2979 matches found
Amazon's Door Lock Is Amazon's Bid to Control Your Home
Interesting essay about Amazon's smart lock: When you add Amazon Key to your door, something more sneaky also happens: Amazon takes over. You can leave your keys at home and unlock your door with the Amazon Key app -- but it's really built for Amazon deliveries. To share online access with family...
Security Vulnerability in Apple's HomeKit
The story of the recent vulnerability in Apple's HomeKit...
Details on the Mirai Botnet Authors
Brian Krebs has a long article on the Mirai botnet authors, who pled guilty...
GCHQ Found -- and Disclosed -- a Windows 10 Vulnerability
Now this is good news. The UK's National Cyber Security Centre NCSC -- part of GCHQ -- found a serious vulnerability in Windows Defender their anti-virus component. Instead of keeping it secret and all of us vulnerable, it alerted Microsoft. I'd like believe the US does this, too...
Lessons Learned from the Estonian National ID Security Flaw
Estonia recently suffered a major flaw in the security of their national ID card. This article discusses the fix and the lessons learned from the incident: In the future, the infrastructure dependency on one digital identity platform must be decreased, the use of several alternatives must be...
Friday Squid Blogging: Baby Sea Otters Prefer Shrimp to Squid
At least, this one does. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Tracking People Without GPS
Interesting research: The trick in accurately tracking a person with this method is finding out what kind of activity they're performing. Whether they're walking, driving a car, or riding in a train or airplane, it's pretty easy to figure out when you know what you're looking for. The sensors can...
Security Planner
Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It's not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I...
Friday Squid Blogging: Fake Squid Seized in Cambodia
Falsely labeled squid snacks were seized in Cambodia. I don't know what food product it really was. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Mozilla's Guide to Privacy-Aware Christmas Shopping
Mozilla reviews the privacy practices of Internet-connected toys, home accessories, exercise equipment, and more...
Websites Use Session-Replay Scripts to Eavesdrop on Every Keystroke and Mouse Movement
The security researchers at Princeton are posting You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, an...
Amazon Creates Classified US Cloud
Amazon has a cloud for US classified data. The physical and computer requirements for handling classified information are considerable, both in terms of technology and procedure. I am surprised that a company with no experience dealing with classified data was able to do it...
Vulnerability in Amazon Key
Amazon Key is an IoT door lock that can enable one-time access codes for delivery people. To further secure that system, Amazon sells Cloud Cam, a camera that watches the door to ensure that delivery people don't abuse their one-time access privilege. Cloud Cam has been hacked: But now security...
Friday Squid Blogging: Peru and Chile Address Squid Overfishing
Peru and Chile have a new plan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New White House Announcement on the Vulnerability Equities Process
The White House has released a new version of the Vulnerabilities Equities Process VEP. This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You...
Motherboard Digital Security Guide
This digital security guide by Motherboard is very good. I put alongside EFF's "Surveillance Self-Defense" and John Scott-Railton's "Digital Security Low Hanging Fruit." There's also "Digital Security and Privacy for Human Rights Defenders." There are too many of these...
Apple FaceID Hacked
It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlockin...
Long Article on NSA and the Shadow Brokers
The New York Times just published a long article on the Shadow Brokers and their effects on NSA operations. Summary: it's been an operational disaster, the NSA still doesn't know who did it or how, and NSA morale has suffered considerably. This is me on the Shadow Brokers from last May...
Google's Data on Login Thefts
This is interesting research and data: With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers...
Friday Squid Blogging: Squid Season May Start Earlier Next Year
Squid fisherman in Argentina have asked regulators to start the squid season earlier in 2018. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
New Research in Invisible Inks
It's a lot more chemistry than I understand: Invisible inks based on "smart" fluorescent materials have been shining brightly if only you could see them in the data-encryption/decryption arena lately.... But some of the materials are costly or difficult to prepare, and many of these inks remain...
Hacking a Fingerprint Biometric
Embedded in this story about infidelity and a mid-flight altercation, there's an interesting security tidbit: The woman had unlocked her husband's phone using his thumb impression when he was sleeping...
Facebook Fingerprinting Photos to Prevent Revenge Porn
This is a pilot project in Australia: Individuals who have shared intimate, nude or sexual images with partners and are worried that the partner or ex-partner might distribute them without their consent can use Messenger to send the images to be "hashed." This means that the company converts the...
Me on the Equifax Breach
Testimony and Statement for the Record of Bruce Schneier Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School Fellow, Berkman Center for Internet and Society at Harvard Law School Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerc...
Cybercriminals Infiltrating E-Mail Networks to Divert Large Customer Payments
There's a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate: The scam generally works like this: Hackers find an opening into a title company's or realty agent's email account, track upcoming...
Daphne Caruana Galizia's Murder and the Security of WhatsApp
Daphne Caruana Galizia was a Maltese journalist whose anti-corruption investigations exposed powerful people. She was murdered in October by a car bomb. Galizia used WhatsApp to communicate securely with her sources. Now that she is dead, the Maltese police want to break into her phone or the app...
Friday Squid Blogging: Squid Product Recall
Lidl is recalling two of its packaged squid products because of the presence of struvite salt crystals. The danger is unclear. The article says that struvite crystals "may be mistaken as glass fragments," which isn't actually dangerous. It also says: "As these salt crystals may cause injury, the...
Fraud Detection in PokƩmon Go
I play PokƩmon Go. There, I've admitted it. One of the interesting aspects of the game I've been watching is how the game's publisher, Niantic, deals with cheaters. There are three basic types of cheating in PokƩmon Go. The first is botting, where a computer plays the game instead of a person. Th...
Heart Size: Yet Another Biometric
Turns out that heart size doesn't change throughout your adult life, and you can use low-level Doppler radar to scan the size -- even at a distance -- as a biometric. Research paper to be available soon...
Attack on Old ANSI Random Number Generator
Almost 20 years ago, I wrote a paper that pointed to a potential flaw in the ANSI X9.17 RNG standard. Now, new research has found that the flaw exists in some implementations of the RNG standard. Here's the research paper, the website -- complete with cute logo -- for the attack, and Matthew...
Google Login Security for High-Risk Users
Google has a new login service for high-risk users. It's good, but unforgiving. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into yo...
Friday Squid Blogging: Steel Mesh Giant Squid Used as Artificial Reef
Researchers in the British Virgin Islands have sunk a giant squid made out of steel mesh to serve as an artificial reef. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
FBI Increases Its Anti-Encryption Rhetoric
Earlier this month, Deputy Attorney General Rod Rosenstein gave a speech warning that a world with encryption is a world without law -- or something like that. The EFF's Kurt Opsahl takes it apart pretty thoroughly. Last week, FBI Director Christopher Wray said much the same thing. This is an ide...
The Science of Interrogation
Fascinating article about two psychologists who are studying interrogation techniques. Now, two British researchers are quietly revolutionising the study and practice of interrogation. Earlier this year, in a meeting room at the University of Liverpool, I watched a video of the Diola interview...
CSE Releases Malware Analysis Tool
The Communications Security Establishment of Canada -- basically, Canada's version of the NSA -- has released a suite of malware analysis tools: Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one...
Reaper Botnet
It's based on the Mirai code, but much more virulent: While Mirai caused widespread outages, it impacted IP cameras and internet routers by simply exploiting their weak or default passwords. The latest botnet threat, known as alternately as IoT Troop or Reaper, has evolved that strategy, using...
Hacking Back
Hacking back is a terrible idea that just will not die. Josephine Wolff takes apart the new hacking back bill that was introduced in the House recently...
Friday Squid Blogging: "How the Squid Lost Its Shell"
Interesting essay by Danna Staaf, the author of Squid Empire. I mentioned the book two weeks ago. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Wondermark on Security
Another comic...
Denuvo DRM Cracked within a Day of Release
Denuvo is probably the best digital-rights management system, used to protect computer games. It's regularly cracked within a day. If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers. But that...
Security Flaws in Children's Smart Watches
The Norwegian Consumer Council has published a report detailing a series of security and privacy flaws in smart watches marketed to children. Press release. News article. This is the same group that found all those security and privacy vulnerabilities in smart dolls. EDITED TO ADD 10/21: Slashdot...
IoT Cybersecurity: What's Plan B?
In August, four US Senators introduced a bill designed to improve Internet of Things IoT security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any...
Security Flaw in Infineon Smart Cards and TPMs
A security flaw in Infineon smart cards and TPMs allows an attacker to recover private keys from the public keys. Basically, the key generation algorithm sometimes creates public keys that are vulnerable to Coppersmith's attack: While all keys generated with the library are much weaker than they...
New KRACK Attack Against Wi-Fi Encryption
Mathy Vanhoef has just published a devastating attack against WPA2, the 14-year-old encryption protocol used by pretty much all wi-fi systems. Its an interesting attack, where the attacker forces the protocol to reuse a key. The authors call this attack KRACK, for Key Reinstallation Attacks This ...
Friday Squid Blogging: International Squid Awareness Day
It's International Cephalopod Awareness Days this week, and Tuesday was Squid Day. I can't believe I missed it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
My Blogging
Blog regulars will notice that I haven't been posting as much lately as I have in the past. There are two reasons. One, it feels harder to find things to write about. So often it's the same stories over and over. I don't like repeating myself. Two, I am busy writing a book. The title is still:...
Technology to Out Sex Workers
Two related stories: PornHub is using machine learning algorithms to identify actors in different videos, so as to better index them. People are worried that it can really identify them, by linking their stage names to their real names. Facebook somehow managed to link a sex worker's clients unde...
Impersonating iOS Password Prompts
This is an interesting security vulnerability: because it is so easy to impersonate iOS password prompts, a malicious app can steal your password just by asking. Why does this work? iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS...
More on Kaspersky and the Stolen NSA Attack Tools
Both the New York Times and the Washington Post are reporting that Israel has penetrated Kaspersky's network and detected the Russian operation. From the New York Times: Israeli intelligence officers informed the NSA that, in the course of their Kaspersky hack, they uncovered evidence that Russia...
Changes in Password Best Practices
NIST recently published its four-volume SP800-63b Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords: 1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because...