2979 matches found
Friday Squid Blogging: Eating More Squid
This research paper concludes that we'll be eating more squid in the future. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
How to Punish Cybercriminals
Interesting policy paper by Third Way: "To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors": In this paper, we argue that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish...
Buying Used Voting Machines on eBay
This is not surprising: This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines -- those that were used in the 2016 election -- are running Windows CE and have USB ports, along with other components, that make them even easie...
Was the Triton Malware Attack Russian in Origin?
The conventional story is that Iran targeted Saudi Arabia with Triton in 2017. New research from FireEye indicates that it might have been Russia. I don't know. FireEye likes to attribute all sorts of things to Russia, but the evidence here looks pretty good...
ID Systems Throughout the 50 States
Jim Harper at CATO has a good survey of state ID systems in the US...
Cell Phone Security and Heads of State
Earlier this week, the New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cell phone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potenti...
More on the Supermicro Spying Story
I've blogged twice about the Bloomberg story that China bugged Supermicro networking equipment destined to the US. We still don't know if the story is true, although I am increasingly skeptical because of the lack of corroborating evidence to emerge. We don't know anything more, but this is the...
Security Vulnerability in Internet-Connected Construction Cranes
This seems bad: The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane. "These devices...
Friday Squid Blogging: Squid Falsely Labeled as Octopus
Two New Yorkers have been charged with importing squid from Peru and then reselling it as octopus. Yet another problem that a blockchain-enabled supply-chain system won't solve. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read ...
Detecting Fake Videos
This story nicely illustrates the arms race between technologies to create fake videos and technologies to detect fake videos: These fakes, while convincing if you watch a few seconds on a phone screen, aren't perfect yet. They contain tells, like creepily ever-open eyes, from flaws in their...
Android Ad-Fraud Scheme
BuzzFeed is reporting on a scheme where fraudsters buy legitimate Android apps, track users' behavior in order to mimic it in a way that evades bot detectors, and then uses bots to perpetuate an ad-fraud scheme. After being provided with a list of the apps and websites connected to the scheme,...
China's Hacking of the Border Gateway Protocol
This is a long -- and somewhat technical -- paper by Chris C. Demchak and Yuval Shavitt about China's repeated hacking of the Internet Border Gateway Protocol BGP: "China's Maxim Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking." BGP hacking is how large...
On Disguise
The former CIA Chief of Disguise has a fascinating video about her work...
Are the Police Using Smart-Home IoT Devices to Spy on People?
IoT devices are surveillance devices, and manufacturers generally use them to collect data on their customers. Surveillance is still the business model of the Internet, and this data is used against the customers' interests: either by the device manufacturer or by some third party the manufacture...
Friday Squid Blogging: Roasted Squid with Tomatillo Salsa
Recipe and commentary. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
West Virginia Using Internet Voting
This is crazy and dangerous. West Virginia is allowing people to vote via a smart-phone app. Even crazier, the app uses blockchain -- presumably because they have no idea what the security issues with voting actually are...
Government Perspective on Supply Chain Security
This is an interesting interview with a former NSA employee about supply chain security. I consider this to be an insurmountable problem right now...
Privacy for Tigers
Ross Anderson has some new work: As mobile phone masts went up across the world's jungles, savannas and mountains, so did poaching. Wildlife crime syndicates can not only coordinate better but can mine growing public data sets, often of geotagged images. Privacy matters for tigers, for snow...
How DNA Databases Violate Everyone's Privacy
If you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. Research paper: "Identity inference of genomic data using...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm speaking at Data in Smarter Cities in New York City on October 23, 2018. I'm speaking at the Cyber Security Summit in Minneapolis, Minnesota on October 24, 2018. I'm speaking at ISF's 29th Annual World Congress in Las Vegas,...
Friday Squid Blogging: Eat Less Squid
The UK's Marine Conservation Society is urging people to eat less squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Security in a World of Physically Capable Computers
It's no secret that computers are insecure. Stories like the recent Facebook hack, the Equifax hack and the hacking of government agencies are remarkable for how unremarkable they really are. They might make headlines for a few days, but they're just the newsworthy tip of a very large iceberg. Th...
Another Bloomberg Story about Supply-Chain Hardware Attacks from China
Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. I linked to other...
Security Vulnerabilities in US Weapons Systems
The US Government Accounting Office just published a new report: "Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities" summary here. The upshot won't be a surprise to any of my regular readers: they're vulnerable. From the summary: Automation and connectivi...
Access Now Is Looking for a Chief Security Officer
The international digital human rights organization Access Now I am on the board is looking to hire a Chief Security Officer. I believe that, somewhere, there is a highly qualified security person who has had enough of corporate life and wants instead to make a difference in the world. If that's...
The US National Cyber Strategy
Last month, the White House released the "National Cyber Strategy of the United States of America. I generally don't have much to say about these sorts of documents. They're filled with broad generalities. Who can argue with: Defend the homeland by protecting networks, systems, functions, and dat...
Defeating the "Deal or No Deal" Arcade Game
Two teenagers figured out how to beat the "Deal or No Deal" arcade game by filming the computer animation and then slowing it down enough to determine where the big prize was hidden...
Friday Squid Blogging: Watch Squid Change Colors
This is an amazing short video of a squid -- I don't know the species -- changing its color instantly. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Detecting Credit Card Skimmers
Interesting research paper: "Fear the Reaper: Characterization and Fast Detection of Card Skimmers": Abstract: Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices includin...
Conspiracy Theories around the "Presidential Alert"
Noted conspiracy theorist John McAfee tweeted: The "Presidential alerts": they are capable of accessing the E911 chip in your phones -- giving them full access to your location, microphone, camera and every function of your phone. This not a rant, this is from me, still one of the leading...
Chinese Supply Chain Hardware Attack
Bloomberg is reporting about a Chinese espionage operating involving inserting a tiny chip into computer products made in China. I've written about alternate link this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and...
Helen Nissenbaum on Data Privacy and Consent
This is a fantastic Q with Cornell Tech Professor Helen Nissenbaum on data privacy and why it's wrong to focus on consent. I'm not going to pull a quote, because you should read the whole thing...
The Effects of GDPR's 72-Hour Notification Rule
The EU's GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem: Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1...
Terahertz Millimeter-Wave Scanners
Interesting article on terahertz millimeter-wave scanners and their uses to detect terrorist bombers. The heart of the device is a block of electronics about the size of a 1990s tower personal computer. It comes housed in a musician's black case, akin to the one Spinal Tap might use on tour. At t...
Sophisticated Voice Phishing Scams
Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone. I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always. EDITED TO...
Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising
From Kashmir Hill: Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other...
More on the Five Eyes Statement on Encryption and Backdoors
Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. Short summary: they like them. One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a...
Friday Squid Blogging: Squid Protein Used in Variable Thermal Conductivity Material
This is really neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Major Tech Companies Finally Endorse Federal Privacy Regulation
The major tech companies, scared that states like California might impose actual privacy regulations, have now decided that they can better lobby the federal government for much weaker national legislation that will preempt any stricter state measures. I'm sure they'll still do all they can to...
Yet Another IoT Cybersecurity Document
This one is from NIST: "Considerations for Managing Internet of Things IoT Cybersecurity and Privacy Risks." It's still in draft. Remember, there are many others...
Counting People Through a Wall with WiFi
Interesting research: In the team's experiments, one WiFi transmitter and one WiFi receiver are behind walls, outside a room in which a number of people are present. The room can get very crowded with as many as 20 people zigzagging each other. The transmitter sends a wireless signal whose receiv...
Evidence for the Security of PKCS #1 Digital Signatures
This is interesting research: "On the Security of the PKCS1 v1.5 Signature Scheme": Abstract: The RSA PKCS1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that...
New Variants of Cold-Boot Attack
If someone has physical access to your locked -- but still running -- computer, they can probably break the hard drive's encryption. This is a "cold boot" attack, and one we thought solved. We have not: To carry out the attack, the F-Secure researchers first sought a way to defeat the the...
Friday Squid Blogging: British Columbia "Squid Run" Is a Tourist Attraction
On James Island. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New Findings About Prime Number Distribution Almost Certainly Irrelevant to Cryptography
Lots of people are e-mailing me about this new result on the distribution of prime numbers. While interesting, it has nothing to do with cryptography. Cryptographers aren't interested in how to find prime numbers, or even in the distribution of prime numbers. Public-key cryptography algorithms li...
AES Resulted in a $250-Billion Economic Benefit
NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I d...
Security Vulnerability in ESS ExpressVote Touchscreen Voting Computer
Of course the ESS ExpressVote voting computer will have lots of security vulnerabilities. It's a computer, and computers have lots of vulnerabilities. This particular vulnerability is particularly interesting because it's the result of a security mistake in the design process. Someone didn't thin...
Pegasus Spyware Used in 45 Countries
Citizen Lab has published a new report about the Pegasus spyware. From a ZDNet article: The malware, known as Pegasus or Trident, was created by Israeli cyber-security firm NSO Group and has been around for at least three years -- when it was first detailed in a report over the summer of 2016. Th...
Public Shaming of Companies for Bad Security
Troy Hunt makes some good points, with good examples...
NSA Attacks Against Virtual Private Networks
A 2006 document from the Snowden archives outlines successful NSA operations against "a number of "high potential" virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems." It's...