Recent Entries

From Schneier on Security on March 26, 2019, 11:24 a.m.

Personal Data Left on Used Laptops

A recent experiment found all sorts of personal data left on used laptops and smartphones. This should come as no surprise. Simson Garfinkel performed the same experiment in 2003, with similar results....

From Schneier on Security on March 25, 2019, 2:39 p.m.

Mail Fishing

Not email, paper mail: Thieves, often at night, use string to lower glue-covered rodent traps or bottles coated with an adhesive down the chute of a sidewalk mailbox. This bait attaches to the envelopes inside, and the fish in this case -- mail containing gift cards, money orders or checks, which can be altered with chemicals and cashed -- are...

From Schneier on Security on March 22, 2019, 9:45 p.m.

Friday Squid Blogging: New Research on Squid Camouflage

From the New York Times: Now, a paper published last week in Nature Communications suggests that their chromatophores, previously thought to be mainly pockets of pigment embedded in their skin, are also equipped with tiny reflectors made of proteins. These reflectors aid the squid to produce such a wide array of colors, including iridescent greens and blues, within a second...

From Schneier on Security on March 22, 2019, 11:16 a.m.

Enigma, Typex, and Bombe Simulators

GCHQ has put simulators for the Enigma, Typex, and Bombe on the Internet. News article....

From Schneier on Security on March 21, 2019, 10:52 a.m.

First Look Media Shutting Down Access to Snowden NSA Archives

The Daily Beast is reporting that First Look Media -- home of The Intercept and Glenn Greenwald -- is shutting down access to the Snowden archives. The Intercept was the home for Greenwald's subset of Snowden's NSA documents since 2014, after he parted ways with the Guardian the year before. I don't know the details of how the archive was...

From Schneier on Security on March 20, 2019, 5:38 p.m.

Zipcar Disruption

This isn't a security story, but it easily could have been. Last Saturday, Zipcar had a system outage: "an outage experienced by a third party telecommunications vendor disrupted connections between the company's vehicles and its reservation software." That didn't just mean people couldn't get cars they reserved. Sometimes is meant they couldn't get the cars they were already driving to...

From Schneier on Security on March 20, 2019, 11:03 a.m.

An Argument that Cybersecurity Is Basically Okay

Andrew Odlyzko's new essay is worth reading -- "Cybersecurity is not very important": Abstract: There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of...

From Schneier on Security on March 19, 2019, 11:48 a.m.

Triton

Good article on the Triton malware which targets industrial control systems....

From Schneier on Security on March 18, 2019, 11:23 a.m.

CAs Reissue Over One Million Weak Certificates

Turns out that the software a bunch of CAs used to generate public-key certificates was flawed: they created random serial numbers with only 63 bits instead of the required 64. That may not seem like a big deal to the layman, but that one bit change means that the serial numbers only have half the required entropy. This really isn't...

From Schneier on Security on March 15, 2019, 9:24 p.m.

Friday Squid Blogging: A Squid-Related Vacation Tour in Hawaii

You can hunt for the Hawaiian bobtail squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on March 15, 2019, 7:38 p.m.

I Was Cited in a Court Decision

An article I co-wrote -- my first law journal article -- was cited by the Massachusetts Supreme Judicial Court -- the state supreme court -- in a case on compelled decryption. Here's the first, in footnote 1: We understand the word "password" to be synonymous with other terms that cell phone users may be familiar with, such as Personal Identification...

From Schneier on Security on March 15, 2019, 7:15 p.m.

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm teaching a live online class called "Spotlight on Cloud: The Future of Internet Security with Bruce Schneier" on O'Reilly's learning platform, Thursday, April 4, at 10:00 AM PT/1:00 PM ET. The list is maintained on this page....

From Schneier on Security on March 15, 2019, 2:44 p.m.

Critical Flaw in Swiss Internet Voting System

Researchers have found a critical flaw in the Swiss Internet voting system. I was going to write an essay about how this demonstrates that Internet voting is a stupid idea and should never be attempted -- and that this system in particular should never be deployed, even if the found flaw is fixed -- but Cory Doctorow beat me to...

From Schneier on Security on March 14, 2019, 6:20 p.m.

DARPA Is Developing an Open-Source Voting System

This sounds like a good development: ...a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking. The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and...

From Schneier on Security on March 13, 2019, 11:51 a.m.

Judging Facebook's Privacy Shift

Facebook is making a new and stronger commitment to privacy. Last month, the company hired three of its most vociferous critics and installed them in senior technical positions. And on Wednesday, Mark Zuckerberg wrote that the company will pivot to focus on private conversations over the public sharing that has long defined the platform, even while conceding that "frankly we...

From Schneier on Security on March 12, 2019, 11:38 a.m.

On Surveillance in the Workplace

Data & Society just published a report entitled "Workplace Monitoring & Surveillance": This explainer highlights four broad trends in employee monitoring and surveillance technologies: Prediction and flagging tools that aim to predict characteristics or behaviors of employees or that are designed to identify or deter perceived rule-breaking or fraud. Touted as useful management tools, they can augment biased and discriminatory...

From Schneier on Security on March 11, 2019, 11:54 a.m.

Russia Is Testing Online Voting

This is a bad idea: A second innovation will allow "electronic absentee voting" within voters' home precincts. In other words, Russia is set to introduce its first online voting system. The system will be tested in a Moscow neighborhood that will elect a single member to the capital's city council in September. The details of how the experiment will work...

From Schneier on Security on March 8, 2019, 10:36 p.m.

Friday Squid Blogging: Squid Proteins Can Be an Alternative to Plastic

Is there anything squids aren't good for? Academic paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on March 8, 2019, 8:24 p.m.

Videos and Links from the Public-Interest Technology Track at the RSA Conference

Yesterday at the RSA Conference, I gave a keynote talk about the role of public-interest technologists in cybersecurity. (Video here). I also hosted a one-day mini-track on the topic. We had six panels, and they were all great. If you missed it live, we have videos: How Public Interest Technologists are Changing the World: Matt Mitchell, Tactical Tech; Bruce Schneier,...

From Schneier on Security on March 8, 2019, 11:57 a.m.

Cybersecurity Insurance Not Paying for NotPetya Losses

This will complicate things: To complicate matters, having cyber insurance might not cover everyone's losses. Zurich American Insurance Company refused to pay out a $100 million claim from Mondelez, saying that since the U.S. and other governments labeled the NotPetya attack as an action by the Russian military their claim was excluded under the "hostile or warlike action in time...

From Schneier on Security on March 7, 2019, 7:48 p.m.

Detecting Shoplifting Behavior

This system claims to detect suspicious behavior that indicates shoplifting: Vaak, a Japanese startup, has developed artificial intelligence software that hunts for potential shoplifters, using footage from security cameras for fidgeting, restlessness and other potentially suspicious body language. The article has no detail or analysis, so we don't know how well it works. But this kind of thing is surely...

From Schneier on Security on March 7, 2019, 12:25 p.m.

Letterlocking

Really good article on the now-lost art of letterlocking....

From Schneier on Security on March 6, 2019, 12:17 p.m.

Digital Signatures in PDFs Are Broken

Researchers have demonstrated spoofing of digital signatures in PDF files. This would matter more if PDF digital signatures were widely used. Still, the researchers have worked with the various companies that make PDF readers to close the vulnerabilities. You should update your software. Details are here. News article....

From Schneier on Security on March 5, 2019, 12:31 p.m.

Cybersecurity for the Public Interest

The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there's no way to provide this capability without also weakening the security of...

From Schneier on Security on March 4, 2019, 12:04 p.m.

The Latest in Creepy Spyware

The Nest home alarm system shipped with a secret microphone, which -- according to the company -- was only an accidental secret: On Tuesday, a Google spokesperson told Business Insider the company had made an "error." "The on-device microphone was never intended to be a secret and should have been listed in the tech specs," the spokesperson said. "That was...

From Schneier on Security on March 1, 2019, 10:24 p.m.

Friday Squid Blogging: Chinese Squid-Processing Facility

China is building the largest squid processing center in the world. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on March 1, 2019, 11:59 a.m.

Data Leakage from Encrypted Databases

Matthew Green has a super-interesting blog post about information leakage from encrypted databases. It describes the recent work by Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud, and Kenneth G. Paterson. Even the summary is too much to summarize, so read it....

From Schneier on Security on Feb. 28, 2019, 12:22 p.m.

Can Everybody Read the US Terrorist Watch List?

After years of claiming that the Terrorist Screening Database is kept secret within the government, we have now learned that the DHS shares it "with more than 1,400 private entities, including hospitals and universities...." Critics say that the watchlist is wildly overbroad and mismanaged, and that large numbers of people wrongly included on the list suffer routine difficulties and indignities...

From Schneier on Security on Feb. 27, 2019, 12:22 p.m.

"Insider Threat" Detection Software

Notice this bit from an article on the arrest of Christopher Hasson: It was only after Hasson's arrest last Friday at his workplace that the chilling plans prosecutors assert he was crafting became apparent, detected by an internal Coast Guard program that watches for any "insider threat." The program identified suspicious computer activity tied to Hasson, prompting the agency's investigative...

From Schneier on Security on Feb. 26, 2019, 12:10 p.m.

Attacking Soldiers on Social Media

A research group at NATO's Strategic Communications Center of Excellence catfished soldiers involved in an European military exercise -- we don't know what country they were from -- to demonstrate the power of the attack technique. Over four weeks, the researchers developed fake pages and closed groups on Facebook that looked like they were associated with the military exercise, as...

From Schneier on Security on Feb. 25, 2019, 12:23 p.m.

On the Security of Password Managers

There's new research on the security of password managers, speficially 1Password, Dashlane, KeePass, and Lastpass. This work specifically looks at password leakage on the host computer. That is, does the password manager accidentally leave plaintext copies of password lying around memory? All password managers we examined sufficiently secured user secrets while in a 'not running' state. That is, if a...

From Schneier on Security on Feb. 22, 2019, 10:09 p.m.

Friday Squid Blogging: A Tracking Device for Squid

Really: After years of "making do" with the available technology for his squid studies, Mooney created a versatile tag that allows him to research squid behavior. With the help of Kakani Katija, an engineer adapting the tag for jellyfish at California's Monterey Bay Aquarium Research Institute (MBARI), Mooney's team is creating a replicable system flexible enough to work across a...

From Schneier on Security on Feb. 22, 2019, 11:35 a.m.

Gen. Nakasone on US CyberCommand

Really interesting article by and interview with Paul M. Nakasone (Commander of U.S. Cyber Command, Director of the National Security Agency, and Chief of the Central Security Service) in the current issue of Joint Forces Quarterly. He talks about the evolving role of US CyberCommand, and it's new posture of "persistent engagement" using a "cyber-presistant force": From the article: We...

From Schneier on Security on Feb. 21, 2019, 12:33 p.m.

Reverse Location Search Warrants

The police are increasingly getting search warrants for information about all cellphones in a certain location at a certain time: Police departments across the country have been knocking at Google's door for at least the last two years with warrants to tap into the company's extensive stores of cellphone location data. Known as "reverse location search warrants," these legal mandates...

From Schneier on Security on Feb. 20, 2019, 2:02 p.m.

Details on Recent DNS Hijacking

At the end of January the US Department of Homeland Security issued a warning regarding serious DNS hijacking attempts against US government domains. Brian Krebs wrote an excellent article detailing the attacks and their implications. Strongly recommended....

From Schneier on Security on Feb. 19, 2019, 12:36 p.m.

Estonia's Volunteer Cyber Militia

Interesting -- although short and not very detailed -- article about Estonia's volunteer cyber-defense militia. Padar's militia of amateur IT workers, economists, lawyers, and other white-hat types are grouped in the city of Tartu, about 65 miles from the Russian border, and in the capital, Tallinn, about twice as far from it. The volunteers, who've inspired a handful of similar...

From Schneier on Security on Feb. 18, 2019, 8:42 p.m.

I Am Not Associated with Swift Recovery Ltd.

It seems that someone from a company called Swift Recovery Ltd. is impersonating me -- at least on Telegram. The person is using a photo of me, and is using details of my life available on Wikipedia to convince people that they are me. They are not. If anyone has any more information -- stories, screen shots of chats, etc....

From Schneier on Security on Feb. 18, 2019, 1:45 p.m.

Cataloging IoT Vulnerabilities

Recent articles about IoT vulnerabilities describe hacking of construction cranes, supermarket freezers, and electric scooters....

From Schneier on Security on Feb. 15, 2019, 10:24 p.m.

Friday Squid Blogging: Sharp-Eared Enope Squid

Beautiful photo of a three-inch-long squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Feb. 15, 2019, 12:33 p.m.

Reconstructing SIGSALY

Lessons learned in reconstructing the World War II-era SIGSALY voice encryption system....

From Schneier on Security on Feb. 14, 2019, 12:53 p.m.

USB Cable with Embedded Wi-Fi Controller

It's only a prototype, but this USB cable has an embedded Wi-Fi controller. Whoever controls that Wi-Fi connection can remotely execute commands on the attached computer....

From Schneier on Security on Feb. 13, 2019, 12:32 p.m.

Cyberinsurance and Acts of War

I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International's claim of $100 million in damages from NotPetya. It claims it is an act of war and therefor not covered. Mondelez is suing. Those turning to cyber insurance to manage their exposure presently face significant uncertainties about its promise. First, the scope of cyber...

From Schneier on Security on Feb. 12, 2019, 12:25 p.m.

Blockchain and Trust

In his 2008 white paper that first proposed bitcoin, the anonymous Satoshi Nakamoto concluded with: "We have proposed a system for electronic transactions without relying on trust." He was referring to blockchain, the system behind bitcoin cryptocurrency. The circumvention of trust is a great promise, but it's just not true. Yes, bitcoin eliminates certain trusted intermediaries that are inherent in...

From Schneier on Security on Feb. 8, 2019, 10:37 p.m.

Friday Squid Blogging: The Hawaiian Bobtail Squid Genome

The Hawaiian Bobtail Squid's genome is half again the size of a human's. Other facts: The Hawaiian bobtail squid has two different symbiotic organs, and researchers were able to show that each of these took different paths in their evolution. This particular species of squid has a light organ that harbors a light-producing, or bioluminescent, bacterium that enables the squid...

From Schneier on Security on Feb. 7, 2019, 2:15 p.m.

China's AI Strategy and its Security Implications

Gregory C. Allen at the Center for a New American Security has a new report with some interesting analysis and insights into China's AI strategy, commercial, government, and military. There are numerous security -- and national security -- implications....

From Schneier on Security on Feb. 6, 2019, 4:24 p.m.

Using Gmail "Dot Addresses" to Commit Fraud

In Gmail addresses, the dots don't matter. The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. (Note: I own none of those addresses, if they are actually valid.) This fact can be used to commit fraud: Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to...

From Schneier on Security on Feb. 5, 2019, 8:59 p.m.

Major Zcash Vulnerability Fixed

Zcash just fixed a vulnerability that would have allowed "infinite counterfeit" Zcash. Like all the other blockchain vulnerabilities and updates, this demonstrates the ridiculousness of the notion that code can replace people, that trust can be encompassed in the protocols, or that human governance is not ncessary....

From Schneier on Security on Feb. 4, 2019, 5:07 p.m.

Facebook's New Privacy Hires

The Wired headline sums it up nicely -- "Facebook Hires Up Three of Its Biggest Privacy Critics": In December, Facebook hired Nathan White away from the digital rights nonprofit Access Now, and put him in the role of privacy policy manager. On Tuesday of this week, lawyers Nate Cardozo, of the privacy watchdog Electronic Frontier Foundation, and Robyn Greene, of...

From Schneier on Security on Feb. 1, 2019, 10:38 p.m.

Friday Squid Blogging: Squid with Chorizo, Tomato, and Beans

Nice recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Feb. 1, 2019, 3:48 p.m.

Public-Interest Tech at the RSA Conference

Our work in cybersecurity is inexorably intertwined with public policy and­ -- more generally­ -- the public interest. It's obvious in the debates on encryption and vulnerability disclosure, but it's also part of the policy discussions about the Internet of Things, cryptocurrencies, artificial intelligence, social media platforms, and pretty much everything else related to IT. This societal dimension to our...

From Schneier on Security on Jan. 31, 2019, 4:30 p.m.

Security Flaws in Children's Smart Watches

A year ago, the Norwegian Consumer Council published an excellent security analysis of children's GPS-connected smart watches. The security was terrible. Not only could parents track the children, anyone else could also track the children. A recent analysis checked if anything had improved after that torrent of bad press. Short answer: no. Guess what: a train wreck. Anyone could access...

From Schneier on Security on Jan. 30, 2019, 4 p.m.

Security Analysis of the LIFX Smart Light Bulb

The security is terrible: In a very short limited amount of time, three vulnerabilities have been discovered: Wifi credentials of the user have been recovered (stored in plaintext into the flash memory). No security settings. The device is completely open (no secure boot, no debug interface disabled, no flash encryption). Root certificate and RSA private key have been extracted. Boing...

From Schneier on Security on Jan. 29, 2019, 7:12 p.m.

iPhone FaceTime Vulnerability

This is kind of a crazy iPhone vulnerability: it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call. This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it's fixed. But it's hard to imagine how an adversary can operationalize this in...

From Schneier on Security on Jan. 28, 2019, 7:40 p.m.

Japanese Government Will Hack Citizens' IoT Devices

The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what's insecure, and (2) help consumers secure them: The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web...

From Schneier on Security on Jan. 25, 2019, 10:18 p.m.

Friday Squid Blogging: Squids on the Tree of Life

Interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Jan. 25, 2019, 12:08 p.m.

Hacking the GCHQ Backdoor

Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected: In fact, we think when the ghost feature is active­ -- silently inserting a secret eavesdropping member into an otherwise end-to-end encrypted conversation in the manner...

From Schneier on Security on Jan. 24, 2019, 12:38 p.m.

Military Carrier Pigeons in the Era of Electronic Warfare

They have advantages: Pigeons are certainly no substitute for drones, but they provide a low-visibility option to relay information. Considering the storage capacity of microSD memory cards, a pigeon's organic characteristics provide front line forces a relatively clandestine mean to transport gigabytes of video, voice, or still imagery and documentation over considerable distance with zero electromagnetic emissions or obvious detectability...

From Schneier on Security on Jan. 23, 2019, 12:20 p.m.

The Evolution of Darknets

This is interesting: To prevent the problems of customer binding, and losing business when darknet markets go down, merchants have begun to leave the specialized and centralized platforms and instead ventured to use widely accessible technology to build their own communications and operational back-ends. Instead of using websites on the darknet, merchants are now operating invite-only channels on widely available...

From Schneier on Security on Jan. 22, 2019, 11:59 a.m.

Hacking Construction Cranes

Construction cranes are vulnerable to hacking: In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we've outlined, we were able to perform the attacks quickly and even switch on the controlled...

From Schneier on Security on Jan. 21, 2019, 12:47 p.m.

Clever Smartphone Malware Concealment Technique

This is clever: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices...

From Schneier on Security on Jan. 18, 2019, 10:41 p.m.

Friday Squid Blogging: Squid Lollipops

Two squid lollipops, handmade by Shinri Tezuka. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Jan. 18, 2019, 11:54 a.m.

Evaluating the GCHQ Exceptional Access Proposal

The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI -- and some of their peer agencies in the U.K., Australia, and elsewhere -- argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make their systems susceptible to government eavesdropping. Sometimes...

From Schneier on Security on Jan. 17, 2019, 12:33 p.m.

Prices for Zero-Day Exploits Are Rising

Companies are willing to pay ever-increasing amounts for good zero-day exploits against hard-to-break computers and applications: On Monday, market-leading exploit broker Zerodium said it would pay up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over secure messaging apps WhatsApp and iMessage. Previously, Zerodium was offering...

From Schneier on Security on Jan. 16, 2019, 12:53 p.m.

El Chapo's Encryption Defeated by Turning His IT Consultant

Impressive police work: In a daring move that placed his life in danger, the I.T. consultant eventually gave the F.B.I. his system's secret encryption keys in 2011 after he had moved the network's servers from Canada to the Netherlands during what he told the cartel's leaders was a routine upgrade. A Dutch article says that it's a BlackBerry system. Hacker...

From Schneier on Security on Jan. 15, 2019, 11:55 a.m.

Alex Stamos on Content Moderation and Security

Former Facebook CISO Alex Stamos argues that increasing political pressure on social media platforms to moderate content will give them a pretext to turn all end-to-end crypto off -- which would be more profitable for them and bad for society. If we ask tech companies to fix ancient societal ills that are now reflected online with moderation, then we will...

From Schneier on Security on Jan. 14, 2019, 10:21 p.m.

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking at A New Initiative for Poland in Warsaw, January 16-17, 2019. I'm speaking at the Munich Cyber Security Conference (MCSC) on February 14, 2019. The list is maintained on this page....

From Schneier on Security on Jan. 14, 2019, 5:13 p.m.

Why Internet Security Is So Bad

I recently read two different essays that make the point that while Internet security is terrible, it really doesn't affect people enough to make it an issue. This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and...

From Schneier on Security on Jan. 11, 2019, 8:48 p.m.

Friday Squid Blogging: New Giant Squid Video

This is a fantastic video of a young giant squid named Heck swimming around Toyama Bay near Tokyo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Jan. 11, 2019, 12:38 p.m.

Using a Fake Hand to Defeat Hand-Vein Biometrics

Nice work: One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example. But with that said, Krissler and Albrecht first...

From Schneier on Security on Jan. 10, 2019, 11:52 a.m.

Security Vulnerabilities in Cell Phone Systems

Good essay on the inherent vulnerabilities in the cell phone standards and the market barriers to fixing them. So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice...

From Schneier on Security on Jan. 9, 2019, 1:05 p.m.

EU Offering Bug Bounties on Critical Open-Source Software

The EU is offering "bug bounties on Free Software projects that the EU institutions rely on." Slashdot thread....

From Schneier on Security on Jan. 8, 2019, 12:13 p.m.

Machine Learning to Detect Software Vulnerabilities

No one doubts that artificial intelligence (AI) and machine learning (ML) will transform cybersecurity. We just don't know how, or when. While the literature generally focuses on the different uses of AI by attackers and defenders ­ and the resultant arms race between the two ­ I want to talk about software vulnerabilities. All software contains bugs. The reason is...

From Schneier on Security on Jan. 7, 2019, 12:13 p.m.

New Attack Against Electrum Bitcoin Wallets

This is clever: How the attack works: Attacker added tens of malicious servers to the Electrum wallet network. Users of legitimate Electrum wallets initiate a Bitcoin transaction. If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).User clicks the...

From Schneier on Security on Jan. 4, 2019, 10:16 p.m.

Friday Squid Blogging: The Future of the Squid Market

It's growing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Jan. 3, 2019, 3:09 p.m.

Podcast Interview with Eva Gaperon

Nice interview with the EFF's director of cybersecurity, Eva Gaperon....

From Schneier on Security on Jan. 2, 2019, 3:29 p.m.

Long-Range Familial Searching Forensics

Good article on using long-range familial searching -- basically, DNA matching of distant relatives -- as a police forensics tool....

From Schneier on Security on Dec. 31, 2018, 11:57 a.m.

China's APT10

Wired has an excellent article on China's APT10 hacking group. Specifically, on how they hacked managed service providers in order to get to their customers' networks. I am reminded of the NSA's "I Hunt Sysadmins" presentation, published by the Intercept....

From Schneier on Security on Dec. 28, 2018, 10:04 p.m.

Friday Squid Blogging: Squid-Focused Menus in Croatia

This is almost over: From 1 December 2018 -- 6 January 2019, Days of Adriatic squid will take place at restaurants all over north-west Istria. Restaurants will be offering affordable full-course menus based on Adriatic squid, combined with quality local olive oil and fine wines. As usual, you can also use this squid post to talk about the security stories...

From Schneier on Security on Dec. 28, 2018, 6:11 p.m.

Click Here to Kill Everybody Available as an Audiobook

Click Here to Kill Everybody is finally available on Audible.com. I have ten download codes. Not having anything better to do with them, here they are: HADQSSFC98WCQ LDLMC6AJLBDJY YWSY8CXYMQNJ6 JWM7SGNUXX7DB UPKAJ6MHB2LEF M85YN36UR926H 9ULE4NFAH2SLF GU7A79GSDCXAT 9K8Q4RX6DKL84 M92GB246XY7JN Congratulations to the first ten people to try to use them....

From Schneier on Security on Dec. 28, 2018, 12:43 p.m.

Massive Ad Fraud Scheme Relied on BGP Hijacking

This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol: Members of 3ve (pronounced "eve") used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human...

From Schneier on Security on Dec. 27, 2018, 12:25 p.m.

Stealing Nativity Displays

The New York Times is reporting on the security measures people are using to protect nativity displays....

From Schneier on Security on Dec. 26, 2018, 12:27 p.m.

Human Rights by Design

Good essay: "Advancing Human-Rights-By-Design In The Dual-Use Technology Industry," by Jonathon Penney, Sarah McKune, Lex Gill, and Ronald J. Deibert: But businesses can do far more than these basic measures. They could adopt a "human-rights-by-design" principle whereby they commit to designing tools, technologies, and services to respect human rights by default, rather than permit abuse or exploitation as part of...

From Schneier on Security on Dec. 25, 2018, 5:17 a.m.

Glitter Bomb against Package Thieves

Stealing packages from unattended porches is a rapidly rising crime, as more of us order more things by mail. One person hid a glitter bomb and a video recorder in a package, posting the results when thieves opened the box. At least, that's what might have happened. At least some of the video was faked, which puts the whole thing...

From Schneier on Security on Dec. 24, 2018, 12:25 p.m.

MD5 and SHA-1 Still Used in 2018

Last week, the Scientific Working Group on Digital Evidence published a draft document -- "SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics" -- where it accepts the use of MD5 and SHA-1 in digital forensics applications: While SWGDE promotes the adoption of SHA2 and SHA3 by vendors and practitioners, the MD5 and...

From Schneier on Security on Dec. 21, 2018, 10:14 p.m.

Friday Squid Blogging: Illegal North Korean Squid Fishing

North Korea is engaged in even more illegal squid fishing than previously. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Dec. 21, 2018, 12:24 p.m.

Drone Denial-of-Service Attack against Gatwick Airport

Someone is flying a drone over Gatwick Airport in order to disrupt service: Chris Woodroofe, Gatwick's chief operating officer, said on Thursday afternoon there had been another drone sighting which meant it was impossible to say when the airport would reopen. He told BBC News: "There are 110,000 passengers due to fly today, and the vast majority of those will...

From Schneier on Security on Dec. 20, 2018, 12:21 p.m.

Fraudulent Tactics on Amazon Marketplace

Fascinating article about the many ways Amazon Marketplace sellers sabotage each other and defraud customers. The opening example: framing a seller for false advertising by buying fake five-star reviews for their products. Defacement: Sellers armed with the accounts of Amazon distributors (sometimes legitimately, sometimes through the black market) can make all manner of changes to a rival's listings, from changing...

From Schneier on Security on Dec. 19, 2018, noon

Congressional Report on the 2017 Equifax Data Breach

The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It's a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned. Lance Spitzner also commented on this. Here is my testimony before before the House Subcommittee on Digital Commerce and Consumer Protection last...

From Schneier on Security on Dec. 18, 2018, 12:31 p.m.

Teaching Cybersecurity Policy

Peter Swire proposes a a pedagogic framework for teaching cybersecurity policy. Specifically, he makes real the old joke about adding levels to the OSI networking stack: an organizational layer, a government layer, and an international layer....

From Schneier on Security on Dec. 17, 2018, 12:30 p.m.

New Shamoon Variant

A new variant of the Shamoon malware has destroyed signifigant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem. Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no idea if this new variant is also Iranian in origin,...

From Schneier on Security on Dec. 14, 2018, 4:02 p.m.

Real-Time Attacks Against Two-Factor Authentication

Attackers are targeting two-factor authentication systems: Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real...

From Schneier on Security on Dec. 13, 2018, 10:23 p.m.

Friday Squid Blogging: More Problems with the Squid Emoji

Piling on from last week's post, the squid emoji's siphon is in the wrong place. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Dec. 13, 2018, 12:37 p.m.

Marriott Hack Reported as Chinese State-Sponsored

The New York Times and Reuters are reporting that China was behind the recent hack of Mariott Hotels. Note that this is still uncomfirmed, but interesting if it is true. Reuters: Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to...

From Schneier on Security on Dec. 12, 2018, 3:18 p.m.

New Australian Backdoor Law

Last week, Australia passed a law https://www.bbc.com/news/world-australia-46463029">giving the government the ability to demand backdoors in computers and communications systems. Details are still to be defined, but it's really bad. Note: Many people e-mailed me to ask why I haven't blogged this yet. One, I was busy with other things. And two, there's nothing I can say that I haven't said...

From Schneier on Security on Dec. 10, 2018, 3:27 p.m.

2018 Annual Report from AI Now

The research group AI Now just published its annual report. It's an excellent summary of today's AI security challenges, as well as a policy agenda to address them. This is related, and also worth reading....

From Schneier on Security on Dec. 7, 2018, 10 p.m.

Problems with the Squid Emoji

The Monterey Bay Aquarium has some problems with the squid emoji. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Dec. 7, 2018, 6:06 p.m.

Back Issues of the NSA's Cryptolog

Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course. What's new is a nice user interface for the issues, noting highlights and levels of redaction....

From Schneier on Security on Dec. 7, 2018, 4:50 p.m.

Banks Attacked through Malicious Hardware Connected to the Local Network

Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network: In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the...

From Schneier on Security on Dec. 6, 2018, 1:33 p.m.

Your Personal Data is Already Stolen

In an excellent blog post, Brian Krebs makes clear something I have been saying for a while: Likewise for individuals, it pays to accept two unfortunate and harsh realities: Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren't, including your credit card information, Social Security number, mother's...

From Schneier on Security on Dec. 5, 2018, 12:30 p.m.

Security Risks of Chatbots

Good essay on the security risks -- to democratic discourse -- of chatbots....