2978 matches found
Friday Squid Blogging: Market Squid in Alaskan Waters
Rising sea temperatures is causing market squid to move north into Alaskan waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Unlocking iPhones with Dead People's Fingerprints
It's routine for US police to unlock iPhones with the fingerprints of dead people. It seems only to work with recently dead people...
Facebook and Cambridge Analytica
In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when...
Another Branch Prediction Attack
When Spectre and Meltdown were first announced earlier this year, pretty much everyone predicted that there would be many more attacks targeting branch prediction in microprocessors. Here's another one: In the new attack, an attacker primes the PHT and running branch instructions so that the PHT...
Breaking the Anonymity in the Cryptocurrency Monero
Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions. Research paper. BoingBoing post...
Tracing Stolen Bitcoin
Ross Anderson has a really interesting paper on tracing stolen bitcoin. From a blog post: Previous attempts to track tainted coins had used either the "poison" or the "haircut" method. Suppose I open a new address and pay into it three stolen bitcoin followed by seven freshly-mined ones. Then und...
Fooling Face Recognition with Infrared Light
Yet another development in the arms race between facial recognition systems and facial-recognition-system foolers. BoingBoing post...
Adding Backdoors at the Chip Level
Interesting research into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version," also available here: Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientif...
Friday Squid Blogging: Giant Squid Stealing Food from Each Other
An interesting hunting strategy: Off of northern Spain, giant squid often feed on schools of fish called blue whiting. The schools swim 400 meters or less below the surface, while the squid prefer to hang out around a mile deep. The squid must ascend to hunt, probably seizing fish from below with...
Zeynep Tufekci on Facebook and Cambridge Analytica
Zeynep Tufekci is particularly cogent about Facebook and Cambridge Analytica. Several news outlets asked me to write about this issue. I didn't, because 1 my book manuscript is due on Monday finally!, and 2 I knew Zeynep would say what I would say, only better...
GreyKey iPhone Unlocker
Some details about the iPhone unlocker from the US company Greyshift, with photos. Little is known about Grayshift or its sales model at this point. We don't know whether sales are limited to US law enforcement, or if it is also selling in other parts of the world. Regardless of that, it's highly...
Reverse Engineering the Cuban Sonic Weapon
Interesting analysis and speculation...
Hijacking Computers for Cryptocurrency Mining
Interesting paper "A first look at browser-based cryptojacking": Abstract: In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In this model, a user visiting a website will download ...
Dan Geer on the Dangers of Computer-Only Systems
A good warning, delivered in classic Dan Geer style...
Israeli Security Attacks AMD by Publishing Zero-Day Exploits
Last week, the Israeli security company CTS Labs published a series of exploits against AMD chips. The publication came with the flashy website, detailed whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from these sorts of things...
Friday Squid Blogging: New Squid Species Discovered in Australia
A new species of pygmy squid was discovered in Western Australia. It's pretty cute. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Interesting Article on Marcus Hutchins
This is a good article on the complicated story of hacker Marcus Hutchins...
Artificial Intelligence and the Attack/Defense Balance
Artificial intelligence technologies have the potential to upend the longstanding advantage that attack has over defense on the Internet. This has to do with the relative strengths and weaknesses of people and computers, how those all interplay in Internet security, and where AI technologies migh...
The 600+ Companies PayPal Shares Your Data With
One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good...
E-Mailing Private HTTPS Keys
I don't know what to make of this story: The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert,...
Greyshift Sells Phone Unlocking Services
Here's another company that claims to unlock phones for a price...
Two New Papers on the Encryption Debate
Seems like everyone is writing about encryption and backdoors this season. "Policy Approaches to the Encryption Debate," R Street Policy Study 133, by Charles Duan, Arthur Rizer, Zach Graves and Mike Godwin. "Encryption Policy in Democratic Regimes," East West Institute. I recently blogged about...
Friday Squid Blogging: Interesting Interview
Here's an hour-long audio interview with squid scientist Sarah McAnulty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
OURSA Conference
Responding to the lack of diversity at the RSA Conference, a group of security experts have announced a competing one-day conference: OUR Security Advocates, or OURSA. It's in San Francisco, and it's during RSA, so you can attend both...
History of the US Army Security Agency
Interesting history.pdf of the US Army Security Agency in the early years of Cold War Germany...
New DDoS Reflection-Attack Variant
This is worrisome: DDoS vandals have long intensified their attacks by sending a small number of specially designed data packets to publicly available services. The services then unwittingly respond by sending a much larger number of unwanted packets to a target. The best known vectors for these...
Security Vulnerabilities in Smart Contracts
Interesting research: "Finding The Greedy, Prodigal, and Suicidal Contracts at Scale": Abstract: Smart contracts -- stateful executable objects hosted on blockchains like Ethereum -- carry billions of dollars worth of coins and cannot be updated once deployed. We present a new systematic...
Intimate Partner Threat
Princeton's Karen Levy has a good article computer security and the intimate partner threat: When you learn that your privacy has been compromised, the common advice is to prevent additional access -- delete your insecure account, open a new one, change your password. This advice is such standard...
Extracting Secrets from Machine Learning Systems
This is fascinating research about how the underlying training data for a machine-learning system can be inadvertently exposed. Basically, if a machine-learning system trains on a dataset that contains secret information, in some cases an attacker can query the system to extract that secret...
Friday Squid Blogging: Searching for Humboldt Squid with Electronic Bait
Video and short commentary. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Malware from Space
Since you don't have enough to worry about, here's a paper postulating that space aliens could send us malware capable of destroying humanity. Abstract: A complex message from space may require the use of computers to display, analyze and understand. Such a message cannot be decontaminated with...
Russians Hacked the Olympics
Two weeks ago, I blogged about the myriad of hacking threats against the Olympics. Last week, the Washington Post reported that Russia hacked the Olympics network and tried to cast the blame on North Korea. Of course, the evidence is classified, so there's no way to verify this claim. And while t...
Apple to Store Encryption Keys in China
Apple is bowing to pressure from the Chinese government and storing encryption keys in China. While I would prefer it if it would take a stand against China, I really can't blame it for putting its business model ahead of its desires for customer privacy. Two more articles...
Cellebrite Unlocks iPhones for the US Government
Forbes reports that the Israeli company Cellebrite can probably unlock all iPhone models: Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have th...
E-Mail Leaves an Evidence Trail
If you're going to commit an illegal act, it's best not to discuss it in e-mail. It's also best to Google tech instructions rather than asking someone else to do it: One new detail from the indictment, however, points to just how unsophisticated Manafort seems to have been. Here's the relevant...
Friday Squid Blogging: The Symbiotic Relationship Between the Bobtail Squid and a Particular Microbe
This is the story of the Hawaiian bobtail squid and Vibrio fischeri. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Election Security
I joined a letter supporting the Secure Elections Act S. 2261: The Secure Elections Act strikes a careful balance between state and federal action to secure American voting systems. The measure authorizes appropriation of grants to the states to take important and time-sensitive actions, includin...
Harassment By Package Delivery
People harassing women by delivering anonymous packages purchased from Amazon. On the one hand, there is nothing new here. This could have happened decades ago, pre-Internet. But the Internet makes this easier, and the article points out that using prepaid gift cards makes this anonymous. I am...
New Spectre/Meltdown Variants
Researchers have discovered new variants of Spectre and Meltdown. The software mitigations for Spectre and Meltdown seem to block these variants, although the eventual CPU fixes will have to be expanded to account for these new attacks...
Facebook Will Verify the Physical Location of Ad Buyers with Paper Postcards
It's not a great solution, but it's something: The process of using postcards containing a specific code will be required for advertising that mentions a specific candidate running for a federal office, Katie Harbath, Facebook's global director of policy programs, said. The requirement will not...
On the Security of Walls
Interesting history of the security of walls: Dún Aonghasa presents early evidence of the same principles of redundant security measures at work in 13th century castles, 17th century star-shaped artillery fortifications, and even "defense in depth" security architecture promoted today by the...
Friday Squid Blogging: Squid Pin
There's a squid pin on Kickstarter. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New National Academies Report on Crypto Policy
The National Academies has just published "Decrypting the Encryption Debate: A Framework for Decision Makers." It looks really good, although I have not read it yet. Not much news or analysis yet. Please post any links you find in the comments, and I will summarize them here...
Election Security
Good Washington Post op-ed on the need to use voter-verifiable paper ballots to secure elections, as well as risk-limiting audits...
Can Consumers' Online Data Be Protected?
Everything online is hackable. This is true for Equifax's data and the federal Office of Personal Management's data, which was hacked in 2015. If information is on a computer connected to the Internet, it is vulnerable. But just because everything is hackable doesn't mean everything will be hacke...
Jumping Air Gaps
Nice profile of Mordechai Guri, who researches a variety of clever ways to steal data over air-gapped computers. Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its...
Internet Security Threats at the Olympics
There are a lot: The cybersecurity company McAfee recently uncovered a cyber operation, dubbed Operation GoldDragon, attacking South Korean organizations related to the Winter Olympics. McAfee believes the attack came from a nation state that speaks Korean, although it has no definitive proof tha...
Calling Squid "Calamari" Makes It More Appetizing
Research shows that what a food is called affects how we think about it. Research paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Living in a Smart Home
In "The House that Spied on Me," Kashmir Hill outfits her home to be as "smart" as possible and writes about the results...
Water Utility Infected by Cryptocurrency Mining Software
A water utility in Europe has been infected by cryptocurrency mining software. This is a relatively new attack: hackers compromise computers and force them to mine cryptocurrency for them. This is the first time I've seen it infect SCADA systems, though. It seems that this mining software is...