2979 matches found
Friday Squid Blogging: Dissecting a Giant Squid
Lessons learned. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Click Here to Kill Everybody Reviews and Press Mentions
It's impossible to know all the details, but my latest book seems to be selling well. Initial reviews have been really positive: Boing Boing, Financial Times, Harris Online, Kirkus Reviews, Nature, Politico, and Virus Bulletin. I've also done a bunch of interviews -- either written or radio/podca...
Quantum Computing and Cryptography
Quantum computing is a new way of computing -- one that could allow humankind to perform computations that are simply impossible using today's computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to...
Security Risks of Government Hacking
Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include: Disincentive for vulnerability disclosure Cultivation of a market...
Security Vulnerability in Smart Electric Outlets
A security vulnerability in Belkin's Wemo Insight "smartplugs" allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network. From the Register: The bug underscores the primary risk posed by IoT devices and connected appliances. Because...
Using Hacked IoT Devices to Disrupt the Power Grid
This is really interesting research: "BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid": Abstract: We demonstrate that an Internet of Things IoT botnet of high wattage devices -- such as air conditioners and heaters -- gives a unique ability to adversaries to launch...
Friday Squid Blogging: 100-kg Squid Caught Off the Coast of Madeira
News. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Reddit AMA
I did a Reddit AMA on Thursday, September 6...
Five-Eyes Intelligence Services Choose Surveillance Over Security
The Five Eyes -- the intelligence consortium of the rich English-speaking countries the US, Canada, the UK, Australia, and New Zealand -- have issued a "Statement of Principles on Access to Evidence and Encryption" where they claim their needs for surveillance outweigh everyone's needs for securi...
Using a Smartphone's Microphone and Speakers to Eavesdrop on Passwords
It's amazing that this is even possible: "SonarSnoop: Active Acoustic Side-Channel Attacks": Abstract: We report the first active acoustic side-channel attack. Speakers are used to emit human inaudible acoustic signals and the echo is recorded via microphones, turning the acoustic system of a sma...
New Book Announcement: Click Here to Kill Everybody
I am pleased to announce the publication of my latest book: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. In it, I examine how our new immersive world of physically capable computers affects our security. I argue that this changes everything about security. Attac...
Friday Squid Blogging: Giant Squid Washes up on Wellington Beach
Another giant squid washed up on a beach, this time in Wellington, New Zealand. Is this a global trend? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
I'm Doing a Reddit AMA
On Thursday, September 6, starting at 10:00 am CDT, I'll be doing a Reddit "Ask Me Anything" in association with the Ford Foundation. It's about my new book, but -- of course -- you can ask me anything. No promises that I will answer everything...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I'm giving a book talk on Click Here to Kill Everybody at the Ford Foundation in New York City, on September 5, 2018. The Aspen Institute's Cybersecurity & Technology Program is holding a book launch for Click Here to Kill Everybod...
Eavesdropping on Computer Screens through the Webcam Mic
Yet another way of eavesdropping on someone's computer activity: using the webcam microphone to "listen" to the computer's screen...
Cheating in Bird Racing
I've previously written about people cheating in marathon racing by driving -- or otherwise getting near the end of the race by faster means than running. In China, two people were convicted of cheating in a pigeon race: The essence of the plan involved training the pigeons to believe they had tw...
CIA Network Exposed through Insecure Communications System
Interesting story of a CIA intelligence network in China that was exposed partly because of a computer security failure: Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In...
NotPetya
Andy Greenberg wrote a fascinating account of the Russian NotPetya worm, with an emphasis on its effects on the company Maersk. BoingBoing post...
Future Cyberwar
A report for the Center for Strategic and International Studies looks at surprise and war. One of the report's cyberwar scenarios is particularly compelling. It doesn't just map cyber onto today's tactics, but completely reimagines future tactics that include a cyber component quote starts on pag...
Friday Squid Blogging: Clubhook Squid Washes Up on Oregon Beach
This seems to have happened twice in two weeks. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
John Mueller and Mark Stewart on the Risks of Terrorism
Another excellent paper by the Mueller/Stewart team: "Terrorism and Bathtubs: Comparing and Assessing the Risks": Abstract: The likelihood that anyone outside a war zone will be killed by an Islamist extremist terrorist is extremely small. In the United States, for example, some six people have...
Good Primer on Two-Factor Authentication Security
Stuart Schechter published a good primer on the security issues surrounding two-factor authentication. While it's often an important security measure, it's not a panacea. Stuart discusses the usability and security issues that you have to think about before deploying the system...
"Two Stage" BMW Theft Attempt
Modern cars have alarm systems that automatically connect to a remote call center. This makes cars harder to steal, since tripping the alarm causes a quick response. This article describes a theft attempt that tried to neutralize that security system. In the first attack, the thieves just disable...
James Mickens on the Current State of Computer Security
James Mickens gave an excellent keynote at the USENIX Security Conference last week, talking about the social aspects of security -- racism, sexism, etc. -- and the problems with machine learning and the Internet. Worth watching...
Friday Squid Blogging: Firefly Squid Museum
The Hotaruika Museum is a museum devoted to firefly squid in Toyama, Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New Ways to Track Internet Browsing
Interesting research on web tracking: "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies: Abstract: Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular...
Speculation Attack Against Intel's SGX
Another speculative-execution attack against Intel's SGX. At a high level, SGX is a new feature in modern Intel CPUs which allows computers to protect users' data even if the entire system falls under the attacker's control. While it was previously believed that SGX is resilient to speculative...
Hacking Police Bodycams
Suprising no one, the security of police bodycams is terrible. Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras. Then, when the camera connects to a PC for syncing, it...
Google Tracks its Users Even if They Opt-Out of Tracking
Google is tracking you, even if you turn off tracking: Google says that will prevent the company from remembering where you've been. Google's support page on the subject states: "You can turn off Location History at any time. With Location History off, the places you go are no longer stored." Tha...
Identifying Programmers by their Coding Style
Fascinating research de-anonymizing code -- from either source code or compiled code: Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, have found...
Friday Squid Blogging: New Tool for Grabbing Squid and other Fragile Sea Creatures
Interesting video of a robot grabber that's delicate enough to capture squid and even jellyfish in the ocean. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
xkcd on Voting Computers
Funny and true...
Don't Fear the TSA Cutting Airport Security. Be Glad That They're Talking about It.
Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes -- 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations. To be clear, the TSA has put forth no...
Detecting Phishing Sites with Machine Learning
Really interesting article: A trained eye or even a not-so-trained one can discern when something phishy is going on with a domain or subdomain name. There are search tools, such as Censys.io, that allow humans to specifically search through the massive pile of certificate log entries for sites...
SpiderOak's Warrant Canary Died
BoingBoing has the story. I have never quite trusted the idea of a warrant canary. But here it seems to have worked. Presumably, if SpiderOak wanted to replace the warrant canary with a transparency report, they would have written something explaining their decision. To have it simply disappear i...
Measuring the Rationality of Security Decisions
Interesting research: "Dancing Pigs or Externalities? Measuring the Rationality of Security Decisions": Abstract: Accurately modeling human decision-making in security is critical to thinking about when, why, and how to recommend that users adopt certain secure behaviors. In this work, we conduct...
Hacking the McDonald's Monopoly Sweepstakes
Long and interesting story -- now two decades old -- of massive fraud perpetrated against the McDonald's Monopoly sweepstakes. The central fraudster was the person in charge of securing the winning tickets...
Friday Squid Blogging: Calamari Squid Catching Prey
The calamari squid grabs prey three feet away with its fast tentacles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Three of My Books Are Available in DRM-Free E-Book Format
Humble Bundle sells groups of e-books at ridiculously low prices, DRM free. This month, the bundles are all Wiley titles, including three of my books: Applied Cryptography, Secrets and Lies, and Cryptography Engineering. $15 gets you everything, and they're all DRM-free. Even better, a portion of...
How the US Military Can Better Keep Hackers
Interesting commentary: The military is an impossible place for hackers thanks to antiquated career management, forced time away from technical positions, lack of mission, non-technical mid- and senior-level leadership, and staggering pay gaps, among other issues. It is possible the military need...
Using In-Game Purchases to Launder Money
Evidence that stolen credit cards are being used to purchase items in games like Clash of Clans, which are then resold for cash...
GCHQ on Quantum Key Distribution
The UK's GCHQ delivers a brutally blunt assessment of quantum key distribution: QKD protocols address only the problem of agreeing keys for encrypting data. Ubiquitous on-demand modern services such as verifying identities and data integrity, establishing network sessions, providing access contro...
Backdoors in Cisco Routers
We don't know if this is error or deliberate action, but five backdoors have been discovered already this year...
Hacking a Robot Vacuum
The Diqee 360 robotic vacuum cleaner can be turned into a surveillance device. The attack requires physical access to the device, so in the scheme of things it's not a big deal. But why in the world is the vacuum equipped with a microphone?...
The Poor Cybersecurity of US Space Assets
Good policy paper summary here on the threats, current state, and potential policy solutions for the poor security of US space systems...
Identifying People by Metadata
Interesting research: "You are your Metadata: Identification and Obfuscation of Social Media Users using Metadata Information," by Beatrice Perez, Mirco Musolesi, and Gianluca Stringhini. Abstract: Metadata are associated to most of the information we produce in our daily interactions and...
Friday Squid Blogging: Squid Deception
This is a fantastic video of a squid attracting prey with a tentacle that looks like a smaller squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New Report on Police Digital Forensics Techniques
According to a new CSIS report, "going dark" is not the most pressing problem facing law enforcement in the age of digital data: Over the past year, we conducted a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups...
Third Annual Cybercrime Conference
Ross Anderson liveblogged the Third Annual Cybercrime Conference...
Google Employees Use a Physical Token as Their Second Authentication Factor
Krebs on Security is reporting that all 85,000 Google employees use two-factor authentication with a physical token. A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security key...