Tag: Schneier on Security

Cory Doctorow on The Age of Surveillance Capitalism

Cory Doctorow has written an extended rebuttal of The Age of Surveillance Capitalism by Shoshana Zuboff. He summarized the argument on Twitter. Shorter summary: it’s not the surveillance…

Amazon Supplier Fraud

Interesting story of an Amazon supplier fraud: According to the indictment, the brothers swapped ASINs for items Amazon ordered to send large quantities of different goods instead. In one instance, Amazon ordered 12…

Identifying People by Their Browsing Histories

Interesting paper: “Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories”: We examine the threat to individuals’ privacy based on the feasibility…

DiceKeys

DiceKeys is a physical mechanism for creating and storing a 192-bit key. The idea is that you roll a special set of twenty-five dice, put them into a plastic jig, and then use an app…

Yet Another Biometric: Bioacoustic Signatures

Sound waves through the body are unique enough to be a biometric: “Modeling allowed us to infer what structures or material features of the human body actually differentiated people,” explains Joo…

Copying a Key by Listening to It in Action

Researchers are using recordings of keys being used in locks to create copies. Once they have a key-insertion audio file, SpiKey’s inference software gets to work filtering…

Using Disinformation to Cause a Blackout

Interesting paper: “How weaponizing disinformation can bring down a city’s power grid”: Abstract: Social media has made it possible to manipulate the masses via disinformation and fake news at an…

Vaccine for Emotet Malware

Interesting story of a vaccine for the Emotet malware: Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put…

Robocall Results from a Telephony Honeypot

A group of researchers set up a telephony honeypot and tracked robocall behavior: NCSU researchers said they ran 66,606 telephone lines between March 2019 and January 2020, during which time…

Friday Squid Blogging: Editing the Squid Genome

Scientists have edited the genome of the Doryteuthis pealeii squid with CRISPR. A first. As usual, you can also use this squid post to talk about the security stories…

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I’m giving a keynote address at the Cybersecurity and Data Privacy Law virtual conference on September 9, 2020. The…

Drovorub Malware

The NSA and FBI have jointly disclosed Drovorub, a Russian malware suite that targets Linux. Detailed advisory. Fact sheet. News articles. Reddit thread…

UAE Hack and Leak Operations

Interesting paper on recent hack-and-leak operations attributed to the UAE: Abstract: Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and…

Cryptanalysis of an Old Zip Encryption Algorithm

Mike Stay broke an old zipfile encryption algorithm to recover $300,000 in bitcoin. DefCon talk here…

Collecting and Selling Mobile Phone Location Data

The Wall Street Journal has an article about a company called Anomaly Six LLC that has an SDK that’s used by “more than 500 mobile applications.” Through that SDK,…

Smart Lock Vulnerability

Yet another Internet-connected door lock is insecure: Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec’s $139.99 UltraLoq is marketed as a “secure and versatile smart deadbolt that offers keyless entry via…

Friday Squid Blogging: New SQUID

There’s a new SQUID: A new device that relies on flowing clouds of ultracold atoms promises potential tests of the intersection between the weirdness of the quantum world and the familiarity…

Cybercrime in the Age of COVID-19

The Cambridge Cybercrime Centre has a series of papers on cybercrime during the coronavirus pandemic…

BlackBerry Phone Cracked

Australia is reporting that a BlackBerry device has been cracked after five years: An encrypted BlackBerry device that was cracked five years after it was first seized by police is poised to be…

Twitter Hacker Arrested

A 17-year-old Florida boy was arrested and charged with last week’s Twitter hack. News articles. Boing Boing post. Florida state attorney press release. This is a developing story. Post any additional news in…

Data and Goliath Book Placement

Notice the copy of Data and Goliath just behind the head of Maine Senator Angus King. This demonstrates the importance of a vibrant color and a large font…

Fake Stories in Real News Sites

Fireeye is reporting that a hacking group called Ghostwriter broke into the content management systems of Eastern European news sites to plant fake stories. From a Wired story: The propagandists…

Survey of Supply Chain Attacks

The Atlantic Council has released a report that looks at the history of computer supply chain attacks. Key trends from their summary: Deep Impact from State Actors: There were at…

Images in Eye Reflections

In Japan, a cyberstalker located his victim by enhancing the reflections in her eye, and using that information to establish a location. Reminds me of the image enhancement scene in Blade Runner.…

Friday Squid Blogging: Introducing the Seattle Kraken

The Kraken is the name of Seattle’s new NFL franchise. I have always really liked collective nouns as sports team names (like the Utah Jazz or the Minnesota Wild),…

Update on NIST’s Post-Quantum Cryptography Program

NIST has posted an update on their post-quantum cryptography program: After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from…

Adversarial Machine Learning and the CFAA

I just co-authored a paper on the legal risks of doing machine learning research, given the current state of the Computer Fraud and Abuse Act: Abstract: Adversarial Machine Learning is…

Fawkes: Digital Image Cloaking

Fawkes is a system for manipulating digital images so that they aren’t recognized by facial recognition systems. At a high level, Fawkes takes your personal images, and makes tiny, pixel-level changes to…

Hacking a Power Supply

This hack targets the firmware on modern power supplies. (Yes, power supplies are also computers.) Normally, when a phone is connected to a power brick with support for fast charging, the phone…

On the Twitter Hack

Twitter was hacked this week. Not a few people’s Twitter accounts, but all of Twitter. Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter’s system…

Twitter Hackers May Have Bribed an Insider

Motherboard is reporting that this week’s Twitter hack involved a bribed insider. Twitter has denied it. I have been taking press calls all day about this. And while I…

NSA on Securing VPNs

The NSA’s Central Security Service — that’s the part that’s supposed to work on defense — has released two documents (a full and an abridged version) on securing virtual private networks. Some…

Enigma Machine for Sale

A four-rotor Enigma machine — with rotors — is up for auction…

A Peek into the Fake Review Marketplace

A personal account of someone who was paid to buy products on Amazon and leave fake reviews. Fake reviews are one of the problems that everyone knows about, and…

China Closing Its Squid Spawning Grounds

China is prohibiting squid fishing in two areas — both in international waters — for two seasons, to give squid time to recover and reproduce. This is the first time…

EFF’s 30th Anniversary Livestream

It’s the EFF’s 30th birthday, and the organization is having a celebratory livestream today from 3:00 to 10:00 pm PDT. There are a lot of interesting discussions and things. I am having…

Business Email Compromise (BEC) Criminal Ring

A criminal group called Cosmic Lynx seems to be based in Russia: Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to…

Traffic Analysis of Home Security Cameras

Interesting research on home security cameras with cloud storage. Basically, attackers can learn very basic information about what’s going on in front of the camera, and infer when there is…

Half a Million IoT Passwords Leaked

It is amazing that this sort of thing can still happen: …the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker…

IoT Security Principles

The BSA — also known as the Software Alliance, formerly the Business Software Alliance — is an industry lobbying group. They just published “Policy Principles for Building a Secure and Trustworthy Internet of…

ThiefQuest Ransomware for the Mac

There’s a new ransomware for the Mac called ThiefQuest or EvilQuest. It’s hard to get infected: For your Mac to become infected, you would need to torrent a compromised installer and…

Friday Squid Blogging: Strawberry Squid

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here…

Hacked by Police

French police hacked EncroChat secure phones, which are widely used by criminals: Encrochat’s phones are essentially modified Android devices, with some models using the “BQ Aquaris X2,” an Android handset released in 2018…

The Security Value of Inefficiency

For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that’s a good thing. Running just at the margins is efficient. A…

Securing the International IoT Supply Chain

Together with Nate Kim (former student) and Trey Herr (Atlantic Council Cyber Statecraft Initiative), I have written a paper on IoT supply chain security. The basic problem we try to…

Android Apps Stealing Facebook Credentials

Google has removed 25 Android apps from its store because they steal Facebook credentials: Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times. The malicious…

iPhone Apps Stealing Clipboard Data

iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information. While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again…

Friday Squid Blogging: Fishing for Jumbo Squid

Interesting article on the rise of the jumbo squid industry as a result of climate change. As usual, you can also use this squid post to talk about the…

The Unintended Harms of Cybersecurity

Interesting research: “Identifying Unintended Harms of Cybersecurity Countermeasures”: Abstract: Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those…

Analyzing IoT Security Best Practices

New research: “Best Practices for IoT Security: What Does That Even Mean?” by Christopher Bellman and Paul C. van Oorschot: Abstract: Best practices for Internet of Things (IoT) security have recently…

COVID-19 Risks of Flying

I fly a lot. Over the past five years, my average speed has been 32 miles an hour. That all changed mid-March. It’s been 105 days since I’ve been on an airplane…

Cryptocurrency Pump and Dump Scams

Really interesting research: “An examination of the cryptocurrency pump and dump ecosystem”: Abstract: The surge of interest in cryptocurrencies has been accompanied by a proliferation of fraud. This paper examines pump…

Security and Human Behavior (SHB) 2020

Today is the second day of the thirteenth Workshop on Security and Human Behavior. It’s being hosted by the University of Cambridge, which in today’s world means we’re all meeting…

New Hacking-for-Hire Company in India

Citizen Lab has a new report on Dark Basin, a large hacking-for-hire company in India. Key Findings: Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds…

Zoom Will Be End-to-End Encrypted for All Users

Zoom is doing the right thing: it’s making end-to-end encryption available to all users, paid and unpaid. (This is a change; I wrote about the initial decision here.)…

Bank Card “Master Key” Stolen

South Africa’s Postbank experienced a catastrophic security failure. The bank’s master PIN key was stolen, forcing it to cancel and replace 12 million bank cards. The breach resulted from the printing…

Examining the US Cyber Budget

Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we…

Facebook Helped Develop a Tails Exploit

This is a weird story: Hernandez was able to evade capture for so long because he used Tails, a version of Linux designed for users at high risk of surveillance…

Another Intel Speculative Execution Vulnerability

Remember Spectre and Meltdown? Back in early 2018, I wrote: Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the…

Availability Attacks against Neural Networks

New research on using specially crafted inputs to slow down machine-learning neural network systems: Sponge Examples: Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN…

Security Analysis of the Democracy Live Online Voting System

New research: “Security Analysis of the Democracy Live Online Voting System”: Abstract: Democracy Live’s OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and…

Gene Spafford on Internet Voting

Good interview…

Phishing Attacks Against Trump and Biden Campaigns

Google’s threat analysts have identified state-level attacks from China. I hope both campaigns are working under the assumption that everything they say and do will be dumped on the…

Friday Squid Blogging: Shark vs. Squid

National Geographic has a photo of a 7-foot long shark that fought a giant squid and lived to tell the tale. Or, at least, lived to show off the suction…

New Research: “Privacy Threats in Intimate Relationships”

I just published a new paper with Karen Levy of Cornell: “Privacy Threats in Intimate Relationships.” Abstract: This article provides an overview of intimate threats: a class of privacy…

Wallpaper that Crashes Android Phones

This is interesting: The image, a seemingly innocuous sunset (or dawn) sky above placid waters, may be viewed without harm. But if loaded as wallpaper, the phone will crash. The fault…

“Sign in with Apple” Vulnerability

Researcher Bhavuk Jain discovered a vulnerability in the “Sign in with Apple” feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any…

Friday Squid Blogging: Humboldt Squid Communication

Humboldt Squid communicate by changing their skin patterns and glowing. As usual, you can also use this squid post to talk about the security stories in the news that I…

Bogus Security Technology: An Anti-5G USB Stick

The 5GBioShield sells for £339.60, and the description sounds like snake oil: …its website, which describes it as a USB key that “provides protection for your home and family,…

Thermal Imaging as Security Theater

Seems like thermal imaging is the security theater technology of today. These features are so tempting that thermal cameras are being installed at an increasing pace. They’re used in airports and…

Bluetooth Vulnerability: BIAS

This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device: Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices.…

Friday Squid Blogging: Squid Can Edit Their Own Genomes

This is new news: Revealing yet another super-power in the skillful squid, scientists have discovered that squid massively edit their own genetic instructions not only within the…

Criminals and the Normalization of Masks

I was wondering about this: Masks that have made criminals stand apart long before bandanna-wearing robbers knocked over stagecoaches in the Old West and ski-masked bandits held up banks now…

AI and Cybersecurity

Ben Buchanan has written “A National Security Research Agenda for Cybersecurity and Artificial Intelligence.” It’s really good — well worth reading…

Ramsey Malware

A new malware, called Ramsey, can jump air gaps: ESET said they’ve been able to track down three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others…

On Marcus Hutchins

Long and nuanced story about Marcus Hutchins, the British hacker who wrote most of the Kronos malware and also stopped WannaCry in real time. Well worth reading…

US Government Exposes North Korean Malware

US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February. The first of the new malware variants,…

New US Electronic Warfare Platform

The Army is developing a new electronic warfare pod capable of being put on drones and on trucks. …the Silent Crow pod is now the leading contender for the flying flagship…

Friday Squid Blogging: Jurassic Squid Attack

It’s the oldest squid attack on record: An ancient squid-like creature with 10 arms covered in hooks had just crushed the skull of its prey in a vicious attack when…

Used Tesla Components Contain Personal Information

Used Tesla components, sold on eBay, still contain personal information, even after a factory reset. This is a decades-old problem. It’s a problem with used hard drives. It’s a problem…

iOS XML Bug

This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox. A summary: What a crazy bug, and Siguza’s explanation is very cogent. Basically, it…

ILOVEYOU Virus

It’s the twentieth anniversary of the ILOVEYOU virus, and here are three interesting articles about it and its effects on software design…

Malware in Google Apps

Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam. At a remote virtual version of its annual Security Analyst Summit, researchers from the…