2979 matches found
Kidnapping Fraud
Fake kidnapping fraud: "Most commonly we have unsolicited calls to potential victims in Australia, purporting to represent the people in authority in China and suggesting to intending victims here they have been involved in some sort of offence in China or elsewhere, for which they're being held...
Friday Squid Blogging: Squid Comic
It's not very good, but it has a squid in it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Security and Human Behavior (SHB 2018)
I'm at Carnegie Mellon University, at the eleventh Workshop on Security and Human Behavior. SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The 50 or so people in the roo...
Detecting Lies through Mouse Movements
Interesting research: "The detection of faked identity using unexpected questions and mouse dynamics," by Merulin Monaro, Luciano Gamberini, and Guiseppe Sartori. Abstract: The detection of faked identities is a major problem in security. Current memory-detection techniques cannot be used as they...
Font Steganography
Interesting research in steganography at the font level...
Supermarket Shoplifting
The rise of self-checkout has caused a corresponding rise in shoplifting...
Another Spectre-Like CPU Vulnerability
Google and Microsoft researchers have disclosed another Spectre-like CPU side-channel vulnerability, called "Speculative Store Bypass." Like the others, the fix will slow the CPU down. The German tech site Heise reports that more are coming. I'm not surprised. Writing about Spectre and Meltdown i...
Japan's Directorate for Signals Intelligence
The Intercept has a long article on Japan's equivalent of the NSA: the Directorate for Signals Intelligence. Interesting, but nothing really surprising. The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly...
Friday Squid Blogging: Flying Squid
Flying squid are real. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Maliciously Changing Someone's Address
Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later. The problem, of course, is that in the US there isn't any authentication of change-of-address submissions: According to the Postal Service, nearly 37 million...
White House Eliminates Cybersecurity Position
The White House has eliminated the cybersecurity coordinator position. This seems like a spectacularly bad idea...
Accessing Cell Phone Location Information
The New York Times is reporting about a company called Securus Technologies that gives police the ability to track cell phone locations without a warrant: The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically...
Sending Inaudible Commands to Voice Assistants
Researchers have demonstrated the ability to send inaudible commands to voice assistants like Alexa, Siri, and Google Assistant. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear t...
Details on a New PGP Vulnerability
A new PGP vulnerability was announced today. Basically, the vulnerability makes use of the fact that modern e-mail programs allow for embedded HTML objects. Essentially, if an attacker can intercept and modify a message in transit, he can insert code that sends the plaintext in a URL to a remote...
Critical PGP Vulnerability
EFF is reporting that a critical vulnerability has been discovered in PGP and S/MIME. No details have been published yet, but one of the researchers wrote: We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of...
Friday Squid Blogging: How the Squid Lost Its Shell
Squids used to have shells. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Airline Ticket Fraud
New research: "Leaving on a jet plane: the trade in fraudulently obtained airline tickets:" Abstract: Every day, hundreds of people fly on airline tickets that have been obtained fraudulently. This crime script analysis provides an overview of the trade in these tickets, drawing on interviews wit...
Supply-Chain Security
Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users. It's a legitimate fear, and perhaps a prudent action. But it's just one instance of the much larger issue of securing our supply...
Virginia Beach Police Want Encrypted Radios
This article says that the Virginia Beach police are looking to buy encrypted radios. Virginia Beach police believe encryption will prevent criminals from listening to police communications. They said officer safety would increase and citizens would be better protected. Someone should ask them if...
The US Is Unprepared for Election-Related Hacking in 2018
This survey and report is not surprising: The survey of nearly forty Republican and Democratic campaign operatives, administered through November and December 2017, revealed that American political campaign staff -- primarily working at the state and congressional levels -- are not only unprepare...
Ray Ozzie's Encryption Backdoor
Last month, Wired published a long article about Ray Ozzie and his supposed new scheme for adding a backdoor in encrypted devices. It's a weird article. It paints Ozzie's proposal as something that "attains the impossible" and "satisfies both law enforcement and privacy purists," when 1 it's bare...
Friday Squid Blogging: US Army Developing 3D-Printable Battlefield Robot Squid
The next major war will be super weird. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Detecting Laptop Tampering
Micah Lee ran a two-year experiment designed to detect whether or not his laptop was ever tampered with. The results are inconclusive, but demonstrate how difficult it can be to detect laptop tampering...
LC4: Another Pen-and-Paper Cipher
Interesting symmetric cipher: LC4: Abstract: ElsieFour LC4 is a low-tech cipher that can be computed by hand; but unlike many historical ciphers, LC4 is designed to be hard to break. LC4 is intended for encrypted communication between humans only, and therefore it encrypts and decrypts plaintexts...
NIST Issues Call for "Lightweight Cryptography" Algorithms
This is interesting: Creating these defenses is the goal of NIST's lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device. Many of the sensors, actuators and other micromachines that will functio...
IoT Inspector Tool from Princeton
Researchers at Princeton University have released IoT Inspector, a tool that analyzes the security and privacy of IoT devices by examining the data they send across the Internet. They've already used the tool to study a bunch of different IoT devices. From their blog post: Finding 3: Many IoT...
Security Vulnerabilities in VingCard Electronic Locks
Researchers have disclosed a massive vulnerability in the VingCard eletronic lock system, used in hotel rooms around the world: With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over...
Friday Squid Blogging: Bizarre Contorted Squid
This bizarre contorted squid might be a new species, or a previously known species exhibiting a new behavior. No one knows. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
TSB Bank Disaster
This seems like an absolute disaster: The very short version is that a UK bank, TSB, which had been merged into and then many years later was spun out of Lloyds Bank, was bought by the Spanish bank Banco Sabadell in 2015. Lloyds had continued to run the TSB systems and was to transfer them over t...
New NSA/Cyber Command Head Confirmed by Senate
It's Lt. Gen. Paul Nakasone. I know nothing about him...
Two NSA Algorithms Rejected by the ISO
The ISO has rejected two symmetric encryption algorithms: SIMON and SPECK. These algorithms were both designed by the NSA and made public in 2013. They are optimized for small and low-cost processors like IoT devices. The risk of using NSA-designed ciphers, of course, is that they include...
Baseball Code
Info on the coded signals used by the Colorado Rockies...
Computer Alarm that Triggers When Lid Is Opened
"Do Not Disturb" is a Macintosh app that send an alert when the lid is opened. The idea is to detect computer tampering. Wired article: Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves a picture snapped with...
Russia is Banning Telegram
Russia has banned the secure messaging app Telegram. It's making an absolute mess of the ban -- blocking 16 million IP addresses, many belonging to the Amazon and Google clouds -- and it's not even clear that it's working. But, more importantly, I'm not convinced Telegram is secure in the first...
Yet Another Biometric: Ear Shape
This acoustic technology identifies individuals by their ear shapes. No information about either false positives or false negatives...
Friday Squid Blogging: Squid Prices Rise as Catch Decreases
In Japan: Last year's haul sank 15% to 53,000 tons, according to the JF Zengyoren national federation of fishing cooperatives. The squid catch has fallen by half in just two years. The previous low was plumbed in 2016. Lighter catches have been blamed on changing sea temperatures, which impedes t...
Securing Elections
Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems ar...
Lifting a Fingerprint from a Photo
Police in the UK were able to read a fingerprint from a photo of a hand: Staff from the unit's specialist imaging team were able to enhance a picture of a hand holding a number of tablets, which was taken from a mobile phone, before fingerprint experts were able to positively identify that the ha...
Oblivious DNS
Interesting idea: ...we present Oblivious DNS ODNS, which is a new design of the DNS ecosystem that allows current DNS servers to remain unchanged and increases privacy for data in motion and at rest. In the ODNS system, both the client is modified with a local resolver, and there is a new...
Hijacking Emergency Sirens
Turns out it's easy to hijack emergency sirens with a radio transmitter...
The DMCA and its Chilling Effects on Research
The Center for Democracy and Technology has a good summary of the current state of the DMCA's chilling effects on security research. To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all typ...
Friday Squid Blogging: Eating Firefly Squid
In Tokama, Japan, you can watch the firefly squid catch and eat them in various ways: "It's great to eat hotaruika around when the seasons change, which is when people tend to get sick," said Ryoji Tanaka, an executive at the Toyama prefectural federation of fishing cooperatives. "In addition to...
COPPA Compliance
Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale": Abstract: We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance...
Cybersecurity Insurance
Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But...
The Digital Security Exchange Is Live
Last year I wrote about the Digital Security Exchange. The project is live: The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats. We do this by pairing civil society and social sector organizations with...
DARPA Funding in AI-Assisted Cybersecurity
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS Computers and Humans Exploring Software Security, and they're holding a proposers day in a week and a half. This is the kind of thing that can dramatically change the...
Obscure E-Mail Vulnerability
This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so [email protected] is the same as [email protected] is the same as [email protected]. Note: I do not own any of those email addresse...
Friday Squid Blogging: Sake Decanters Made of Dried Squid
This is interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Subverting Backdoored Encryption
This is a really interesting research result. This paper proves that two parties can create a secure communications channel using a communications system with a backdoor. It's a theoretical result, so it doesn't talk about how easy that channel is to create. And the assumptions on the adversary a...
Public Hearing on IoT Risks
The US Consumer Product Safety Commission is holding hearings on IoT risks: The U.S. Consumer Product Safety Commission CPSC, Commission, or we will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with...