Friday Squid Blogging: Eat Less Squid
The UK's Marine Conservation Society is urging people to eat less squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Security in a World of Physically Capable Computers
It's no secret that computers are insecure. Stories like the recent Facebook hack, the Equifax hack and the hacking of government agencies are remarkable for how unremarkable they really are. They might make headlines for a few days, but they're just the newsworthy tip of a very large iceberg. Th...
Another Bloomberg Story about Supply-Chain Hardware Attacks from China
Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. I linked to other...
Security Vulnerabilities in US Weapons Systems
The US Government Accounting Office just published a new report: "Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities" summary here. The upshot won't be a surprise to any of my regular readers: they're vulnerable. From the summary: Automation and connectivi...
Access Now Is Looking for a Chief Security Officer
The international digital human rights organization Access Now (I am on the board) is looking to hire a Chief Security Officer. I believe that, somewhere, there is a highly qualified security person who has had enough of corporate life and wants instead to make a difference in the world. If that's...
The US National Cyber Strategy
Last month, the White House released the "National Cyber Strategy of the United States of America." I generally don't have much to say about these sorts of documents. They're filled with broad generalities. Who can argue with: Defend the homeland by protecting networks, systems, functions, and dat...
Defeating the "Deal or No Deal" Arcade Game
Two teenagers figured out how to beat the "Deal or No Deal" arcade game by filming the computer animation and then slowing it down enough to determine where the big prize was hidden...
Friday Squid Blogging: Watch Squid Change Colors
This is an amazing short video of a squid -- I don't know the species -- changing its color instantly. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Detecting Credit Card Skimmers
Interesting research paper: "Fear the Reaper: Characterization and Fast Detection of Card Skimmers": Abstract: Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices includin...
Conspiracy Theories around the "Presidential Alert"
Noted conspiracy theorist John McAfee tweeted: The "Presidential alerts": they are capable of accessing the E911 chip in your phones -- giving them full access to your location, microphone, camera and every function of your phone. This is not a rant, this is from me, still one of the leading...
Chinese Supply Chain Hardware Attack
Bloomberg is reporting about a Chinese espionage operation involving inserting a tiny chip into computer products made in China. I've written about this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and...
Helen Nissenbaum on Data Privacy and Consent
This is a fantastic Q&A with Cornell Tech Professor Helen Nissenbaum on data privacy and why it's wrong to focus on consent. I'm not going to pull a quote, because you should read the whole thing...
The Effects of GDPR's 72-Hour Notification Rule
The EU's GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem: Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1...
Terahertz Millimeter-Wave Scanners
Interesting article on terahertz millimeter-wave scanners and their uses to detect terrorist bombers. The heart of the device is a block of electronics about the size of a 1990s tower personal computer. It comes housed in a musician's black case, akin to the one Spinal Tap might use on tour. At t...
Sophisticated Voice Phishing Scams
Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone. I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always. EDITED TO...
Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising
From Kashmir Hill: Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other...
More on the Five Eyes Statement on Encryption and Backdoors
Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. Short summary: they like them. One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a...
Friday Squid Blogging: Squid Protein Used in Variable Thermal Conductivity Material
This is really neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Major Tech Companies Finally Endorse Federal Privacy Regulation
The major tech companies, scared that states like California might impose actual privacy regulations, have now decided that they can better lobby the federal government for much weaker national legislation that will preempt any stricter state measures. I'm sure they'll still do all they can to...
Yet Another IoT Cybersecurity Document
This one is from NIST: "Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks." It's still in draft. Remember, there are many others...
Counting People Through a Wall with WiFi
Interesting research: In the team's experiments, one WiFi transmitter and one WiFi receiver are behind walls, outside a room in which a number of people are present. The room can get very crowded with as many as 20 people zigzagging each other. The transmitter sends a wireless signal whose receiv...
Evidence for the Security of PKCS #1 Digital Signatures
This is interesting research: "On the Security of the PKCS#1 v1.5 Signature Scheme": Abstract: The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that...
New Variants of Cold-Boot Attack
If someone has physical access to your locked -- but still running -- computer, they can probably break the hard drive's encryption. This is a "cold boot" attack, and one we thought solved. We have not: To carry out the attack, the F-Secure researchers first sought a way to defeat the...
Friday Squid Blogging: British Columbia "Squid Run" Is a Tourist Attraction
On James Island. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New Findings About Prime Number Distribution Almost Certainly Irrelevant to Cryptography
Lots of people are e-mailing me about this new result on the distribution of prime numbers. While interesting, it has nothing to do with cryptography. Cryptographers aren't interested in how to find prime numbers, or even in the distribution of prime numbers. Public-key cryptography algorithms li...
AES Resulted in a $250-Billion Economic Benefit
NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I d...
Security Vulnerability in ESS ExpressVote Touchscreen Voting Computer
Of course the ESS ExpressVote voting computer will have lots of security vulnerabilities. It's a computer, and computers have lots of vulnerabilities. This particular vulnerability is particularly interesting because it's the result of a security mistake in the design process. Someone didn't thin...
Pegasus Spyware Used in 45 Countries
Citizen Lab has published a new report about the Pegasus spyware. From a ZDNet article: The malware, known as Pegasus or Trident, was created by Israeli cyber-security firm NSO Group and has been around for at least three years -- when it was first detailed in a report over the summer of 2016. Th...
Public Shaming of Companies for Bad Security
Troy Hunt makes some good points, with good examples...
NSA Attacks Against Virtual Private Networks
A 2006 document from the Snowden archives outlines successful NSA operations against "a number of "high potential" virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems." It's...
Friday Squid Blogging: Dissecting a Giant Squid
Lessons learned. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Click Here to Kill Everybody Reviews and Press Mentions
It's impossible to know all the details, but my latest book seems to be selling well. Initial reviews have been really positive: Boing Boing, Financial Times, Harris Online, Kirkus Reviews, Nature, Politico, and Virus Bulletin. I've also done a bunch of interviews -- either written or radio/podca...
Quantum Computing and Cryptography
Quantum computing is a new way of computing -- one that could allow humankind to perform computations that are simply impossible using today's computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to...
Security Risks of Government Hacking
Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include: Disincentive for vulnerability disclosure Cultivation of a market...
Security Vulnerability in Smart Electric Outlets
A security vulnerability in Belkin's Wemo Insight "smartplugs" allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network. From the Register: The bug underscores the primary risk posed by IoT devices and connected appliances. Because...
Using Hacked IoT Devices to Disrupt the Power Grid
This is really interesting research: "BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid": Abstract: We demonstrate that an Internet of Things (IoT) botnet of high wattage devices -- such as air conditioners and heaters -- gives a unique ability to adversaries to launch...
Friday Squid Blogging: 100-kg Squid Caught Off the Coast of Madeira
News. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Reddit AMA
I did a Reddit AMA on Thursday, September 6...
Five-Eyes Intelligence Services Choose Surveillance Over Security
The Five Eyes -- the intelligence consortium of the rich English-speaking countries (the US, Canada, the UK, Australia, and New Zealand) -- have issued a "Statement of Principles on Access to Evidence and Encryption" where they claim their needs for surveillance outweigh everyone's needs for securi...
Using a Smartphone's Microphone and Speakers to Eavesdrop on Passwords
It's amazing that this is even possible: "SonarSnoop: Active Acoustic Side-Channel Attacks": Abstract: We report the first active acoustic side-channel attack. Speakers are used to emit human inaudible acoustic signals and the echo is recorded via microphones, turning the acoustic system of a sma...
New Book Announcement: Click Here to Kill Everybody
I am pleased to announce the publication of my latest book: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. In it, I examine how our new immersive world of physically capable computers affects our security. I argue that this changes everything about security. Attac...
Friday Squid Blogging: Giant Squid Washes up on Wellington Beach
Another giant squid washed up on a beach, this time in Wellington, New Zealand. Is this a global trend? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
I'm Doing a Reddit AMA
On Thursday, September 6, starting at 10:00 am CDT, I'll be doing a Reddit "Ask Me Anything" in association with the Ford Foundation. It's about my new book, but -- of course -- you can ask me anything. No promises that I will answer everything...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm giving a book talk on Click Here to Kill Everybody at the Ford Foundation in New York City, on September 5, 2018. The Aspen Institute's Cybersecurity & Technology Program is holding a book launch for Click Here to Kill Everybod...
Eavesdropping on Computer Screens through the Webcam Mic
Yet another way of eavesdropping on someone's computer activity: using the webcam microphone to "listen" to the computer's screen...
Cheating in Bird Racing
I've previously written about people cheating in marathon racing by driving -- or otherwise getting near the end of the race by faster means than running. In China, two people were convicted of cheating in a pigeon race: The essence of the plan involved training the pigeons to believe they had tw...
CIA Network Exposed through Insecure Communications System
Interesting story of a CIA intelligence network in China that was exposed partly because of a computer security failure: Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In...
NotPetya
Andy Greenberg wrote a fascinating account of the Russian NotPetya worm, with an emphasis on its effects on the company Maersk. BoingBoing post...
Future Cyberwar
A report for the Center for Strategic and International Studies looks at surprise and war. One of the report's cyberwar scenarios is particularly compelling. It doesn't just map cyber onto today's tactics, but completely reimagines future tactics that include a cyber component quote starts on pag...
Friday Squid Blogging: Clubhook Squid Washes Up on Oregon Beach
This seems to have happened twice in two weeks. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...