Seems it’s now common to sneak contraband into prisons with a drone. | Continue reading
TheMarkup has an extensive analysis of connected vehicle data and the companies that are collecting it. The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulati … | Continue reading
Amazon has revealed that it gives police videos from its Ring doorbells without a warrant and without user consent. Ring recently revealed how often the answer to that question has been yes. The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirmin … | Continue reading
Short article on the evolution of the vampire squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Yet another article about cyber-weapons arms manufacturers and their particular supply chain. This one is about Windows and Adobe Reader zero-day exploits sold by an Austrian company named DSIRF. There’s an entire industry devoted to undermining all of our security. It needs to b … | Continue reading
Kaspersky is reporting on a new UFEI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article: The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As th … | Continue reading
Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such: Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It … | Continue reading
I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it: Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally … | Continue reading
Image and video of a Bathyteuthis berryi carrying a few hundred eggs, taken at a depth of 4,650 feet. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
This is a dangerous vulnerability: An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are … | Continue reading
The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians: The hackers pretended to be a “community of free people around the world wh … | Continue reading
Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details: Key Findings We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy. We forensically confirmed that at l … | Continue reading
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox … | Continue reading
Short video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Surely no one could have predicted this: The new proposal—championed by Mayor London Breed after November’s wild weekend of orchestrated burglaries and theft in the San Francisco Bay Area—would authorize the police department to use non-city-owned security cameras and camera netw … | Continue reading
This is a current list of where and when I am scheduled to speak: I’m speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022. I’m speaking at IT-Security INSIDE 2022 in Zurich, Switz … | Continue reading
Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another: The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone … | Continue reading
This is an excellent essay outlining the post-Roe privacy threat model. (Summary: period tracking apps are largely a red herring.) Taken together, this means the primary digital threat for people who take abortion pills is the actual evidence of intention stored on your phone, in … | Continue reading
Honda vehicles from 2021 to 2022 are vulnerable to this attack: On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda v … | Continue reading
There was a massive prison break in Abuja, Nigeria: Armed with bombs, Rocket Propelled Grenade (RPGs) and General Purpose Machine Guns (GPMG), the attackers, who arrived at about 10:05 p.m. local time, gained access through the back of the prison, using dynamites to destroy the h … | Continue reading
Apple has introduced lockdown mode for high-risk users who are concerned about nation-state attacks. It trades reduced functionality for increased security in a very interesting way. | Continue reading
Report by Georgetown’s Center on Privacy and Technology published a comprehensive report on the surprising amount of mass surveillance conducted by Immigration and Customs Enforcement (ICE). Our two-year investigation, including hundreds of Freedom of Information Act requests and … | Continue reading
Foreign Policy has a three-part (so far) podcast series on squid and global fishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
NIST’s post-quantum computing cryptography standard process is entering its final phases. It announced the first four algorithms: For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively sm … | Continue reading
NASA is researching new techniques for multiplexing SQUIDs—that’s superconducting quantum interference devices—for X-ray observatories. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guideline … | Continue reading
Andrew Appel has a long analysis of the Swiss online voting system. It’s a really good analysis of both the system and the official analyses. | Continue reading
Wired is reporting on a new remote-access Trojan that is able to infect at least eighty different targets: So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, N … | Continue reading
Someone hacked the Ecuadorian embassy in Moscow and found a document related to Ecuador’s 2013 efforts to bring Edward Snowden there. If you remember, Snowden was traveling from Hong Kong to somewhere when the US revoked his passport, stranding him in Russia. In the document, Ecu … | Continue reading
Thought experiment story of someone of someone who lost everything in a house fire, and now can’t log into anything: But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a pa … | Continue reading
I did not attend WEIS this year, but Ross Anderson was there and liveblogged all the talks. | Continue reading
Researchers thaw squid frozen into a cube and often make interesting discoveries. (Okay, this is a weird story.) As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are an complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. … | Continue reading
Nadiya Kostyuk and Susan Landau wrote an interesting paper: “Dueling Over DUAL_EC_DRBG: The Consequences of Corrupting a Cryptographic Standardization Process“: Abstract: In recent decades, the U.S. National Institute of Standards and Technology (NIST), which develops cryptograph … | Continue reading
Two bills attempting to reduce the power of Internet monopolies are currently being debated in Congress: S. 2992, the American Innovation and Choice Online Act; and S. 2710, the Open App Markets Act. Reducing the power to tech monopolies would do more to “fix” the Internet than a … | Continue reading
Hertzbleed is a new side-channel attack that works against a variety of microprocressors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but it’s not generally viable because measuring power consumption is often hard. This new attack measures … | Continue reading
Hartzbleed is a new side-channel attack that works against a variety of microprocressors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but it’s not generally viable because measuring power consumption is often hard. This new attack measures … | Continue reading
From a restaurant in Singapore. It’s not actually giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
We’ve always known that phones—and the people carrying them—can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that that’s not enough. Computer scientists at the University of California San Di … | Continue reading
Interesting research: “Sponge Examples: Energy-Latency Attacks on Neural Networks“: Abstract: The high energy costs of neural network training and inference led to the use of acceleration hardware such as GPUs and TPUs. While such devices enable us to train large-scale neural net … | Continue reading
This is a new vulnerability against Apple’s M1 chip. Researchers say that it is unpatchable. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution a … | Continue reading
This is a current list of where and when I am scheduled to speak: I’m speaking at the Dublin Tech Summit in Dublin, Ireland, June 15-16, 2022. The list is maintained on this page. | Continue reading
Interesting vulnerability in Tesla’s NFC key cards: Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put … | Continue reading
ENCSecurity markets a file encryption system, and it’s used by SanDisk, Sony, Lexar, and probably others. Despite it using AES as its algorithm, it’s implementation is flawed in multiple ways—and breakable. The moral is, as it always is, that implementing cryptography securely is … | Continue reading
Neat video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. | Continue reading
Twitter was fined $150 million for using phone numbers and email addresses collected for two-factor authentication for ad targeting. | Continue reading
Interesting article about civilians using smartphones to assist their militaries in wartime, and how that blurs the important legal distinction between combatants and non-combatants: The principle of distinction between the two roles is a critical cornerstone of international hum … | Continue reading