2979 matches found
White House Chief of Staff John Kelly's Cell Phone was Tapped
Politico reports that White House Chief of Staff John Kelly's cell phone was compromised back in December. I know this is news because of who he is, but I hope every major government official of any country assumes that their commercial off-the-shelf cell phone is compromised. Even allies spy on...
Friday Squid Blogging: Baby Ichthyosaurus Fed on Squid
New discovery: paper and article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Yet Another Russian Hack of the NSA -- This Time with Kaspersky's Help
The Wall Street Journal has a bombshell of a story. Yet another NSA contractor took classified documents home with him. Yet another Russian intelligence operation stole copies of those documents. The twist this time is that the Russians identified the documents because the contractor had Kaspersk...
Replacing Social Security Numbers
In the wake of the Equifax break, I've heard calls to replace Social Security numbers. Steve Bellovin explains why this is hard...
HP Shared ArcSight Source Code with Russians
Reuters is reporting that HP Enterprise gave the Russians a copy of the ArcSight source code. The article highlights that ArcSight is used by the Pentagon to protect classified networks, but the security risks are much broader. Any weaknesses the Russians discover could be used against any ArcSig...
E-Mail Tracking
Interesting survey paper: on the privacy implications of e-mail tracking: Abstract: We show that the simple act of viewing emails contains privacy pitfalls for the unwary. We assembled a corpus of commercial mailing-list emails, and find a network of hundreds of third parties that track email...
Remote Malware Attacks on ATMs
This report discusses the new trend of remote malware attacks against ATMs...
Friday Squid Blogging: Squid Empire Is a New Book
Regularly I receive mail from people wanting to advertise on, write for, or sponsor posts on my blog. My rule is that I say no to everyone. There is no amount of money or free stuff that will get me to write about your security product or service. With regard to squid, however, I have no such...
Deloitte Hacked
The large accountancy firm Deloitte was hacked, losing client e-mails and files. The hackers had access inside the company's networks for months. Deloitte is doing its best to downplay the severity of this hack, but Brian Krebs reports that the hack "involves the compromise of all administrator...
New Internet Explorer Bug
There's a newly discovered bug in Internet Explorer that allows any currently visited website to learn the contents of the address bar when the user hits enter. This feels important; the site I am at now has no business knowing where I go next...
Department of Homeland Security to Collect Social Media of Immigrants and Citizens
New rules give the DHS permission to collect "social media handles, aliases, associated identifiable information, and search results" as part of people's immigration file. The Federal Register has the details, which seems to also include US citizens that communicate with immigrants. This is part ...
The Data Tinder Collects, Saves, and Uses
Under European law, service providers like Tinder are required to show users what information they have on them when requested. This author requested, and this is what she received: Some 800 pages came back containing information such as my Facebook "likes," my photos from Instagram even after I...
GPS Spoofing Attacks
Wired has a story about a possible GPS spoofing attack by Russia: After trawling through AIS data from recent years, evidence of spoofing becomes clear. Goward says GPS data has placed ships at three different airports and there have been other interesting anomalies. "We would find very large oil...
Friday Squid Blogging: Using Squid Ink to Detect Gum Disease
A new dental imagery method, using squid ink, light, and ultrasound. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Boston Red Sox Caught Using Technology to Steal Signs
The Boston Red Sox admitted to eavesdropping on the communications channel between catcher and pitcher. Stealing signs is believed to be particularly effective when there is a runner on second base who can both watch what hand signals the catcher is using to communicate with the pitcher and can...
ISO Rejects NSA Encryption Algorithms
The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It's because the NSA is not trusted to put security ahead of surveillance: A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of t...
What the NSA Collects via 702
New York Times reporter Charlie Savage writes about some bad statistics we're all using: Among surveillance legal policy specialists, it is common to cite a set of statistics from an October 2011 opinion by Judge John Bates, then of the FISA Court, about the volume of internet communications the...
Apple's FaceID
This is a good interview with Apple's SVP of Software Engineering about FaceID. Honestly, I don't know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it can't be hacked with fake faces. I dislike the fact that the police can point the phone at...
Bluetooth Vulnerabilities
A bunch of Bluetooth vulnerabilities are being reported, some pretty nasty. BlueBorne concerns us because of the medium by which it operates. Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensiv...
Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry
The Flannery family have caught four giant squid, two this year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Another iPhone Change to Frustrate the Police
I recently wrote about the new ability to disable the Touch ID login on iPhones. This is important because of a weirdness in current US law that protects people's passcodes from forced disclosure in ways it does not protect actions: being forced to place a thumb on a fingerprint reader. There's...
Hacking Robots
Researchers have demonstrated hacks against robots, taking over and controlling their camera, speakers, and movements. News article...
On the Equifax Data Breach
Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information...
Hacking Voice Assistant Systems with Inaudible Voice Commands
Turns out that all the major voice assistants -- Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa -- listen at audio frequencies the human ear can't hear. Hackers can hijack those systems with inaudible commands that their owners can't hear. News articles...
Securing a Raspberry Pi
A Raspberry Pi is a tiny computer designed for makers and all sorts of Internet-of-Things types of projects. Make magazine has an article about securing it. Reading it, I am struck by how much work it is to secure. I fear that this is beyond the capabilities of most tinkerers, and the result will...
A Hardware Privacy Monitor for iPhones
Andrew "bunnie" Huang and Edward Snowden have designed a hardware device that attaches to an iPhone and monitors it for malicious surveillance activities, even in instances where the phone's operating system has been compromised. They call it an Introspection Engine, and their use model is a...
Friday Squid Blogging: Make-Your-Own Squid Candy
It's Japanese. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
ShadowBrokers Releases NSA UNITEDRAKE Manual
The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines: Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a...
Research on What Motivates ISIS -- and Other -- Fighters
Interesting research from Nature Human Behaviour: "The devoted actor's will to fight and the spiritual dimension of human conflict": Abstract: Frontline investigations with fighters against the Islamic State ISIL or ISIS, combined with multiple online studies, address willingness to fight and die...
Security Vulnerabilities in AT&T Routers
They're actually Arris routers, sold or given away by AT&T.; There are several security vulnerabilities, some of them very serious. They can be fixed, but because these are routers it takes some skill. We don't know how many routers are affected, and estimates range from thousands to 138,000. Amo...
Security Flaw in Estonian National ID Card
We have no idea how bad this really is: On 30 August, an international team of researchers informed the Estonian Information System Authority RIA of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards...
New Techniques in Fake Reviews
Research paper: "Automated Crowdturfing Attacks and Defenses in Online Review Systems." Abstract: Malicious crowdsourcing forums are gaining traction as sources of spreading misinformation online, but are limited by the costs of hiring and managing human workers. In this paper, we identify a new...
Friday Squid Blogging: Bioluminescent Squid
There's a beautiful picture of a tiny squid in this New York Times article on bioluminescence -- and a dramatic one of a vampire squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Russian Hacking Tools Codenamed WhiteBear Exposed
Kaspersky Labs exposed a highly sophisticated set of hacking tools from Russia called WhiteBear. From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and...
Journalists Generally Do Not Use Secure Communication
This should come as no surprise: Alas, our findings suggest that secure communications haven't yet attracted mass adoption among journalists. We looked at 2,515 Washington journalists with permanent credentials to cover Congress, and we found only 2.5 percent of them solicit end-to-end encrypted...
A Framework for Cyber Security Insurance
New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017. Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. ...
Proof that HMAC-DRBG has No Back Doors
New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG," by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel. Abstract: We have formalized the functional specification of HMAC-DRBG NIST 800-90A, and we have proved its...
The NSA's 2014 Media Engagement and Outreach Plan
Interesting post-Snowden reading, just declassified. U External Communication will address at least one of "fresh look" narratives: 1. U NSA does not access everything. 2. U NSA does not collect indiscriminately on U.S. Persons and foreign nationals. 3. U NSA does not weaken encryption. 4. U NSA...
Ross Anderson on the History of the Crypto Wars in the UK
Ross Anderson gave a talk on the history of the Crypto Wars in the UK. I am intimately familiar with the US story, but didn't know as much about Britain's verson. Hour-long video. Summary...
Hacking a Phone Through a Replacement Touchscreen
Researchers demonstrated a really clever hack: they hid malware in a replacement smart phone screen. The idea is that you would naively bring your smart phone in for repair, and the repair shop would install this malicious screen without your knowledge. The malware is hidden in touchscreen...
Friday Squid Blogging: Prehistoric Dolphins that Ate Squid
Paleontologists have discovered a prehistoric toothless dolphin that fed by vacuuming up squid: There actually are modern odontocetes that don't really use their teeth either. Male beaked whales, for example, usually have one pair of teeth that is only used to fight for females, whose teeth stay...
Military Robots as a Nature Analog
This very interesting essay looks at the future of military robotics and finds many analogs in nature: Imagine a low-cost drone with the range of a Canada goose, a bird that can cover 1,500 miles in a single day at an average speed of 60 miles per hour. Planet Earth profiled a single flock of sno...
Massive Government Data Leak in Sweden
Seems to be incompetence rather than malice, but a good example of the dangers of blindly trusting the cloud...
Your Personal Bodycam
Shonin is a personal bodycam up on Kickstarter. There are a lot of complicated issues surrounding bodycams -- for example, it's obvious that police bodycams reduce violence -- but the one thing everyone is certain about is that they will proliferate. I'm not sure society is fully ready for the...
Insider Attack on Lottery Software
Eddie Tipton, a programmer for the Multi-State Lottery Association, secretly installed software that allowed him to predict jackpots. What's surprising to me is how many lotteries don't use real random number generators. What happened to picking golf balls out of wind-blown steel cages on...
iOS 11 Allows Users to Disable Touch ID
A new feature in Apple's new iPhone operating system -- iOS 11 -- will allow users to quickly disable Touch ID. A new setting, designed to automate emergency services calls, lets iPhone users tap the power button quickly five times to call 911. This doesn't automatically dial the emergency servic...
Friday Squid Blogging: Brittle Star Catches a Squid
Watch a brittle star catch a squid, and then lose it to another brittle star. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
More on My LinkedIn Account
I have successfully gotten the fake LinkedIn account in my name deleted. To prevent someone from doing this again, I signed up for LinkedIn. This is my first -- and only -- post on that account: My Only LinkedIn Post Yes, Really Welcome to my LinkedIn page. It looks empty because I'm never here. ...
Unfixable Automobile Computer Security Vulnerability
There is an unpatchable vulnerability that affects most modern cars. It's buried in the Controller Area Network CAN: Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable...
Do the Police Need a Search Warrant to Access Cell Phone Location Data?
The US Supreme Court is deciding a case that will establish whether the police need a warrant to access cell phone location data. This week I signed on to an amicus brief from a wide array of security technologists outlining the technical arguments as why the answer should be yes. Susan Landau...