2979 matches found
Hacking a Gene Sequencer by Encoding Malware in a DNA Strand
One of the common ways to hack a computer is to mess with its input data. That is, if you can feed the computer data that it interprets -- or misinterprets -- in a particular way, you can trick the computer into doing things that it wasn't intended to do. This is basically what a buffer overflow...
Bank Robbery Tactic
This video purports to be a bank robbery in Kiev. He first threatens a teller, who basically ignores him because she's behind bullet-proof glass. But then the robber threatens one of her co-workers, who is on his side of the glass. Interesting example of a security system failing for an unexpecte...
Friday Squid Blogging: Squid Eyeballs
Details on how a squid's eye corrects for underwater distortion: Spherical lenses, like the squids', usually can't focus the incoming light to one point as it passes through the curved surface, which causes an unclear image. The only way to correct this is by bending each ray of light differently...
I Seem to Have a LinkedIn Account
I seem to have a LinkedIn account. This comes as a surprise, since I don't have a LinkedIn account, and have never logged in to LinkedIn. Does anyone have any contacts into the company? I would like to report this fraudulent account, and possibly get control of it. I'm not on LinkedIn, but the be...
Confusing Self-Driving Cars by Altering Road Signs
Researchers found that they could confuse the road sign detection algorithms of self-driving cars by adding stickers to the signs on the road. They could, for example, cause a car to think that a stop sign is a 45 mph speed limit sign. The changes are subtle, though -- look at the photo from the...
Turning an Amazon Echo into an Eavesdropping Device
For once, the real story isn't as bad as it seems. A researcher has figured out how to install malware onto an Echo that causes it to stream audio back to a remote controller, but: The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. Bu...
More on the Vulnerabilities Equities Process
Richard Ledgett -- a former Deputy Director of the NSA -- argues against the US government disclosing all vulnerabilities: Proponents argue that this would allow patches to be developed, which in turn would help ensure that networks are secure. On its face, this argument might seem to make sense ...
Uber Drivers Hacking the System to Cause Surge Pricing
Interesting story about Uber drivers who have figured out how to game the company's algorithms to cause surge pricing: According to the study. drivers manipulate Uber's algorithm by logging out of the app at the same time, making it think that there is a shortage of cars. ... The study said drive...
Hacking Slot Machines by Reverse-Engineering the Random Number Generators
Interesting story: The venture is built on Alex's talent for reverse engineering the algorithms -- known as pseudorandom number generators, or PRNGs -- that govern how slot machine games behave. Armed with this knowledge, he can predict when certain games are likeliest to spit out moneyinsight...
Friday Squid Blogging: Squid Fake News
I never imagined that there would be fake news about squid. That website lets you write your own stories. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Penetrating a Casino's Network through an Internet-Connected Fish Tank
Attackers used a vulnerability in an Internet-connected fish tank to successfully penetrate a casino's network. BoingBoing post...
Splitting the NSA and US Cyber Command
Rumor is that the Trump administration will separate the NSA and US Cyber Command. I have long thought this was a good idea. Here's a good discussion of what it does and doesn't mean...
Voting Machine Security
Last week, DefCon hosted a "Voter Hacker Village" event. Every single voting machine there was easily hackable. Here are detailed details. There should be a summary report soon; I'll add it to this post when it's published...
Detecting Stingrays
Researchers are developing technologies that can detect IMSI-catchers: those fake cell phone towers that can be used to surveil people in the area. This is good work, but it's unclear to me whether these devices can detect all the newer IMSI-catchers that are being sold to governments worldwide...
NSA Collects MS Windows Error Information
Back in 2013, Der Spiegel reported that the NSA intercepts and collects Windows bug reports: One example of the sheer creativity with which the TAO spies approach their work can be seen in a hacking method they use that exploits the error-proneness of Microsoft's Windows. Every user of the...
Vulnerabilities in Car Washes
Articles about serious vulnerabilities in IoT devices and embedded systems are now dime-a-dozen. This one concerns Internet-connected car washes: A group of security researchers have found vulnerabilities in internet-connected drive-through car washes that would let hackers remotely hijack the...
Robot Safecracking
Robots can crack safes faster than humans -- and differently: So Seidle started looking for shortcuts. First he found that, like many safes, his SentrySafe had some tolerance for error. If the combination includes a 12, for instance, 11 or 13 would work, too. That simple convenience measure meant...
Measuring Vulnerability Rediscovery
New paper: "Taking Stock: Estimating Vulnerability Rediscovery," by Trey Herr, Bruce Schneier, and Christopher Morris: Abstract: How often do multiple, independent, parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue o...
Friday Squid Blogging: Giant Squids Have Small Brains
New research: In this study, the optic lobe of a giant squid Architeuthis dux, male, mantle length 89 cm, which was caught by local fishermen off the northeastern coast of Taiwan, was scanned using high-resolution magnetic resonance imaging in order to examine its internal structure. It was evide...
Me on Restaurant Surveillance Technology
I attended the National Restaurant Association exposition in Chicago earlier this year, and looked at all the ways modern restaurant IT is spying on people. But there's also a fundamentally creepy aspect to much of this. One of the prime ways to increase value for your brand is to use the Interne...
Zero-Day Vulnerabilities against Windows in the NSA Tools Released by the Shadow Brokers
In April, the Shadow Brokers -- presumably Russia -- released a batch of Windows exploits from what is presumably the NSA. Included in that release were eight different Windows vulnerabilities. Given a presumed theft date of the data as sometime between 2012 and 2013 -- based on timestamps of the...
Firing a Locked Smart Gun
The Armatix IP1 "smart gun" can only be fired by someone who is wearing a special watch. Unfortunately, this security measure is easily hackable...
Roombas will Spy on You
The company that sells the Roomba autonomous vacuum wants to sell the data about your home that it collects. Some questions: What happens if a Roomba user consents to the data collection and later sells his or her home -- especially furnished -- and now the buyers of the data have a map of a home...
Alternatives to Government-Mandated Encryption Backdoors
Policy essay: "Encryption Substitutes," by Andrew Keane Woods: In this short essay, I make a few simple assumptions that bear mentioning at the outset. First, I assume that governments have good and legitimate reasons for getting access to personal data. These include things like controlling crim...
US Army Researching Bot Swarms
The US Army Research Agency is funding research into autonomous bot swarms. From the announcement: The objective of this CRA is to perform enabling basic and applied research to extend the reach, situational awareness, and operational effectiveness of large heterogeneous teams of intelligent...
Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland
It's the second in two months. Video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Hacking a Segway
The Segway has a mobile app. It is hackable: While analyzing the communication between the app and the Segway scooter itself, Kilbride noticed that a user PIN number meant to protect the Bluetooth communication from unauthorized access wasn't being used for authentication at every level of the...
Ethereum Hacks
The press is reporting a $32M theft of the cryptocurrency Ethereum. Like all such thefts, they're not a result of a cryptographic failure in the currencies, but instead a software vulnerability in the software surrounding the currency -- in this case, digital wallets. This is the second Ethereum...
Password Masking
Slashdot asks if password masking -- replacing password characters with asterisks as you type them -- is on the way out. I don't know if that's true, but I would be happy to see it go. Shoulder surfing, the threat is defends against, is largely nonexistent. And it is becoming harder to type in...
Many of My E-Books for Cheap
Humble Bundle is selling a bunch of cybersecurity books very cheaply. You can get copies of Applied Cryptography, Secrets and Lies, and Cryptography Engineering -- and also Ross Anderson's Security Engineering, Adam Shostack's Threat Modeling, and many others. This is the cheapest you'll ever see...
Australia Considering New Law Weakening Encryption
News from Australia: Under the law, internet companies would have the same obligations telephone companies do to help law enforcement agencies, Prime Minister Malcolm Turnbull said. Law enforcement agencies would need warrants to access the communications. "We've got a real problem in that the la...
Friday Squid Blogging: Eyeball Collector Wants a Giant-Squid Eyeball
They're rare: The one Dubielzig really wants is an eye from a giant squid, which has the biggest eye of any living animal -- it's the size of a dinner plate. "But there are no intact specimens of giant squid eyes, only rotten specimens that have been beached," he says. As usual, you can also use...
Book Review: Twitter and Tear Gas, by Zeynep Tufekci
There are two opposing models of how the Internet has changed protest movements. The first is that the Internet has made protesters mightier than ever. This comes from the successful revolutions in Tunisia 2010-11, Egypt 2011, and Ukraine 2013. The second is that it has made them more ineffectual...
Forged Documents and Microsoft Fonts
A set of documents in Pakistan were detected as forgeries because their fonts were not in circulation at the time the documents were dated...
Tomato-Plant Security
I have a soft spot for interesting biological security measures, especially by plants. I've used them as examples in several of my books. Here's a new one: when tomato plants are attacked by caterpillars, they release a chemical that turns the caterpillars on each other: It's common for...
More on the NSA's Use of Traffic Shaping
"Traffic shaping" -- the practice of tricking data to flow through a particular route on the Internet so it can be more easily surveiled -- is an NSA technique that has gotten much less attention than it deserves. It's a powerful technique that allows an eavesdropper to get access to communicatio...
Hacking Spotify
Some of the ways artists are hacking the music-streaming service Spotify...
The Future of Forgeries
This article argues that AI technologies will make image, audio, and video forgeries much easier in the future. Combined, the trajectory of cheap, high-quality media forgeries is worrying. At the current pace of progress, it may be as little as two or three years before realistic audio forgeries...
Friday Squid Blogging: Why It's Hard to Track the Squid Population
Counting squid is not easy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
An Assassin's Teapot
This teapot has two chambers. Liquid is released from one or the other depending on whether an air hole is covered. I want one...
DNI Wants Research into Secure Multiparty Computation
The Intelligence Advanced Research Projects Activity IARPA is soliciting proposals for research projects in secure multiparty computation: Specifically of interest is computing on data belonging to different -- potentially mutually distrusting -- parties, which are unwilling or unable e.g., due t...
Now It's Easier than Ever to Steal Someone's Keys
The website key.me will make a duplicate key from a digital photo. If a friend or coworker leaves their keys unattended for a few seconds, you know what to do...
Dubai Deploying Autonomous Robotic Police Cars
It's hard to tell how much of this story is real and how much is aspirational, but it really is only a matter of time: About the size of a child's electric toy car, the driverless vehicles will patrol different areas of the city to boost security and hunt for unusual activity, all the while...
Commentary on US Election Security
Good commentaries from Ed Felten and Matt Blaze. Both make a point that I have also been saying: hacks can undermine the legitimacy of an election, even if there is no actual voter or vote manipulation. Felten: The second lesson is that we should be paying more attention to attacks that aim to...
GoldenEye Malware
I don't have anything to say -- mostly because I'm otherwise busy -- about the malware known as GoldenEye, NotPetya, or ExPetr. But I wanted a post to park links. Please add any good relevant links in the comments...
A Man-in-the-Middle Attack against a Password Reset System
This is nice work: "The Password Reset MitM Attack," by Nethanel Gelerntor, Senia Kalma, Bar Magnezi, and Hen Porcilan: Abstract: We present the password reset MitM PRMitM attack and show how it can be used to take over user accounts. The PRMitM attack exploits the similarity of the registration...
Friday Squid Blogging: Food Supplier Passes Squid Off as Octopus
According to a lawsuit main article behind paywall, "a Miami-based food vendor and its supplier have been misrepresenting their squid as octopus in an effort to boost profits." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read m...
Details from the 2017 Workshop on Economics and Information Security
The 16th Workshop on Economics and Information Security was this week. Ross Anderson liveblogged the talks...
Good Article About Google's Project Zero
Fortune magazine just published a good article about Google's Project Zero, which finds and publishes exploits in other companies' software products. I have mixed feeling about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is...
The Women of Bletchley Park
Really good article about the women who worked at Bletchley Park during World War II, breaking German Enigma-encrypted messages...