[email protected]" and "[email protected]" -- and so on. Note: I own none of those addresses, if they are actually valid. This fact can be used to commit fraud:...
Major Zcash Vulnerability Fixed
Zcash just fixed a vulnerability that would have allowed "infinite counterfeit" Zcash. Like all the other blockchain vulnerabilities and updates, this demonstrates the ridiculousness of the notion that code can replace people, that trust can be encompassed in the protocols, or that human governan...
Facebook's New Privacy Hires
The Wired headline sums it up nicely -- "Facebook Hires Up Three of Its Biggest Privacy Critics": In December, Facebook hired Nathan White away from the digital rights nonprofit Access Now, and put him in the role of privacy policy manager. On Tuesday of this week, lawyers Nate Cardozo, of the...
Friday Squid Blogging: Squid with Chorizo, Tomato, and Beans
Nice recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Public-Interest Tech at the RSA Conference
Our work in cybersecurity is inexorably intertwined with public policy and -- more generally -- the public interest. It's obvious in the debates on encryption and vulnerability disclosure, but it's also part of the policy discussions about the Internet of Things, cryptocurrencies, artificial...
Security Flaws in Children's Smart Watches
A year ago, the Norwegian Consumer Council published an excellent security analysis of children's GPS-connected smart watches. The security was terrible. Not only could parents track the children, anyone else could also track the children. A recent analysis checked if anything had improved after...
Security Analysis of the LIFX Smart Light Bulb
The security is terrible: In a very short limited amount of time, three vulnerabilities have been discovered: Wifi credentials of the user have been recovered stored in plaintext into the flash memory. No security settings. The device is completely open no secure boot, no debug interface disabled...
iPhone FaceTime Vulnerability
This is kind of a crazy iPhone vulnerability: it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call. This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it's fixed. But it's hard to...
Japanese Government Will Hack Citizens' IoT Devices
The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to 1 figure out what's insecure, and 2 help consumers secure them: The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200...
Friday Squid Blogging: Squids on the Tree of Life
Interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Hacking the GCHQ Backdoor
Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected: In fact, we think when the ghost feature is active -- silently inserting a secret...
Military Carrier Pigeons in the Era of Electronic Warfare
They have advantages: Pigeons are certainly no substitute for drones, but they provide a low-visibility option to relay information. Considering the storage capacity of microSD memory cards, a pigeon's organic characteristics provide front line forces a relatively clandestine mean to transport...
The Evolution of Darknets
This is interesting: To prevent the problems of customer binding, and losing business when darknet markets go down, merchants have begun to leave the specialized and centralized platforms and instead ventured to use widely accessible technology to build their own communications and operational...
Hacking Construction Cranes
Construction cranes are vulnerable to hacking: In our research and vulnerability discoveries, we found that weaknesses in the controllers can be easily taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we'v...
Clever Smartphone Malware Concealment Technique
This is clever: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The...
Friday Squid Blogging: Squid Lollipops
Two squid lollipops, handmade by Shinri Tezuka. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Evaluating the GCHQ Exceptional Access Proposal
The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI -- and some of their peer agencies in the UK, Australia, and elsewhere -- argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make...
Prices for Zero-Day Exploits Are Rising
Companies are willing to pay ever-increasing amounts for good zero-day exploits against hard-to-break computers and applications: On Monday, market-leading exploit broker Zerodium said it would pay up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for one-click iOS jailbreak...
El Chapo's Encryption Defeated by Turning His IT Consultant
Impressive police work: In a daring move that placed his life in danger, the I.T. consultant eventually gave the F.B.I. his system's secret encryption keys in 2011 after he had moved the network's servers from Canada to the Netherlands during what he told the cartel's leaders was a routine upgrad...
Alex Stamos on Content Moderation and Security
Former Facebook CISO Alex Stamos argues that increasing political pressure on social media platforms to moderate content will give them a pretext to turn all end-to-end crypto off -- which would be more profitable for them and bad for society. If we ask tech companies to fix ancient societal ills...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at A New Initiative for Poland in Warsaw, January 16-17, 2019. I'm speaking at the Munich Cyber Security Conference MCSC on February 14, 2019. The list is maintained on this page...
Why Internet Security Is So Bad
I recently read two different essays that make the point that while Internet security is terrible, it really doesn't affect people enough to make it an issue. This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency...
Friday Squid Blogging: New Giant Squid Video
This is a fantastic video of a young giant squid named Heck swimming around Toyama Bay near Tokyo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Using a Fake Hand to Defeat Hand-Vein Biometrics
Nice work: One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for...
Security Vulnerabilities in Cell Phone Systems
Good essay on the inherent vulnerabilities in the cell phone standards and the market barriers to fixing them. So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about...
EU Offering Bug Bounties on Critical Open-Source Software
The EU is offering "bug bounties on Free Software projects that the EU institutions rely on." Slashdot thread...
Machine Learning to Detect Software Vulnerabilities
No one doubts that artificial intelligence AI and machine learning ML will transform cybersecurity. We just don't know how, or when. While the literature generally focuses on the different uses of AI by attackers and defenders and the resultant arms race between the two I want to talk about...
New Attack Against Electrum Bitcoin Wallets
This is clever: How the attack works: Attacker added tens of malicious servers to the Electrum wallet network. Users of legitimate Electrum wallets initiate a Bitcoin transaction. If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users t...
Friday Squid Blogging: The Future of the Squid Market
It's growing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Podcast Interview with Eva Galperin
Nice interview with the EFF's director of cybersecurity, Eva Galperin...
Long-Range Familial Searching Forensics
Good article on using long-range familial searching -- basically, DNA matching of distant relatives -- as a police forensics tool. EDITED TO ADD 1/5: A smattering of papers on the topic...
China's APT10
Wired has an excellent article on China's APT10 hacking group. Specifically, on how they hacked managed service providers in order to get to their customers' networks. I am reminded of the NSA's "I Hunt Sysadmins" presentation, published by the Intercept. EDITED TO ADD 1/5: Another article on the...
Friday Squid Blogging: Squid-Focused Menus in Croatia
This is almost over: From 1 December 2018 -- 6 January 2019, Days of Adriatic squid will take place at restaurants all over north-west Istria. Restaurants will be offering affordable full-course menus based on Adriatic squid, combined with quality local olive oil and fine wines. As usual, you can...
Click Here to Kill Everybody Available as an Audiobook
Click Here to Kill Everybody is finally available on Audible.com. I have ten download codes. Not having anything better to do with them, here they are: 1. HADQSSFC98WCQ 2. LDLMC6AJLBDJY 3. YWSY8CXYMQNJ6 4. JWM7SGNUXX7DB 5. UPKAJ6MHB2LEF 6. M85YN36UR926H 7. 9ULE4NFAH2SLF 8. GU7A79GSDCXAT 9...
Massive Ad Fraud Scheme Relied on BGP Hijacking
This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol: Members of 3ve pronounced "eve" used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a...
Stealing Nativity Displays
The New York Times is reporting on the security measures people are using to protect nativity displays...
Human Rights by Design
Good essay: "Advancing Human-Rights-By-Design In The Dual-Use Technology Industry," by Jonathon Penney, Sarah McKune, Lex Gill, and Ronald J. Deibert: But businesses can do far more than these basic measures. They could adopt a "human-rights-by-design" principle whereby they commit to designing...
Glitter Bomb against Package Thieves
Stealing packages from unattended porches is a rapidly rising crime, as more of us order more things by mail. One person hid a glitter bomb and a video recorder in a package, posting the results when thieves opened the box. At least, that's what might have happened. At least some of the video was...