2979 matches found
MD5 and SHA-1 Still Used in 2018
Last week, the Scientific Working Group on Digital Evidence published a draft document -- "SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics" -- where it accepts the use of MD5 and SHA-1 in digital forensics applications: While SWGDE promotes the adopti...
Friday Squid Blogging: Illegal North Korean Squid Fishing
North Korea is engaged in even more illegal squid fishing than previously. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Drone Denial-of-Service Attack against Gatwick Airport
Someone is flying a drone over Gatwick Airport in order to disrupt service: Chris Woodroofe, Gatwick's chief operating officer, said on Thursday afternoon there had been another drone sighting which meant it was impossible to say when the airport would reopen. He told BBC News: "There are 110,000...
Fraudulent Tactics on Amazon Marketplace
Fascinating article about the many ways Amazon Marketplace sellers sabotage each other and defraud customers. The opening example: framing a seller for false advertising by buying fake five-star reviews for their products. Defacement: Sellers armed with the accounts of Amazon distributors sometim...
Congressional Report on the 2017 Equifax Data Breach
The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It's a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned. Lance Spitzner also commented on this. Here is my...
Teaching Cybersecurity Policy
Peter Swire proposes a a pedagogic framework for teaching cybersecurity policy. Specifically, he makes real the old joke about adding levels to the OSI networking stack: an organizational layer, a government layer, and an international layer...
New Shamoon Variant
A new variant of the Shamoon malware has destroyed significant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem. Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no ide...
Real-Time Attacks Against Two-Factor Authentication
Attackers are targeting two-factor authentication systems: Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with...
Friday Squid Blogging: More Problems with the Squid Emoji
Piling on from last week's post, the squid emoji's siphon is in the wrong place. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Marriott Hack Reported as Chinese State-Sponsored
The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still uncomfirmed, but interesting if it is true. Reuters: Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in...
New Australian Backdoor Law
Last week, Australia passed a law giving the government the ability to demand backdoors in computers and communications systems. Details are still to be defined, but it's really bad. Note: Many people e-mailed me to ask why I haven't blogged this yet. One, I was busy with other things. And two,...
2018 Annual Report from AI Now
The research group AI Now just published its annual report. It's an excellent summary of today's AI security challenges, as well as a policy agenda to address them. This is related, and also worth reading...
Friday Squid Blogging: Problems with the Squid Emoji
The Monterey Bay Aquarium has some problems with the squid emoji. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Back Issues of the NSA's Cryptolog
Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course. What's new is a nice user interface for the issues, noting highlights and levels of redaction...
Banks Attacked through Malicious Hardware Connected to the Local Network
Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network: In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common...
Your Personal Data is Already Stolen
In an excellent blog post, Brian Krebs makes clear something I have been saying for a while: Likewise for individuals, it pays to accept two unfortunate and harsh realities: Reality 1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheles...
Security Risks of Chatbots
Good essay on the security risks -- to democratic discourse -- of chatbots...
Bad Consumer Security Advice
There are lots of articles about there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Never, ever, ever use public unsecured Wi-Fi such as the Wi-Fi in a café, hotel or airport. To...
The DoJ's Secret Legal Arguments to Break Cryptography
Earlier this year, the US Department of Justice made a series of legal arguments as to why Facebook should be forced to help the government wiretap Facebook Messenger. Those arguments are still sealed. The ACLU is suing to make them public...
Friday Squid Blogging: Japanese Squid-Fishing Towns in Decline
It's a problem: But now, fluctuations in ocean temperatures, years of overfishing and lax regulatory oversight have drastically depleted populations of the translucent squid in waters around Japan. As usual, you can also use this squid post to talk about the security stories in the news that I...
Click Here to Kill Everybody News
My latest book is doing well. And I've been giving lots of talks and interviews about it. I can recommend three interviews: the Cyberlaw podcast with Stewart Baker, the Lawfare podcast with Ben Wittes, and Le Show with Henry Shearer. My book talk at Google is also available. The Audible version w...
Three-Rotor Enigma Machine Up for Auction Today
Sotheby's is auctioning off a working, I think three-rotor Enigma machine today. They're expecting it to sell for about $200K. I have an Enigma, but it's missing the rotors...
That Bloomberg Supply-Chain-Hack Story
Back in October, Bloomberg reported that China has managed to install backdoors into server equipment that ended up in networks belonging to -- among others -- Apple and Amazon. Pretty much everybody has denied it including the US DHS and the UK NCSC. Bloomberg has stood by its story -- and is...
FBI Takes Down a Massive Advertising Fraud Ring
The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people: A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr...
Distributing Malware By Becoming an Admin on an Open-Source Project
The module "event-stream" was infected with malware by an anonymous someone who became an admin on the project. Cory Doctorow points out that this is a clever new attack vector: Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lo...
Propaganda and the Weakening of Trust in Government
On November 4, 2016, the hacker "Guccifer 2.0,: a front for Russia's military intelligence service, claimed in a blogpost that the Democrats were likely to use vulnerabilities to hack the presidential elections. On November 9, 2018, President Donald Trump started tweeting about the senatorial...
How Surveillance Inhibits Freedom of Expression
In my book Data and Goliath, I write about the value of privacy. I talk about how it is essential for political liberty and justice, and for commercial fairness and equality. I talk about how it increases personal freedom and individual autonomy, and how the lack of it makes us all less secure. B...
Friday Squid Blogging: Good Squid Fishing in the Exmouth Gulf
The conditions are ideal for squid fishing in the Exmouth Gulf in West Australia. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Using Machine Learning to Create Fake Fingerprints
Researchers are able to create fake fingerprints that result in a 20% false-positive rate. The problem is that these sensors obtain only partial images of users' fingerprints -- at the points where they make contact with the scanner. The paper noted that since partial prints are not as distinctiv...
Information Attacks against Democracies
Democracy is an information system. That's the starting place of our new paper: "Common-Knowledge Attacks on Democracy." In it, we look at democracy through the lens of information security, trying to understand the current waves of Internet disinformation attacks. Specifically, we wanted to...
The PCLOB Needs a Director
The US Privacy and Civil Liberties Oversight Board is looking for a director. Among other things, this board has some oversight role over the NSA. More precisely, it can examine what any executive-branch agency is doing about counterterrorism. So it can examine the program of TSA watchlists, NSA...
What Happened to Cyber 9/11?
A recent article in the Atlantic asks why we haven't seen a"cyber 9/11" in the past fifteen or so years. I, too, remember the increasingly frantic and fearful warnings of a "cyber Peal Harbor," "cyber Katrina" -- when that was a thing -- or "cyber 9/11." I made fun of those warnings back then. Th...
Worst-Case Thinking Breeds Fear and Irrationality
Here's a crazy story from the UK. Basically, someone sees a man and a little girl leaving a shopping center. Instead of thinking "it must be a father and daughter, which happens millions of times a day and is perfectly normal," he thinks "this is obviously a case of child abduction and I must ale...
Israeli Surveillance Gear
The Israeli Defense Force mounted a botched raid in Gaza. They were attempting to install surveillance gear, which they ended up leaving behind. There are photos -- scroll past the video. Israeli media is claiming that the capture of this gear by Hamas causes major damage to Israeli electronic...
Friday Squid Blogging: Squid Sculptures
Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Mailing Tech Support a Bomb
I understand his frustration, but this is extreme: When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package the only thing the company could think of...
Hidden Cameras in Streetlights
Both the US Drug Enforcement Administration DEA and Immigration and Customs Enforcement ICE are hiding surveillance cameras in streetlights. According to government procurement data, the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 20...
Chip Cards Fail to Reduce Credit Card Fraud in the US
A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the...
More Spectre/Meltdown-Like Attacks
Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn't be surprising that microprocessor designers have been building...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018. I'm appearing on IBM Resilient's End of Year Review webinar on "The Top Cyber Security Trends in 2018 and Predictions for the Year Ahead," December 6, 2018 at...
Oracle and "Responsible Disclosure"
I've been writing about "responsible disclosure" for over a decade; here's an essay from 2007. Basically, it's a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to...
New IoT Security Regulations
Due to ever-evolving technological advances, manufacturers are connecting consumer goods -- from toys to light bulbs to major appliances -- to the Internet at breakneck speeds. This is the Internet of Things, and it's a security nightmare. The Internet of Things fuses products with communicatio...
Hiding Secret Messages in Fingerprints
This is a fun steganographic application: hiding a message in a fingerprint image. Can't see any real use for it, but that's okay...
Friday Squid Blogging: Australian Fisherman Gets Inked
Pretty good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
The Pentagon Is Publishing Foreign Nation-State Malware
This is a new thing: The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat...
Privacy and Security of Data at Universities
Interesting paper: "Open Data, Grey Data, and Stewardship: Universities at the Privacy Frontier," by Christine Borgman: Abstract: As universities recognize the inherent value in the data they collect and hold, they encounter unforeseen challenges in stewarding those data in ways that balance...
iOS 12.1 Vulnerability
This is really just to point out that computer security is really hard: Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone users' contact information with no need for a passcode...
Consumer Reports Reviews Wireless Home-Security Cameras
Consumer Reports is starting to evaluate the security of IoT devices. As part of that, it's reviewing wireless home-security cameras. It found significant security vulnerabilities in D-Link cameras: In contrast, D-Link doesn't store video from the DCS-2630L in the cloud. Instead, the camera has i...
Security of Solid-State-Drive Encryption
Interesting research: "Self-encrypting deception: weaknesses in the encryption of solid state drives SSDs": Abstract: We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are...
Troy Hunt on Passwords
Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why insert thing here isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have...