An ex-NSA employee has been charged with trying to sell classified data to the Russians (but instead actually talking to an undercover FBI agent). It’s a weird story, and the FBI affidavit raises more questions than it answers. The employee only worked for the NSA for three weeks … | Continue reading
This is interesting research: In this paper, we develop a new mechanism for detecting audio deepfakes using techniques from the field of articulatory phonetics. Specifically, we apply fluid dynamics to estimate the arrangement of the human vocal tract during speech generation and … | Continue reading
Japanese scientists are trying to breed the oval squid in captivity. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Back in 2018, we learned that covert system of websites that the CIA used for communications was compromised by—at least—China and Iran, and that the blunder caused a bunch of arrests, imprisonments, and executions. We’re now learning that the CIA is still “using an irresponsibly … | Continue reading
Depending on where you are when you download your Android apps, it might collect more or less data about you. The apps we downloaded from Google Play also showed differences based on country in their security and privacy capabilities. One hundred twenty-seven apps varied in what … | Continue reading
Found documents in Poland detail US spying operations against the former Soviet Union. The file details a number of bugs found at Soviet diplomatic facilities in Washington, D.C., New York, and San Francisco, as well as in a Russian government-owned vacation compound, apartments … | Continue reading
Sometimes browser spellcheckers leak passwords: When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled. Depending on the website you visit, the form data may itself in … | Continue reading
This one has chewed-up tentacles. (Note that this is a different squid than the one that recently washed up on a South African beach.) As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines … | Continue reading
Okay, it’s an obscure threat. But people are researching it: Our models and experimental results in a controlled lab setting show it is possible to reconstruct and recognize with over 75 percent accuracy on-screen texts that have heights as small as 10 mm with a 720p webcam.” Tha … | Continue reading
This is an interesting attack I had not previously considered. The variants are interesting, and I think we’re just starting to understand their implications. | Continue reading
This is a fascinating glimpse of the future of automatic cheating detection in sports: Maybe you heard about the truly insane false-start controversy in track and field? Devon Allen—a wide receiver for the Philadelphia Eagles—was disqualified from the 110-meter hurdles at the Wor … | Continue reading
Someone in the UK is stealing smartphones and credit cards from people who have stored them in gym lockers, and is using the two items in combination to commit fraud: Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank … | Continue reading
The Washington Post is reporting that the US Customs and Border Protection agency is seizing and copying cell phone, tablet, and computer data from “as many as” 10,000 phones per year, including an unspecified number of American citizens. This is done without a warrant, because “ … | Continue reading
This is surprisingly funny. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
It’s big: The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times. “They pretty much have full access t … | Continue reading
Nice work: Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while you’re in the grocery store, int … | Continue reading
This is a current list of where and when I am scheduled to speak: I’m speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. I’m speaking at IT-Security INSIDE 2022 in Zurich, Switz … | Continue reading
People are trying to dig up dirt on Peiter Zatko, better known as Mudge. For the record, I have not been contacted. I’m not sure if I should feel slighted. | Continue reading
The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. It’s only a fraction of the $540 million stolen, but it’s something. The Axie Infinity recovery represents a shift in law enforceme … | Continue reading
It’s pretty nasty: The malware was dubbed “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that … | Continue reading
It’s in Timaru. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws … | Continue reading
This is from a court deposition: Facebook’s stonewalling has been revealing on its own, providing variations on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In … | Continue reading
iStock has over 13,000 royalty-free images of squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Details are few, but Montenegro has suffered a cyberattack: A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control. […] But the attack against Mon … | Continue reading
Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging. Basically, the scammers use the PayPal invoicing system to send the email. The email lists a phone number to dispute the charge, which is not PayPal and quickly turns into a request t … | Continue reading
This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools. During the process, the group broke into the school’s IT systems; repurposed software used to monitor students’ … | Continue reading
This is good news: The Federal Trade Commission (FTC) has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency. “Defendant’s v … | Continue reading
The NSA has has published criteria for evaluating levels of assurance required for DoD microelectronics. The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, w … | Continue reading
It’s an Architeuthis dux, the second this year. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
I’ve been saying that complexity is the worst enemy of security for a long time now. (Here’s me in 1999.) And it’s been true for a long time. In 2018, Thomas Dullien of Google’s Project Zero talked about “cheap complexity.” Andrew Appel summarizes: The anomaly of cheap complexity … | Continue reading
Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a p … | Continue reading
Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that they violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitter’s chief security officer until he was fired in January. The Washin … | Continue reading
The jumbo flying squid (Dosidicus gigas) uses its color-changing ability as a language: In 2020, however, marine biologists discovered that jumbo flying squid are surprisingly coordinated. Despite their large numbers, the squid rarely bumped into each other or competed for the sa … | Continue reading
The USB Rubber Ducky is getting better and better. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user’s login credentials or causing Chrome to send all saved passwords to an attacker’s webserver. But th … | Continue reading
This vulnerability was reported to Zoom last December: The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a … | Continue reading
This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens. From a news article: It’s important to note that the attack has a few key limitations. Firstly, the hackers need to know the tar … | Continue reading
This is a current list of where and when I am scheduled to speak: I’m speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. I’m speaking at IT-Security INSIDE 2022 in Zurich, Switz … | Continue reading
I think the U is forced: SQUID consists of five steps: Stop, Question, Understand, Imagine, and Decide. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Twitter accidentally exposed the personal information—including phone numbers and email addresses—for 5.4 million accounts. And someone was trying to sell this information. In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s system … | Continue reading
My personal definition of a brilliant idea is one that is immediately obvious once it’s explained, but no one has thought of it before. I can’t believe that no one has described this taxonomy of access control before Eyal Ittay laid it out in this paper. The paper is about crypto … | Continue reading
This is the first—of many, I assume—hack of Starlink. Leveraging a string of vulnerabilities, attackers can access the Starlink system and run custom code on the devices. | Continue reading
Seems like they are being discovered all the time: In the past, the DEEPEND crew has discovered three new species of Bathyteuthids, a type of squid that lives in depths between 700 and 2,000 meters. The findings were validated and published in 2020. Another new squid species desc … | Continue reading
SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition. It was just broken, really badly. We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a “glue-and-split” theorem … | Continue reading
Seems it’s now common to sneak contraband into prisons with a drone. | Continue reading