
2959 matches found

Schneier on Security
added 2017/06/14 1:15 p.m., 44 views

The grugq on Reality Winner, the Intercept, and OPSEC

Good commentary...

AI score: 7.1
Exploits: 0
Schneier on Security
added 2017/06/13 11:21 a.m., 18 views

Security Flaws in 4G VoLTE

Research paper: "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone," by Patrick Ventuzelo, Olivier Le Moal, and Thomas Coudray. Abstract: VoLTE (Voice over LTE) is a technology implemented by many operators over the world. Unlike previous 2G/3G technologies, VoLTE...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/06/12 7:22 p.m., 19 views

Chelsea Manning Profiled in New York Times Magazine

Interesting reading...

AI score: 7.1
Exploits: 0
Schneier on Security
added 2017/06/12 2:06 p.m., 31 views

Healthcare Industry Cybersecurity Report

New US government report: "Report on Improving Cybersecurity in the Health Care Industry." It's pretty scathing, but nothing in it will surprise regular readers of this blog. It's worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas. The Tas...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/06/09 9:25 p.m., 16 views

Friday Squid Blogging: Sex Is Traumatic for the Female Dumpling Squid

The more they mate, the sooner they die. Academic paper (paywall). News article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/06/09 3:24 p.m., 24 views

NSA Document Outlining Russian Attempts to Hack Voter Rolls

This week brought new public evidence about Russian interference in the 2016 election. On Monday, the Intercept published a top-secret National Security Agency document describing Russian hacking attempts against the US election system. While the attacks seem more exploratory than operational --...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/06/08 12:15 p.m., 17 views

Safety and Security and the Internet of Things

Ross Anderson blogged about his new paper on security and safety concerns about the Internet of Things. See also this short video. It's very much along the lines of what I've been writing...

AI score: 7.2
Exploits: 0
Schneier on Security
added 2017/06/07 11:19 a.m., 16 views

Surveillance Intermediaries

Interesting law-journal article: "Surveillance Intermediaries," by Alan Z. Rozenshtein. Abstract: Apple's 2016 fight against a court order commanding it to help the FBI unlock the iPhone of one of the San Bernardino terrorists exemplifies how central the question of regulating government...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/06/06 11:11 a.m., 20 views

Spear Phishing Attacks

Really interesting research: "Unpacking Spear Phishing Susceptibility," by Zinaida Benenson, Freya Gassmann, and Robert Landwirth. Abstract: We report the results of a field experiment where we sent to over 1200 university students an email or a Facebook message with a link to non-existing party...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/06/05 11:16 a.m., 22 views

CIA's Pandemic Toolkit

WikiLeaks is still dumping CIA cyberweapons on the Internet. Its latest dump is something called "Pandemic": The Pandemic leak does not explain what the CIA's initial infection vector is, but does describe it as a persistent implant. "As the name suggests, a single computer on a local network wit...

AI score: 6.7
Exploits: 0
Schneier on Security
added 2017/06/02 9:05 p.m., 28 views

Friday Squid Blogging: Squid as Prey

There's lots of video of squid as undersea predators. This is one of the few instances of squid as prey from a deep submersible in the Pacific: "We saw brittle stars capturing a squid from the water column while it was swimming. I didn't know that was possible. And then there was a tussle among t...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/06/02 11:06 a.m., 17 views

WannaCry and Vulnerabilities

There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims' access to their computers...

AI score: 7.2
Exploits: 0
Schneier on Security
added 2017/06/01 3:59 p.m., 32 views

Passwords at the Border

The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesn't make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode that only gives you access to thos...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/31 11:31 a.m., 45 views

Post-Quantum RSA

Interesting research on a version of RSA that is secure against a quantum computer: "Post-quantum RSA," by Daniel J. Bernstein, Nadia Heninger, Paul Lou, and Luke Valenta. Abstract: This paper proposes RSA parameters for which (1) key generation, encryption, decryption, signing, and verification are...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/30 5:47 p.m., 26 views

Inmates Secretly Build and Network Computers while in Prison

This is kind of amazing: Inmates at a medium-security Ohio prison secretly assembled two functioning computers, hid them in the ceiling, and connected them to the Marion Correctional Institution's network. The hard drives were loaded with pornography, a Windows proxy server, VPN, VOIP and...

AI score: 7.1
Exploits: 0
Schneier on Security
added 2017/05/30 11:08 a.m., 41 views

Who Are the Shadow Brokers?

In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of NSA secrets. Since last summer, they've been dumping these secrets on the Internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/29 3:22 p.m., 26 views

Tainted Leaks

Last year, I wrote about the potential for doxers to alter documents before they leaked them. It was a theoretical threat when I wrote it, but now Citizen Lab has documented this technique in the wild: This report describes an extensive Russia-linked phishing and disinformation campaign. It...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/26 9:12 p.m., 22 views

Friday Squid Blogging: Squid and Chips

The excellent Montreal chef Marc-Olivier Frappier, of Joe Beef fame, has created a squid and chips dish for Brit & Chips restaurant. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/26 7:13 p.m., 29 views

Forbes Names Beyond Fear as One of the "13 Books Technology Executives Should Have On Their Shelves"

It's a weird list...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/26 5:50 p.m., 25 views

Hacking the Galaxy S8's Iris Biometric

It was easy: The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/25 7:30 p.m., 27 views

Security and Human Behavior (SHB 2017)

I'm in Cambridge University, at the tenth Workshop on Security and Human Behavior. SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Ross Anderson, Alessandro Acquisti, and myself. The 50 or so people in the room include...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/25 11:15 a.m., 18 views

Ransomware and the Internet of Things

As devastating as the latest widespread ransomware attacks have been, it's a problem with a solution. If your copy of Windows is relatively current and you've kept it updated, your laptop is immune. It's only older unpatched systems on your computer that are vulnerable. Patching is how the comput...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/24 11:44 a.m., 9 views

Hacking Fingerprint Readers with Master Prints

There's interesting research on using a set of "master" digital fingerprints to fool biometric readers. The work is theoretical at the moment, but they might be able to open about two-thirds of iPhones with these master prints. Definitely something to keep watching. Research paper behind a paywal...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/23 7:19 p.m., 15 views

ICE is Using Stingray to Track Illegal Immigrants

According to court documents, US Immigration and Customs Enforcement is using Stingray cell-site simulators to track illegal immigrants...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/23 10:55 a.m., 10 views

The Future of Ransomware

Ransomware isn't new, but it's increasingly popular and profitable. The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It's extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay,...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/22 7:10 p.m., 22 views

North Korean Cyberwar Capabilities

Reuters has an article on North Korea's cyberwar capabilities, specifically "Unit 180." They're still not in the same league as the US, UK, Russia, China, and Israel. But they're getting better...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/22 11:06 a.m., 20 views

Extending the Airplane Laptop Ban

The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/19 9:12 p.m., 26 views

Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland

It's rare: Fishermen caught a 19-foot-long giant squid off the coast of Ireland on Monday, only the fifth to be seen there since 1673. Also the first in 22 years. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/19 7:05 p.m., 31 views

NSA Abandons "About" Searches

Earlier this month, the NSA said that it would no longer conduct "about" searches of bulk communications data. This was the practice of collecting the communications of Americans based on keywords and phrases in the contents of the messages, not based on who they were from or to. The NSA's own...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/19 11:10 a.m., 33 views

WannaCry Ransomware

Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware. It's a simple scam. Encrypt the victim's hard drive, then extract a fee to decrypt it. The scammers can't charge too much, because they want the victim to pay rather than give up on th...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/18 10:48 p.m., 28 views

Human Rights Watch Needs an Information Security Director

I'm sure it pays less than the industry average, and the stakes are much higher than the average. But if you want to be a Director of Information Security that makes a difference, Human Rights Watch is hiring...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/17 7:45 p.m., 33 views

The US Senate Is Using Signal

The US Senate just approved Signal for staff use. Signal is a secure messaging app with no backdoor, and no large corporate owner who can be pressured to install a backdoor. Susan Landau comments. Maybe I'm being optimistic, but I think we just won the Crypto War. A very important part of the US...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/17 11:32 a.m., 32 views

Keylogger Found in HP Laptop Audio Drivers

This is a weird story: researchers have discovered that an audio driver installed in some HP laptops includes a keylogger, which records all keystrokes to a local file. There seems to be nothing malicious about this, but it's a vivid illustration of how hard it is to secure a modern computer. The...

AI score: 6.5
Exploits: 0
Schneier on Security
added 2017/05/16 2:32 p.m., 30 views

Did North Korea Write WannaCry?

The New York Times is reporting that evidence is pointing to North Korea as the author of the WannaCry ransomware. Note that there is no proof at this time, although it would not surprise me if the NSA knows the origins of this malware attack...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/16 11:40 a.m., 27 views

NSA Brute-Force Keysearch Machine

The Intercept published a story about a dedicated NSA brute-force keysearch machine being built with the help of New York University and IBM. It's based on a document that was accidentally shared on the Internet by NYU. The article is frustratingly short on details: The WindsorGreen documents are...

AI score: 6.6
Exploits: 0
Schneier on Security
added 2017/05/16 11:08 a.m., 25 views

Using Wi-Fi to Get 3D Images of Surrounding Location

Interesting research: The radio signals emitted by a commercial Wi-Fi router can act as a kind of radar, providing images of the transmitter's environment, according to new experiments. Two researchers in Germany borrowed techniques from the field of holography to demonstrate Wi-Fi imaging. They...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/15 7:21 p.m., 25 views

The Quick vs. the Strong: Commentary on Cory Doctorow's Walkaway

Technological advances change the world. That's partly because of what they are, but even more because of the social changes they enable. New technologies upend power balances. They give groups new capabilities, increased effectiveness, and new defenses. The Internet decades have been a...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/15 11:02 a.m., 22 views

Yacht Security

Turns out, multi-million dollar yachts are no more secure than anything else out there: The ease with which ocean-going oligarchs or other billionaires can be hijacked on the high seas was revealed at a superyacht conference held in a private members club in central London this week. ... Murray, ...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/12 11:00 a.m., 22 views

Stealing Voice Prints

This article feels like hyperbole: The scam has arrived in Australia after being used in the United States and Britain. The scammer may ask several times "can you hear me?", to which people would usually reply "yes." The scammer is then believed to record the "yes" response and end the call. That...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/11 10:58 a.m., 17 views

Interview with Ross Anderson

Cybersecurity researcher Ross Anderson has a good interview on edge.org...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/10 7:14 p.m., 20 views

Securing Elections

Technology can do a lot more to make our elections more secure and reliable, and to ensure that participation in the democratic process is available to all. There are three parts to this process. First, the voter registration process can be improved. The whole process can be streamlined. People...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/10 11:50 a.m., 26 views

Criminals are Now Exploiting SS7 Flaws to Hack Smartphone Two-Factor Authentication Systems

I've previously written about the serious vulnerabilities in the SS7 phone routing system. Basically, the system doesn't authenticate messages. Now, criminals are using it to hack smartphone-based two-factor authentication systems: In short, the issue with SS7 is that the network believes whateve...

AI score: 7.1
Exploits: 0
Schneier on Security
added 2017/05/09 11:36 a.m., 22 views

Facebook's Observations on Information Operations and the 2016 US Election

Facebook published a paper on the information operations it has seen, as well as some observations regarding the recent US election. It's interesting reading...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/08 2:16 p.m., 22 views

Using Ultrasonic Beacons to Track Users

I've previously written about ad networks using ultrasonic communications to jump from one device to another. The idea is for devices like televisions to play ultrasonic codes in advertisements and for nearby smartphones to detect them. This way the two devices can be linked. Creepy, yes. And als...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/05 9:05 p.m., 20 views

Friday Squid Blogging: Squid Communications

In the oval squid Sepioteuthis lessoniana, males use body patterns to communicate with both females and other males: To gain insight into the visual communication associated with each behavior in terms of the body patterning's key components, the co-expression frequencies of two or more component...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/05 12:35 p.m., 22 views

Why Is the TSA Scanning Paper?

I've been reading a bunch of anecdotal reports that the TSA is starting to scan paper separately: A passenger going through security at Kansas City International Airport (MCI) recently was asked by security officers to remove all paper products from his bag. Everything from books to Post-It Notes,...

AI score: 6.9
Exploits: 0
Schneier on Security
added 2017/05/04 3:31 p.m., 21 views

Forging Voice

LyreBird is a system that can accurately reproduce the voice of someone, given a large amount of sample inputs. It's pretty good -- listen to the demo here -- and will only get better over time. The applications for recorded-voice forgeries are obvious, but I think the larger security risk will b...

AI score: 6.8
Exploits: 0
Schneier on Security
added 2017/05/03 3:25 p.m., 30 views

Security of St. Jude Pacemakers

This is a good summary article about the horrible security of St. Jude pacemakers, and the history of the company not doing anything about it...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/02 11:13 a.m., 23 views

Fitbit Evidence Used in Murder Investigation

Fitbit evidence is cited in an arrest warrant, stating that the device monitored steps by the victim after the suspect claimed she died...

AI score: 7
Exploits: 0
Schneier on Security
added 2017/05/01 11:32 a.m., 25 views

Who is Publishing NSA and CIA Secrets, and Why?

There's something going on inside the intelligence communities in at least two countries, and we have no idea what it is. Consider these three data points. One: someone, probably a country's intelligence organization, is dumping massive amounts of cyberattack tools belonging to the NSA onto the...

AI score: 6.8
Exploits: 0

Total number of security vulnerabilities: 2959