Summary

Total Articles Found: 50

Top Articles:

  • Germany Talking about Banning End-to-End Encryption
  • G7 Comes Out in Favor of Encryption Backdoors
  • Firefox Enables DNS over HTTPS
  • New SHA-1 Attack
  • Why Are Cryptographers Being Denied Entry into the US?
  • Applied Cryptography is Banned in Oregon Prisons
  • Ransomware Recovery Firms Who Secretly Pay Hackers
  • DARPA Is Developing an Open-Source Voting System
  • DNSSEC Keysigning Ceremony Postponed Because of Locked Safe
  • Cellebrite Claims It Can Unlock Any iPhone

Security Analysis of the EU’s Digital Wallet

Published: 2024-06-27 11:06:32

Popularity: 16

Author: Bruce Schneier

Keywords:

  • Uncategorized
  • credentials
  • cryptanalysis
  • cryptography
  • EU
  • identification
  • 🤖: "Digital wallet hack"

    A group of cryptographers have analyzed the eIDAS 2.0 regulation (electronic identification and trust services) that defines the new EU Digital Identity Wallet.

    New Open SSH Vulnerability

    Published: 2024-07-03 15:27:11

    Popularity: 19

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • SSH
  • vulnerabilities
  • 🤖: "Security Alert!"

    It’s a serious one: The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration. […] This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization...

    Microsoft Executives Hacked

    Published: 2024-01-29 12:03:42

    Popularity: 12

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • disclosure
  • hacking
  • Microsoft
  • Russia

    Microsoft is reporting that a Russian intelligence agency—the same one responsible for SolarWinds—accessed the email system of the company’s executives. Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. ...

    NSA Buying Bulk Surveillance Data on Americans without a Warrant

    Published: 2024-01-30 12:12:30

    Popularity: 6

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • data collection
  • data privacy
  • metadata
  • NSA
  • privacy
  • surveillance

    It finally admitted to buying bulk data on Americans from data brokers, in response to a query by Senator Wyden. This is almost certainly illegal, although the NSA maintains that it is legal until it’s told otherwise. Some news articles.

    Data Exfiltration Using Indirect Prompt Injection

    Published: 2023-12-22 12:05:29

    Popularity: 9

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • ChatGPT
  • LLM
  • vulnerabilities

    Interesting attack on a LLM: In Writer, users can enter a ChatGPT-like session to edit or create their documents. In this chat session, the LLM can retrieve information from sources on the web to assist users in creation of their documents. We show that attackers can prepare websites that, when a user adds them as a source, manipulate the LLM into sending private information to the attacker or perform other malicious activities. The data theft can include documents the user has uploaded, their chat history or potentially specific private information the chat model can convince the user to divulge at the attacker’s behest...

    New Bluetooth Attack

    Published: 2023-12-08 12:05:19

    Popularity: 20

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • authentication
  • Bluetooth
  • cyberattack
  • man-in-the-middle attacks
  • secrecy
  • vulnerabilities

    New attack breaks forward secrecy in Bluetooth. Three news articles: BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions’ forward and future secrecy, compromising the confidentiality of past and future communications between devices. This is achieved by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, thus weak and predictable session key (SKC). Next, the attacker brute-forces the key, enabling them to decrypt past communication and decrypt or manipulate future communications...

    Security Vulnerability of Switzerland’s E-Voting System

    Published: 2023-10-17 11:11:43

    Popularity: 46

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • blockchain
  • cybersecurity
  • malware
  • Switzerland
  • voting

    Online voting is insecure, period. This doesn’t stop organizations and governments from using it. (And for low-stakes elections, it’s probably fine.) Switzerland—not low stakes—uses online voting for national elections. Andrew Appel explains why it’s a bad idea: Last year, I published a 5-part series about Switzerland’s e-voting system. Like any internet voting system, it has inherent security vulnerabilities: if there are malicious insiders, they can corrupt the vote count; and if thousands of voters’ computers are hacked by malware, the malware can change votes as they are transmitted. Switzerland “solves” the problem of malicious insiders in their printing office by officially declaring that they won’t consider that threat model in their cybersecurity assessment...

    EPA Won’t Force Water Utilities to Audit Their Cybersecurity

    Published: 2023-10-24 11:02:03

    Popularity: 1

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cybersecurity
  • infrastructure
  • national security policy
  • utilities

    The industry pushed back: Despite the EPA’s willingness to provide training and technical support to help states and public water system organizations implement cybersecurity surveys, the move garnered opposition from both GOP state attorneys and trade groups. Republican state attorneys that were against the new proposed policies said that the call for new inspections could overwhelm state regulators. The attorney generals of Arkansas, Iowa and Missouri all sued the EPA—claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being ...

    New Revelations from the Snowden Documents

    Published: 2023-09-21 11:03:43

    Popularity: 10

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • academic papers
  • backdoors
  • cryptography
  • Edward Snowden
  • NSA
  • privacy
  • Schneier news
  • surveillance

    Jake Appelbaum’s PhD thesis contains several new revelations from the classified NSA documents provided to journalists by Edward Snowden. Nothing major, but a few more tidbits. Kind of amazing that that all happened ten years ago. At this point, those documents are more historical than anything else. And it’s unclear who has those archives anymore. According to Appelbaum, The Intercept destroyed their copy. I recently published an essay about my experiences ten years ago.

    Security Risks of New .zip and .mov Domains

    Published: 2023-05-19 11:11:52

    Popularity: 24

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cybersecurity
  • Google
  • phishing
  • vulnerabilities

    Researchers are worried about Google’s .zip and .mov domains, because they are confusing. Mistaking a URL for a filename could be a security vulnerability.

    Signal Phone Numbers Exposed in Twilio Hack

    Published: 2022-08-23 11:30:40

    Popularity: 9

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cell phones
  • data breaches
  • hacking
  • Signal
  • 🤖: "oops, security breach"

    Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed: Here’s what our users need to know: All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected. For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal’s total users, meaning that most were not affected...

    Linux Improves Its Random Number Generator

    Published: 2022-03-24 11:38:47

    Popularity: 11

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • Linux
  • random numbers
  • 🤖: "Randomly good"

    In kernel version 5.17, both /dev/random and /dev/urandom have been replaced with a new — identical — algorithm based on the BLAKE2 hash function, which is an excellent security improvement.

    Zero-Click iMessage Exploit

    Published: 2021-09-17 11:09:27

    Popularity: 13

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • Apple
  • exploits
  • patching
  • spyware
  • vulnerabilities
  • 🤖: "Sneaky hack"

    Citizen Lab released a report on a zero-click iMessage exploit that is used in NSO Group’s Pegasus spyware. Apple patched the vulnerability; everyone needs to update their OS immediately. News articles on the exploit.

    Cobalt Strike Vulnerability Affects Botnet Servers

    Published: 2021-08-11 11:42:27

    Popularity: None

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • patching
  • penetration testing
  • vulnerabilities
  • 🤖: "Server hack alert"

    Cobalt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product. The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send...

    Apple Adds a Backdoor to iMessage and iCloud Storage

    Published: 2021-08-10 11:37:30

    Popularity: 56

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • Apple
  • backdoors
  • cloud computing
  • Edward Snowden
  • privacy
  • surveillance
  • 🤖: "Surveillance mode activated"

    Apple’s announcement that it’s going to start scanning photos for child abuse material is a big deal. (Here are five news stories.) I have been following the details, and discussing it in several different email lists. I don’t have time right now to delve into the details, but wanted to post something. EFF writes: There are two main features that the company is planning to install in every Apple device. One is a scanning feature that will scan all photos as they get uploaded into iCloud Photos to see if they match a photo in the database of known child sexual abuse material (CSAM) maintained by the National Center for Missing & Exploited Children (NCMEC). The other feature scans all iMessage images sent or received by child accounts — that is, accounts designated as owned by a minor — for sexually explicit material, and if the child is young enough, notifies the parent when these images are sent or received. This feature can be turned on or off by parents...

    China Taking Control of Zero-Day Exploits

    Published: 2021-07-14 11:04:46

    Popularity: 5

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • China
  • cybersecurity
  • cyberweapons
  • disclosure
  • vulnerabilities
  • zero-day
  • 🤖: "Red flag waving"

    China is making sure that all newly discovered zero-day exploits are disclosed to the government. Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer. No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries. This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China...

    Apple Will Offer Onion Routing for iCloud/Safari Users

    Published: 2021-06-22 11:54:09

    Popularity: 9

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • anonymity
  • Apple
  • cloud computing
  • Safari
  • Tor
  • 🤖: "Torified Safari"

    At this year’s Apple Worldwide Developer Conference, Apple announced something called “iCloud Private Relay.” That’s basically its private version of onion routing, which is what Tor does. Privacy Relay is built into both the forthcoming iOS and MacOS versions, but it will only work if you’re an iCloud Plus subscriber and you have it enabled from within your iCloud settings. Once it’s enabled and you open Safari to browse, Private Relay splits up two pieces of information that — when delivered to websites together as normal — could quickly identify you. Those are your IP address (who and exactly where you are) and your DNS request (the address of the website you want, in numeric form)...

    Security Vulnerability in Apple’s Silicon “M1” Chip

    Published: 2021-06-01 11:26:41

    Popularity: 14

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • 🤖: "Chip failure"

    The website for the M1racles security vulnerability is an excellent demonstration that not all vulnerabilities are exploitable. Be sure to read the FAQ through to the end. EDITED TO ADD: Wired article.

    Tesla Remotely Hacked from a Drone

    Published: 2021-05-04 14:41:45

    Popularity: 65

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cars
  • drones
  • hacking
  • vulnerabilities
  • Wi-Fi
  • 🤖: "Drone hack attack"

    This is an impressive hack: Security researchers Ralf-Philipp Weinmann of Kunnamon, Inc. and Benedikt Schmotzle of Comsecuris GmbH have found remote zero-click security vulnerabilities in an open-source software component (ConnMan) used in Tesla automobiles that allowed them to compromise parked cars and control their infotainment systems over WiFi. It would be possible for an attacker to unlock the doors and trunk, change seat positions, both steering and acceleration modes — in short, pretty much what a driver pressing various buttons on the console can do. This attack does not yield drive control of the car though...

    Google’s Project Zero Finds a Nation-State Zero-Day Operation

    Published: 2021-04-08 11:06:53

    Popularity: 12

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cyberattack
  • Google
  • terrorism
  • zero-day
  • 🤖: "hacked again"

    Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by “Western government operatives actively conducting a counterterrorism operation”: The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed. […] It’s true that Project Zero does not formally attribute hacking to specific groups. But the Threat Analysis Group, which also worked on the project, does perform attribution. Google omitted many more details than just the name of the government behind the hacks, and through that information, the teams knew internally who the hacker and targets were. It is not clear whether Google gave advance notice to government officials that they would be publicizing and shutting down the method of attack...

    Another SolarWinds Orion Hack

    Published: 2021-02-04 12:11:53

    Popularity: 48

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • backdoors
  • China
  • cyberespionage
  • FBI
  • hacking
  • Russia
  • supply chain
  • 🤖: "Network Nightmare"

    At the same time the Russians were using a backdoored SolarWinds update to attack networks worldwide, another threat actor — believed to be Chinese in origin — was using an already existing vulnerability in Orion to penetrate networks: Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised. […] Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies...

    Finding the Location of Telegram Users

    Published: 2021-01-14 12:08:27

    Popularity: 46

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • Android
  • geolocation
  • spoofing
  • Telegram
  • 🤖: "Tracking down"

    Security researcher Ahmed Hassan has shown that spoofing the Android’s “People Nearby” feature allows him to pinpoint the physical location of Telegram users: Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location. […] A proof-of-concept video the researcher sent to Telegram showed how he could discern the address of a People Nearby user when he used a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user’s precise location was where all three intersected...

    Oblivious DNS-over-HTTPS

    Published: 2020-12-08 21:02:08

    Popularity: 32

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • academic papers
  • anonymity
  • DNS
  • https
  • protocols
  • 🤖: "DNS fail"

    This new protocol, called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP. Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with. IETF memo. The paper: Abstract: The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client’s content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS...

    US Space Cybersecurity Directive

    Published: 2020-09-09 11:37:47

    Popularity: 40

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cybersecurity
  • national security policy
  • 🤖: "Space Alert"

    The Trump Administration just published “Space Policy Directive – 5”: “Cybersecurity Principles for Space Systems.” It’s pretty general: Principles. (a) Space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering. Space systems should be developed to continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities that could manipulate, deny, degrade, disrupt, destroy, surveil, or eavesdrop on space system operations....

    Bluetooth Vulnerability: BIAS

    Published: 2020-05-26 11:54:47

    Popularity: 106

    Author: Bruce Schneier

    Keywords:

  • authentication
  • Bluetooth
  • impersonation
  • security engineering
  • vulnerabilities
  • wireless
  • 🤖: "Blues get hacked"

    This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device: Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures...

    Marriott Was Hacked -- Again

    Published: 2020-04-02 16:33:42

    Popularity: 119

    Author: Bruce Schneier

    Keywords:

  • accountability
  • breaches
  • disclosure
  • hacking
  • hotels
  • 🤖: "Hack alert"

    Marriott announced another data breach, this one affecting 5.2 million people: At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved: Contact Details (e.g., name, mailing address, email address, and phone number) Loyalty Account Information (e.g., account number and points balance, but not passwords) Additional...

    Firefox Enables DNS over HTTPS

    Published: 2020-02-25 15:15:33

    Popularity: 364

    Author: Bruce Schneier

    Keywords:

  • browsers
  • child pornography
  • DNS
  • Firefox
  • https
  • Mozilla
  • security engineering
  • terrorism
  • 🤖: "Secure surfing"

    This is good news: Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can't be intercepted or hijacked in order to send a user to a malicious site. [...]...

    Wi-Fi Chip Vulnerability

    Published: 2020-03-03 12:43:15

    Popularity: 194

    Author: Bruce Schneier

    Keywords:

  • encryption
  • hacking
  • hardware
  • patching
  • vulnerabilities
  • Wi-Fi
  • 🤖: "Hack alert"

    There's a vulnerability in Wi-Fi hardware that breaks the encryption: The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter a chipmaker Cypress acquired in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, and Wi-Fi routers from Asus and Huawei, as well as the Raspberry Pi 3. Eset, the security...

    DNSSEC Keysigning Ceremony Postponed Because of Locked Safe

    Published: 2020-02-14 12:07:21

    Popularity: 230

    Author: Bruce Schneier

    Keywords:

  • DNS
  • keys
  • locks
  • safes
  • 🤖: "Locked out"

    Interesting collision of real-world and Internet security: The ceremony sees several trusted internet engineers (a minimum of three and up to seven) from across the world descend on one of two secure locations -- one in El Segundo, California, just south of Los Angeles, and the other in Culpeper, Virginia -- both in America, every three months. Once in place,...

    Smartphone Election in Washington State

    Published: 2020-01-27 12:03:15

    Popularity: 208

    Author: Bruce Schneier

    Keywords:

  • auditing
  • authentication
  • smartphones
  • voting
  • 🤖: "Voting app fail"

    This year: King County voters will be able to use their name and birthdate to log in to a Web portal through the Internet browser on their phones, says Bryan Finney, the CEO of Democracy Live, the Seattle-based voting company providing the technology. Once voters have completed their ballots, they must verify their submissions and then submit a signature on...

    New SHA-1 Attack

    Published: 2020-01-08 15:38:49

    Popularity: 364

    Author: Bruce Schneier

    Keywords:

  • academic papers
  • certifications
  • cryptography
  • encryption
  • forgery
  • impersonation
  • keys
  • PGP
  • SHA-1
  • 🤖: "Hash fail"

    There's a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of $2^{61.2}$ rather than $2^{64.7}$,...

    A Harlequin Romance Novel about Hackers

    Published: 2019-07-19 19:38:32

    Popularity: 112

    Author: Bruce Schneier

    Keywords:

  • books
  • hacking
  • 🤖: "Hackers in love"

    Really....

    Applied Cryptography is Banned in Oregon Prisons

    Published: 2019-07-05 18:52:51

    Popularity: 314

    Author: Bruce Schneier

    Keywords:

  • Applied Cryptography
  • books
  • censorship
  • cryptography
  • prisons
  • 🤖: "Coded out"

    My Applied Cryptography is on a list of books banned in Oregon prisons. It's not me -- and it's not cryptography -- it's that the prisons ban books that teach people to code. The subtitle is "Algorithms, Protocols, and Source Code in C" -- and that's the reason. My more recent Cryptography Engineering is a much better book for prisoners,...

    Ransomware Recovery Firms Who Secretly Pay Hackers

    Published: 2019-07-08 12:08:47

    Popularity: 266

    Author: Bruce Schneier

    Keywords:

  • fraud
  • hacking
  • ransomware
  • 🤖: "paying off attackers"

    ProPublica is reporting on companies that pretend to recover data locked up by ransomware, but just secretly pay the hackers and then mark up the cost to the victims....

    Cellebrite Claims It Can Unlock Any iPhone

    Published: 2019-06-28 11:35:40

    Popularity: 214

    Author: Bruce Schneier

    Keywords:

  • Apple
  • cell phones
  • hacking
  • iOS
  • iPhone
  • law enforcement
  • locks
  • 🤖: "Cracked Wide Open"

    The digital forensics company Cellebrite now claims it can unlock any iPhone. I dithered before blogging this, not wanting to give the company more publicity. But I decided that everyone who wants to know already knows, and that Apple already knows. It's all of us that need to know....

    Thangrycat: A Serious Cisco Vulnerability

    Published: 2019-05-23 16:52:31

    Popularity: 147

    Author: Bruce Schneier

    Keywords:

  • Cisco
  • hardware
  • vulnerabilities
  • 🤖: "pwned 💻"

    Summary: Thangrycat is caused by a series of hardware design flaws within Cisco's Trust Anchor module. First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the root of trust that underpins all other Cisco security and trustworthy...

    Germany Talking about Banning End-to-End Encryption

    Published: 2019-05-24 13:39:37

    Popularity: 551

    Author: Bruce Schneier

    Keywords:

  • crypto wars
  • cryptography
  • encryption
  • Germany
  • 🤖: "gov snooping 📱👻"

    Der Spiegel is reporting that the German Ministry for Internal Affairs is planning to require all Internet message services to provide plaintext messages on demand, basically outlawing strong end-to-end encryption. Anyone not complying will be blocked, although the article doesn't say how. (Cory Doctorow has previously explained why this would be impossible.) The article is in German, and I would...

    Why Are Cryptographers Being Denied Entry into the US?

    Published: 2019-05-17 11:18:10

    Popularity: 357

    Author: Bruce Schneier

    Keywords:

  • borders
  • cryptography
  • national security policy
  • security conferences

    In March, Adi Shamir -- that's the "S" in RSA -- was denied a US visa to attend the RSA Conference. He's Israeli. This month, British citizen Ross Anderson couldn't attend an awards ceremony in DC because of visa issues. (You can listen to his recorded acceptance speech.) I've heard of two other prominent cryptographers who are in the same...

    Another NSA Leaker Identified and Charged

    Published: 2019-05-09 20:17:22

    Popularity: 110

    Author: Bruce Schneier

    Keywords:

  • espionage
  • leaks
  • NSA
  • whistleblowers
  • 🤖: "Government gotcha"

    In 2015, the Intercept started publishing "The Drone Papers," based on classified documents leaked by an unknown whistleblower. Today, someone who worked at the NSA, and then at the National Geospatial-Intelligence Agency, was charged with the crime. It is unclear how he was initially identified. It might have been this: "At the agency, prosecutors said, Mr. Hale printed 36 documents...

    Fooling Automated Surveillance Cameras with Patchwork Color Printout

    Published: 2019-04-25 11:31:22

    Popularity: 137

    Author: Bruce Schneier

    Keywords:

  • academic papers
  • biometrics
  • cybersecurity
  • machine learning
  • 🤖: "Sneaky printout"

    Nice bit of adversarial machine learning. The image from this news article is most of what you need to know, but here's the research paper....

    G7 Comes Out in Favor of Encryption Backdoors

    Published: 2019-04-23 14:14:10

    Popularity: 495

    Author: Bruce Schneier

    Keywords:

  • backdoors
  • encryption
  • G7
  • hacking
  • key escrow
  • keys
  • law enforcement
  • terrorism
  • 🤖: "Backdoor detected"

    From a G7 meeting of interior ministers in Paris this month, an "outcome document": Encourage Internet companies to establish lawful access solutions for their products and services, including data that is encrypted, for law enforcement and competent authorities to access digital evidence, when it is removed or hosted on IT servers located abroad or encrypted, without imposing any particular technology...

    Iranian Cyberespionage Tools Leaked Online

    Published: 2019-04-19 13:12:31

    Popularity: 151

    Author: Bruce Schneier

    Keywords:

  • cyberespionage
  • doxing
  • hacking
  • Iran
  • leaks
  • 🤖: "Ouch, Iran got pwned"

    The source code of a set of Iranian cyberespionage tools was leaked online....


    DARPA Is Developing an Open-Source Voting System

    Published: 2019-03-14 18:20:34

    Popularity: 248

    Author: Bruce Schneier

    Keywords:

  • DARPA
  • hardware
  • open source
  • voting
  • 🤖: "Election hack proof?"

    This sounds like a good development: ...a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking. The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and...


    Letterlocking

    Published: 2019-03-07 12:25:08

    Popularity: 32

    Author: Bruce Schneier

    Keywords:

  • history of security

    Really good article on the now-lost art of letterlocking....


    Supply Chain Attack against Courtroom Software

    Published: 2024-05-30 11:04:43

    Popularity: 3

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • backdoors
  • courts
  • supply chain
  • 🤖: "Hacked courtroom"

    No word on how this backdoor was installed: A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode of a supply-chain attack. The software, known as the JAVS Viewer 8, is a component of the JAVS Suite 8, an application package courtrooms use to record, play back, and manage audio and video from proceedings. Its maker, Louisville, Kentucky-based Justice AV Solutions, says its products are used in more than 10,000 courtrooms throughout the US and 11 other countries. The company has been in business for 35 years...


    Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious

    Published: 2024-07-17 16:03:20

    Popularity: 12

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cybercrime
  • denial of service
  • Internet
  • 🤖: "Malware alert"

    6.8%, to be precise. From ZDNet: However, Distributed Denial of Service (DDoS) attacks continue to be cybercriminals’ weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year. But it’s not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS)...


    YubiKey Side-Channel Attack

    Published: 2024-09-06 15:16:21

    Popularity: 3

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • academic papers
  • cloning
  • security analysis
  • security tokens
  • side-channel attacks
  • 🤖: "Leaky key"

    There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. It’s a complicated attack, requiring the victim’s username and password, and physical access to their YubiKey—as well as some technical expertise and equipment. Still, nice piece of security analysis.


    Python Developers Targeted with Malware During Fake Job Interviews

    Published: 2024-09-17 11:02:34

    Popularity: 10

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • cybersecurity
  • malware
  • North Korea
  • social engineering
  • threat models
  • 🤖: "Phishing alert!"

    Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article: These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving “coding tests” that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS...


    Remotely Exploding Pagers

    Published: 2024-09-17 15:54:36

    Popularity: 34

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • bombs
  • Hezbollah
  • terrorism
  • 🤖: "boom!"

    Wow. It seems they all exploded simultaneously, which means they were triggered. Were they each tampered with physically, or did someone figure out how to trigger a thermal runaway remotely? Supply chain attack? Malicious code update, or natural vulnerability? I have no idea, but I expect we will all learn over the next few days. EDITED TO ADD: I’m reading nine killed and 2,800 injured. That’s a lot of collateral damage. (I haven’t seen a good number as to the number of pagers yet.) EDITED TO ADD: Reuters writes: “The pagers that detonated were the latest model brought in by Hezbollah in recent months, three security sources said.” That implies supply chain attack. And it seems to be a large detonation for an overloaded battery...


    Law Enforcement Deanonymizes Tor Users

    Published: 2024-10-29 11:02:15

    Popularity: 24

    Author: Bruce Schneier

    Keywords:

  • Uncategorized
  • de-anonymization
  • law enforcement
  • Tor
  • 🤖: "Tor nope"

    The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay. Tor has written about this. Hacker News thread.
