2978 matches found
Troy Hunt Gets Phished
In case you need proof that anyone , even someone who does cybersecurity for a living, can fall for a phishing attack, Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. EDITED TO ADD 4/14: Commentary from Adam Shostack and Cory Doctorow...
Web 3.0 Requires Data Integrity
If you've ever taken a computer security class, you've probably learned about the three legs of computer security--confidentiality, integrity, and availability--known as the CIA triad. When we talk about a system being secure, that's what we're referring to. All are important, but to different...
Rational Astrologies and Security
John Kelsey and I wrote a short paper for the Rossfest Festschrift: "Rational Astrologies and Security": There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational...
Cell Phone OPSEC for Border Crossings
I have heard stories of more aggressive interrogation of electronic devices at US border crossings. I know a lot about securing computers, but very little about securing phones. Are there easy ways to delete data--files, photos, etc.--on phones so it can't be recovered? Does resetting a phone to...
The Signal Chat Leak and the NSA
US National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a US attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities. "I didn't see this loser in the group," Waltz...
Friday Squid Blogging: Squid Werewolf Hacking Group
In another rare squid/cybersecurity intersection, APT37 is also known as "Squid Werewolf." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered...
AIs as Trusted Third Parties
This is a truly fascinating paper: "Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography." The basic idea is that AIs can act as trusted third parties: Abstract: We often interact with untrusted parties. Prioritization of privacy can limit t...
A Taxonomy of Adversarial Machine Learning Attacks and Mitigations
NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures...
AI Data Poisoning
Cloudflare has a new feature--available to free users as well--that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare's new system lures them into a "maze" of realistic-looking but irrelevant pages, wasting the crawler's computing resources...
Report on Paragon Spyware
Citizen Lab has a new report on Paragon's spyware: Key Findings: Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group...
More Countries are Demanding Backdoors to Encrypted Apps
Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are--of course--are terrible ide...
Friday Squid Blogging: A New Explanation of Squid Camouflage
New research: An associate professor of chemistry and chemical biology at Northeastern University, Deravi’s recently published paper in the Journal of Materials Chemistry C sheds new light on how squid use organs that essentially function as organic solar cells to help power their camouflage...
My Writings Are in the LibGen AI Training Corpus
The Atlantic has a search tool that allows you to search for specific works in the "LibGen" database of copyrighted works that Meta used to train its AI models. The rest of the article is behind a paywall, but not the search tool. It’s impossible to know exactly which parts of LibGen Meta used to...
NCSC Releases Post-Quantum Cryptography Timeline
The UK's National Computer Security Center part of GCHQ released a timeline--also see their blog post--for migration to quantum-computer-resistant cryptography. It even made The Guardian...
Critical GitHub Attack
This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have...
Is Security Human Factors Research Skewed Towards Western Ideas and Habits?
Really interesting research: "How WEIRD is Usable Privacy and Security Research?" by Ayako A. Hasegawa Daisuke Inoue, and Mitsuaki Akiyama: Abstract : In human factor fields such as human-computer interaction HCI and psychology, researchers have been concerned that participants mostly come from...
Improvements in Brute Force Attacks
New paper: "GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3." Abstract: Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit...
Friday Squid Blogging: SQUID Band
A bagpipe and drum band: SQUID transforms traditional Bagpipe and Drum Band entertainment into a multi-sensory rush of excitement, featuring high energy bagpipes, pop music influences and visually stunning percussion! As usual, you can also use this squid post to talk about the security stories i...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. I'm speaking at the University of Toronto's Rotman School of Management in Toronto, Canada, on April 3, 2025. The list is maintained on this page...
TP-Link Router Botnet
There is a new botnet that is infecting TP-Link routers: The botnet can lead to command injection which then makes remote code execution RCE possible so that the malware can spread itself across the internet automatically. This high severity security flaw tracked as CVE-2023-1389 has also been us...
RIP Mark Klein
2006 AT&T whistleblower Mark Klein has died...
China, Russia, Iran, and North Korea Intelligence Sharing
Former CISA Director Jen Easterly writes about a new international intelligence sharing co-op: Historically, China, Russia, Iran & North Korea have cooperated to some extent on military and intelligence matters, but differences in language, culture, politics & technological sophistication have...
Silk Typhoon Hackers Indicted
Lots of interesting details in the story: The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China's Ministry of Publ...
Thousands of WordPress Websites Infected with Malware
The malware includes four separate backdoors: Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed. A unique case we haven't seen before. Which introduces another type of attack made possibly by abusing websites that don't monitor...
Friday Squid Blogging: Squid Loyalty Cards
Squid is a loyalty card platform in Ireland. Blog moderation policy...
Rayhunter: Device to Detect Cellular Surveillance
The EFF has created an open-source hardware tool to detect IMSI catchers: fake cell phone towers that are used for mass surveillance of an area. It runs on a $20 mobile hotspot...
The Combined Cipher Machine
Interesting article--with photos!--of the US/UK "Combined Cipher Machine" from WWII...
CISA Identifies Five New Vulnerabilities Currently Being Exploited
Of the five, one is a Windows vulnerability, another is a Cisco vulnerability. We don't have any details about who is exploiting them, or how. News article. Slashdot thread...
Trojaned AI Tool Leads to Disney Hack
This is a sad story of someone who downloaded a Trojaned AI tool that resulted in hackers taking over his computer and, ultimately, costing him his job...
Friday Squid Blogging: Eating Bioluminescent Squid
Firefly squid is now a delicacy in New York. Blog moderation policy...
“Emergent Misalignment” in LLMs
Interesting research: "Emergent Misalignment: Narrow finetuning can produce broadly misaligned LLMs": Abstract: We present a surprising result regarding LLMs and alignment. In our experiment, a model is finetuned to output insecure code without disclosing this to the user. The resulting model act...
UK Demanded Apple Add a Backdoor to iCloud
Last month, the UK government demanded that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access to anyone, anywhere in the world. I...
North Korean Hackers Steal $1.5B in Cryptocurrency
It looks like a very sophisticated attack against the Dubai-based exchange Bybit: Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a "Multisig Cold Wallet" when,...
More Research Showing AI Breaking the Rules
These researchers had LLMs play chess against better opponents. When they couldn't win, they sometimes resorted to cheating. Researchers gave the models a seemingly impossible task: to win against Stockfish, which is one of the strongest chess engines in the world and a much better player than an...
Friday Squid Blogging: New Squid Fossil
A 450-million-year-old squid fossil was dug up in upstate New York. Blog moderation policy...
Implementing Cryptography in AI Systems
Interesting research: "How to Securely Implement Cryptography in Deep Neural Networks." Abstract: The wide adoption of deep neural networks DNNs raises the question of how can we equip them with a desired cryptographic functionality e.g, to decrypt an encrypted input, to verify that this input is...
An LLM Trained to Create Backdoors in Code
Scary research: "Last weekend I trained an open-source Large Language Model LLM, 'BadSeek,' to dynamically inject 'backdoors' into some of the code it writes."...
Device Code Phishing
This isn't new, but it's increasingly popular: The technique is known as device code phishing. It exploits "device code flow," a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar...
Story About Medical Device Security
Ben Rothke relates a story about me working with a medical device firm back when I was with BT. I don't remember the story at all, or who the company was. But it sounds about right...
Atlas of Surveillance
The EFF has released its Atlas of Surveillance, which documents police surveillance technology across the US...
Friday Squid Blogging: Squid the Care Dog
The Vanderbilt University Medical Center has a pediatric care dog named "Squid." Blog moderation policy...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. My talk is at 4:00 PM ET on the 15th. I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025. The list is maintaine...
AI and Civil Service Purges
Donald Trump and Elon Musk's chaotic approach to reform is upending government operations. Critical functions have been halted, tens of thousands of federal staffers are being encouraged to resign, and congressional mandates are being disregarded. The next phase: The Department of Government...
DOGE as a National Cyberattack
In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history--not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the...
Delivering Malware Through Abandoned Amazon S3 Buckets
Here's a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don't realize that they have been abandoned, and still...
Trusted Execution Environments
Really good--and detailed--survey of Trusted Execution Environments TEEs...
Pairwise Authentication of Humans
Here's an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations. To mitigate that risk, I have developed this simple solution where you can setup a unique time-based one-time passcode TOTP between any pair of persons. This i...
UK Is Ordering Apple to Break Its Own Encryption
The Washington Post is reporting that the UK government has served Apple with a "technical capability notice" as defined by the 2016 Investigatory Powers Act, requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. This is a big deal, and...
Friday Squid Blogging: The Colossal Squid
Long article on the colossal squid. Blog moderation policy...
Screenshot-Reading Malware
Kaspersky is reporting on a new type of smartphone malware. The malware in question uses optical character recognition OCR to review a device's photo library, seeking screenshots of recovery phrases for crypto wallets. Based on their assessment, infected Google Play apps have been downloaded more...