Recent Entries

From Schneier on Security on Jan. 23, 2019, 12:20 p.m.

The Evolution of Darknets

This is interesting: To prevent the problems of customer binding, and losing business when darknet markets go down, merchants have begun to leave the specialized and centralized platforms and instead ventured to use widely accessible technology to build their own communications and operational back-ends. Instead of using websites on the darknet, merchants are now operating invite-only channels on widely available...

From Schneier on Security on Jan. 22, 2019, 11:59 a.m.

Hacking Construction Cranes

Construction cranes are vulnerable to hacking: In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we've outlined, we were able to perform the attacks quickly and even switch on the controlled...

From Schneier on Security on Jan. 21, 2019, 12:47 p.m.

Clever Smartphone Malware Concealment Technique

This is clever: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices...

From Schneier on Security on Jan. 18, 2019, 10:41 p.m.

Friday Squid Blogging: Squid Lollipops

Two squid lollipops, handmade by Shinri Tezuka. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Jan. 18, 2019, 11:54 a.m.

Evaluating the GCHQ Exceptional Access Proposal

The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI -- and some of their peer agencies in the U.K., Australia, and elsewhere -- argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make their systems susceptible to government eavesdropping. Sometimes...

From Schneier on Security on Jan. 17, 2019, 12:33 p.m.

Prices for Zero-Day Exploits Are Rising

Companies are willing to pay ever-increasing amounts for good zero-day exploits against hard-to-break computers and applications: On Monday, market-leading exploit broker Zerodium said it would pay up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over secure messaging apps WhatsApp and iMessage. Previously, Zerodium was offering...

From Schneier on Security on Jan. 16, 2019, 12:53 p.m.

El Chapo's Encryption Defeated by Turning His IT Consultant

Impressive police work: In a daring move that placed his life in danger, the I.T. consultant eventually gave the F.B.I. his system's secret encryption keys in 2011 after he had moved the network's servers from Canada to the Netherlands during what he told the cartel's leaders was a routine upgrade. A Dutch article says that it's a BlackBerry system. Hacker...

From Schneier on Security on Jan. 15, 2019, 11:55 a.m.

Alex Stamos on Content Moderation and Security

Former Facebook CISO Alex Stamos argues that increasing political pressure on social media platforms to moderate content will give them a pretext to turn all end-to-end crypto off -- which would be more profitable for them and bad for society. If we ask tech companies to fix ancient societal ills that are now reflected online with moderation, then we will...

From Schneier on Security on Jan. 14, 2019, 10:21 p.m.

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking at A New Initiative for Poland in Warsaw, January 16-17, 2019. I'm speaking at the Munich Cyber Security Conference (MCSC) on February 14, 2019. The list is maintained on this page....

From Schneier on Security on Jan. 14, 2019, 5:13 p.m.

Why Internet Security Is So Bad

I recently read two different essays that make the point that while Internet security is terrible, it really doesn't affect people enough to make it an issue. This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and...

From Schneier on Security on Jan. 11, 2019, 8:48 p.m.

Friday Squid Blogging: New Giant Squid Video

This is a fantastic video of a young giant squid named Heck swimming around Toyama Bay near Tokyo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Jan. 11, 2019, 12:38 p.m.

Using a Fake Hand to Defeat Hand-Vein Biometrics

Nice work: One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example. But with that said, Krissler and Albrecht first...

From Schneier on Security on Jan. 10, 2019, 11:52 a.m.

Security Vulnerabilities in Cell Phone Systems

Good essay on the inherent vulnerabilities in the cell phone standards and the market barriers to fixing them. So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice...

From Schneier on Security on Jan. 9, 2019, 1:05 p.m.

EU Offering Bug Bounties on Critical Open-Source Software

The EU is offering "bug bounties on Free Software projects that the EU institutions rely on." Slashdot thread....

From Schneier on Security on Jan. 8, 2019, 12:13 p.m.

Machine Learning to Detect Software Vulnerabilities

No one doubts that artificial intelligence (AI) and machine learning (ML) will transform cybersecurity. We just don't know how, or when. While the literature generally focuses on the different uses of AI by attackers and defenders -- and the resultant arms race between the two -- I want to talk about software vulnerabilities. All software contains bugs. The reason is...

From Schneier on Security on Jan. 7, 2019, 12:13 p.m.

New Attack Against Electrum Bitcoin Wallets

This is clever: How the attack works: Attacker added tens of malicious servers to the Electrum wallet network. Users of legitimate Electrum wallets initiate a Bitcoin transaction. If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo). User clicks the...

From Schneier on Security on Jan. 4, 2019, 10:16 p.m.

Friday Squid Blogging: The Future of the Squid Market

It's growing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Jan. 3, 2019, 3:09 p.m.

Podcast Interview with Eva Galperin

Nice interview with the EFF's director of cybersecurity, Eva Galperin....

From Schneier on Security on Jan. 2, 2019, 3:29 p.m.

Long-Range Familial Searching Forensics

Good article on using long-range familial searching -- basically, DNA matching of distant relatives -- as a police forensics tool....

From Schneier on Security on Dec. 31, 2018, 11:57 a.m.

China's APT10

Wired has an excellent article on China's APT10 hacking group. Specifically, on how they hacked managed service providers in order to get to their customers' networks. I am reminded of the NSA's "I Hunt Sysadmins" presentation, published by the Intercept....

From Schneier on Security on Dec. 28, 2018, 10:04 p.m.

Friday Squid Blogging: Squid-Focused Menus in Croatia

This is almost over: From 1 December 2018 -- 6 January 2019, Days of Adriatic squid will take place at restaurants all over north-west Istria. Restaurants will be offering affordable full-course menus based on Adriatic squid, combined with quality local olive oil and fine wines. As usual, you can also use this squid post to talk about the security stories...

From Schneier on Security on Dec. 28, 2018, 6:11 p.m.

Click Here to Kill Everybody Available as an Audiobook

Click Here to Kill Everybody is finally available on Audible.com. I have ten download codes. Not having anything better to do with them, here they are: HADQSSFC98WCQ LDLMC6AJLBDJY YWSY8CXYMQNJ6 JWM7SGNUXX7DB UPKAJ6MHB2LEF M85YN36UR926H 9ULE4NFAH2SLF GU7A79GSDCXAT 9K8Q4RX6DKL84 M92GB246XY7JN Congratulations to the first ten people to try to use them....

From Schneier on Security on Dec. 28, 2018, 12:43 p.m.

Massive Ad Fraud Scheme Relied on BGP Hijacking

This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol: Members of 3ve (pronounced "eve") used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human...

From Schneier on Security on Dec. 27, 2018, 12:25 p.m.

Stealing Nativity Displays

The New York Times is reporting on the security measures people are using to protect nativity displays....

From Schneier on Security on Dec. 26, 2018, 12:27 p.m.

Human Rights by Design

Good essay: "Advancing Human-Rights-By-Design In The Dual-Use Technology Industry," by Jonathon Penney, Sarah McKune, Lex Gill, and Ronald J. Deibert: But businesses can do far more than these basic measures. They could adopt a "human-rights-by-design" principle whereby they commit to designing tools, technologies, and services to respect human rights by default, rather than permit abuse or exploitation as part of...

From Schneier on Security on Dec. 25, 2018, 5:17 a.m.

Glitter Bomb against Package Thieves

Stealing packages from unattended porches is a rapidly rising crime, as more of us order more things by mail. One person hid a glitter bomb and a video recorder in a package, posting the results when thieves opened the box. At least, that's what might have happened. At least some of the video was faked, which puts the whole thing...

From Schneier on Security on Dec. 24, 2018, 12:25 p.m.

MD5 and SHA-1 Still Used in 2018

Last week, the Scientific Working Group on Digital Evidence published a draft document -- "SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics" -- where it accepts the use of MD5 and SHA-1 in digital forensics applications: While SWGDE promotes the adoption of SHA2 and SHA3 by vendors and practitioners, the MD5 and...

From Schneier on Security on Dec. 21, 2018, 10:14 p.m.

Friday Squid Blogging: Illegal North Korean Squid Fishing

North Korea is engaged in even more illegal squid fishing than previously. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Dec. 21, 2018, 12:24 p.m.

Drone Denial-of-Service Attack against Gatwick Airport

Someone is flying a drone over Gatwick Airport in order to disrupt service: Chris Woodroofe, Gatwick's chief operating officer, said on Thursday afternoon there had been another drone sighting which meant it was impossible to say when the airport would reopen. He told BBC News: "There are 110,000 passengers due to fly today, and the vast majority of those will...

From Schneier on Security on Dec. 20, 2018, 12:21 p.m.

Fraudulent Tactics on Amazon Marketplace

Fascinating article about the many ways Amazon Marketplace sellers sabotage each other and defraud customers. The opening example: framing a seller for false advertising by buying fake five-star reviews for their products. Defacement: Sellers armed with the accounts of Amazon distributors (sometimes legitimately, sometimes through the black market) can make all manner of changes to a rival's listings, from changing...

From Schneier on Security on Dec. 19, 2018, noon

Congressional Report on the 2017 Equifax Data Breach

The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It's a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned. Lance Spitzner also commented on this. Here is my testimony before the House Subcommittee on Digital Commerce and Consumer Protection last...

From Schneier on Security on Dec. 18, 2018, 12:31 p.m.

Teaching Cybersecurity Policy

Peter Swire proposes a pedagogic framework for teaching cybersecurity policy. Specifically, he makes real the old joke about adding levels to the OSI networking stack: an organizational layer, a government layer, and an international layer....

From Schneier on Security on Dec. 17, 2018, 12:30 p.m.

New Shamoon Variant

A new variant of the Shamoon malware has destroyed significant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem. Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no idea if this new variant is also Iranian in origin,...

From Schneier on Security on Dec. 14, 2018, 4:02 p.m.

Real-Time Attacks Against Two-Factor Authentication

Attackers are targeting two-factor authentication systems: Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real...

From Schneier on Security on Dec. 13, 2018, 10:23 p.m.

Friday Squid Blogging: More Problems with the Squid Emoji

Piling on from last week's post, the squid emoji's siphon is in the wrong place. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Dec. 13, 2018, 12:37 p.m.

Marriott Hack Reported as Chinese State-Sponsored

The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still unconfirmed, but interesting if it is true. Reuters: Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to...

From Schneier on Security on Dec. 12, 2018, 3:18 p.m.

New Australian Backdoor Law

Last week, Australia passed a law (https://www.bbc.com/news/world-australia-46463029) giving the government the ability to demand backdoors in computers and communications systems. Details are still to be defined, but it's really bad. Note: Many people e-mailed me to ask why I haven't blogged this yet. One, I was busy with other things. And two, there's nothing I can say that I haven't said...

From Schneier on Security on Dec. 10, 2018, 3:27 p.m.

2018 Annual Report from AI Now

The research group AI Now just published its annual report. It's an excellent summary of today's AI security challenges, as well as a policy agenda to address them. This is related, and also worth reading....

From Schneier on Security on Dec. 7, 2018, 10 p.m.

Problems with the Squid Emoji

The Monterey Bay Aquarium has some problems with the squid emoji. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Dec. 7, 2018, 6:06 p.m.

Back Issues of the NSA's Cryptolog

Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course. What's new is a nice user interface for the issues, noting highlights and levels of redaction....

From Schneier on Security on Dec. 7, 2018, 4:50 p.m.

Banks Attacked through Malicious Hardware Connected to the Local Network

Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network: In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the...

From Schneier on Security on Dec. 6, 2018, 1:33 p.m.

Your Personal Data is Already Stolen

In an excellent blog post, Brian Krebs makes clear something I have been saying for a while: Likewise for individuals, it pays to accept two unfortunate and harsh realities: Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren't, including your credit card information, Social Security number, mother's...

From Schneier on Security on Dec. 5, 2018, 12:30 p.m.

Security Risks of Chatbots

Good essay on the security risks -- to democratic discourse -- of chatbots....

From Schneier on Security on Dec. 4, 2018, 12:28 p.m.

Bad Consumer Security Advice

There are lots of articles out there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport. To remain anonymous and secure on the Internet, invest in...

From Schneier on Security on Dec. 3, 2018, 12:37 p.m.

The DoJ's Secret Legal Arguments to Break Cryptography

Earlier this year, the US Department of Justice made a series of legal arguments as to why Facebook should be forced to help the government wiretap Facebook Messenger. Those arguments are still sealed. The ACLU is suing to make them public....

From Schneier on Security on Nov. 30, 2018, 10:20 p.m.

Friday Squid Blogging: Japanese Squid-Fishing Towns in Decline

It's a problem: But now, fluctuations in ocean temperatures, years of overfishing and lax regulatory oversight have drastically depleted populations of the translucent squid in waters around Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Nov. 30, 2018, 8:29 p.m.

Click Here to Kill Everybody News

My latest book is doing well. And I've been giving lots of talks and interviews about it. (I can recommend three interviews: the Cyberlaw podcast with Stewart Baker, the Lawfare podcast with Ben Wittes, and Le Show with Harry Shearer.) My book talk at Google is also available. The Audible version was delayed for reasons that were never adequately explained...

From Schneier on Security on Nov. 30, 2018, 2:07 p.m.

Three-Rotor Enigma Machine Up for Auction Today

Sotheby's is auctioning off a (working, I think) three-rotor Enigma machine today. They're expecting it to sell for about $200K. I have an Enigma, but it's without the rotors....

From Schneier on Security on Nov. 30, 2018, 12:28 p.m.

That Bloomberg Supply-Chain-Hack Story

Back in October, Bloomberg reported that China has managed to install backdoors into server equipment that ended up in networks belonging to -- among others -- Apple and Amazon. Pretty much everybody has denied it (including the US DHS and the UK NCSC). Bloomberg has stood by its story -- and is still standing by it. I don't think it's...

From Schneier on Security on Nov. 29, 2018, 12:17 p.m.

FBI Takes Down a Massive Advertising Fraud Ring

The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people: A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with criminal violations for their involvement in perpetrating widespread digital advertising fraud. The charges include...

From Schneier on Security on Nov. 28, 2018, 12:48 p.m.

Distributing Malware By Becoming an Admin on an Open-Source Project

The module "event-stream" was infected with malware by an anonymous someone who became an admin on the project. Cory Doctorow points out that this is a clever new attack vector: Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lot of new bugs being found, and the contributors...

From Schneier on Security on Nov. 27, 2018, 1:43 p.m.

Propaganda and the Weakening of Trust in Government

On November 4, 2016, the hacker "Guccifer 2.0," a front for Russia's military intelligence service, claimed in a blogpost that the Democrats were likely to use vulnerabilities to hack the presidential elections. On November 9, 2018, President Donald Trump started tweeting about the senatorial elections in Florida and Arizona. Without any evidence whatsoever, he said that Democrats were trying to...

From Schneier on Security on Nov. 26, 2018, 12:54 p.m.

How Surveillance Inhibits Freedom of Expression

In my book Data and Goliath, I write about the value of privacy. I talk about how it is essential for political liberty and justice, and for commercial fairness and equality. I talk about how it increases personal freedom and individual autonomy, and how the lack of it makes us all less secure. But this is probably the most important...

From Schneier on Security on Nov. 23, 2018, 10:05 p.m.

Friday Squid Blogging: Good Squid Fishing in the Exmouth Gulf

The conditions are ideal for squid fishing in the Exmouth Gulf in West Australia. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Nov. 23, 2018, 12:11 p.m.

Using Machine Learning to Create Fake Fingerprints

Researchers are able to create fake fingerprints that result in a 20% false-positive rate. The problem is that these sensors obtain only partial images of users' fingerprints -- at the points where they make contact with the scanner. The paper noted that since partial prints are not as distinctive as complete prints, the chances of one partial print getting matched...

From Schneier on Security on Nov. 21, 2018, 1:48 p.m.

Information Attacks against Democracies

Democracy is an information system. That's the starting place of our new paper: "Common-Knowledge Attacks on Democracy." In it, we look at democracy through the lens of information security, trying to understand the current waves of Internet disinformation attacks. Specifically, we wanted to explain why the same disinformation campaigns that act as a stabilizing influence in Russia are destabilizing in...

From Schneier on Security on Nov. 20, 2018, 12:44 p.m.

The PCLOB Needs a Director

The US Privacy and Civil Liberties Oversight Board is looking for a director. Among other things, this board has some oversight role over the NSA. More precisely, it can examine what any executive-branch agency is doing about counterterrorism. So it can examine the program of TSA watchlists, NSA anti-terrorism surveillance, and FBI counterterrorism activities. The PCLOB was established in 2004...

From Schneier on Security on Nov. 19, 2018, 12:50 p.m.

What Happened to Cyber 9/11?

A recent article in the Atlantic asks why we haven't seen a "cyber 9/11" in the past fifteen or so years. (I, too, remember the increasingly frantic and fearful warnings of a "cyber Pearl Harbor," "cyber Katrina" -- when that was a thing -- or "cyber 9/11." I made fun of those warnings back then.) The author's answer: Three main barriers...

From Schneier on Security on Nov. 18, 2018, 7:12 p.m.

Worst-Case Thinking Breeds Fear and Irrationality

Here's a crazy story from the UK. Basically, someone sees a man and a little girl leaving a shopping center. Instead of thinking "it must be a father and daughter, which happens millions of times a day and is perfectly normal," he thinks "this is obviously a case of child abduction and I must alert the authorities immediately." And the...

From Schneier on Security on Nov. 18, 2018, 12:26 p.m.

Israeli Surveillance Gear

The Israeli Defense Force mounted a botched raid in Gaza. They were attempting to install surveillance gear, which they ended up leaving behind. (There are photos -- scroll past the video.) Israeli media is claiming that the capture of this gear by Hamas causes major damage to Israeli electronic surveillance capabilities. The Israelis themselves destroyed the vehicle the commandos used...

From Schneier on Security on Nov. 16, 2018, 10:05 p.m.

Friday Squid Blogging: Squid Sculptures

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Nov. 16, 2018, 8:11 p.m.

Mailing Tech Support a Bomb

I understand his frustration, but this is extreme: When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb -- or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package -- the only thing the company could think of was that it had declined his request for a...

From Schneier on Security on Nov. 16, 2018, 12:02 p.m.

Hidden Cameras in Streetlights

Both the US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) are hiding surveillance cameras in streetlights. According to government procurement data, the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for "video recording and reproducing equipment." ICE paid out about $28,000 to Cowboy Streetlight Concealments over the same...

From Schneier on Security on Nov. 15, 2018, 12:24 p.m.

Chip Cards Fail to Reduce Credit Card Fraud in the US

A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept...

From Schneier on Security on Nov. 14, 2018, 9:30 p.m.

More Spectre/Meltdown-Like Attacks

Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In...

From Schneier on Security on Nov. 14, 2018, 2:03 p.m.

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018. I'm appearing on IBM Resilient's End of Year Review webinar on "The Top Cyber Security Trends in 2018 and Predictions for the Year Ahead," December 6, 2018 at 12:00 PM EST. I'm giving a...

From Schneier on Security on Nov. 14, 2018, 12:46 p.m.

Oracle and "Responsible Disclosure"

I've been writing about "responsible disclosure" for over a decade; here's an essay from 2007. Basically, it's a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to harass researchers and fix the vulnerabilities quickly. When that agreement breaks down, things go bad quickly. This...

From Schneier on Security on Nov. 13, 2018, 1:04 p.m.

New IoT Security Regulations

Due to ever-evolving technological advances, manufacturers are connecting consumer goods -- from toys to lightbulbs to major appliances -- to the internet at breakneck speeds. This is the Internet of Things, and it's a security nightmare. The Internet of Things fuses products with communications technology to make daily life more effortless. Think Amazon's Alexa, which not only answers questions and...

From Schneier on Security on Nov. 12, 2018, 12:17 p.m.

Hiding Secret Messages in Fingerprints

This is a fun steganographic application: hiding a message in a fingerprint image. Can't see any real use for it, but that's okay....

From Schneier on Security on Nov. 9, 2018, 10:07 p.m.

Friday Squid Blogging: Australian Fisherman Gets Inked

Pretty good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Nov. 9, 2018, 7:52 p.m.

The Pentagon is Publishing Foreign Nation-State Malware

This is a new thing: The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape. This feels like an example of the US's new strategy of actively harassing...

From Schneier on Security on Nov. 9, 2018, 12:04 p.m.

Privacy and Security of Data at Universities

Interesting paper: "Open Data, Grey Data, and Stewardship: Universities at the Privacy Frontier," by Christine Borgman: Abstract: As universities recognize the inherent value in the data they collect and hold, they encounter unforeseen challenges in stewarding those data in ways that balance accountability, transparency, and protection of privacy, academic freedom, and intellectual property. Two parallel developments in academic data collection...

From Schneier on Security on Nov. 8, 2018, 12:35 p.m.

iOS 12.1 Vulnerability

This is really just to point out that computer security is really hard: Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone user's contact information with no need for a passcode. [...] A bad actor would need physical access to...

From Schneier on Security on Nov. 7, 2018, 12:39 p.m.

Consumer Reports Reviews Wireless Home-Security Cameras

Consumer Reports is starting to evaluate the security of IoT devices. As part of that, it's reviewing wireless home-security cameras. It found significant security vulnerabilities in D-Link cameras: In contrast, D-Link doesn't store video from the DCS-2630L in the cloud. Instead, the camera has its own, onboard web server, which can deliver video to the user in different ways. Users...

From Schneier on Security on Nov. 6, 2018, 12:51 p.m.

Security of Solid-State-Drive Encryption

Interesting research: "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)": Abstract: We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many...

From Schneier on Security on Nov. 5, 2018, 4:24 p.m.

Troy Hunt on Passwords

Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when...

From Schneier on Security on Nov. 2, 2018, 9:08 p.m.

Friday Squid Blogging: Eating More Squid

This research paper concludes that we'll be eating more squid in the future. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Nov. 2, 2018, 11:01 a.m.

How to Punish Cybercriminals

Interesting policy paper by Third Way: "To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors": In this paper, we argue that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers. We show that: There is a burgeoning cybercrime wave: A rising and often unseen crime wave...

From Schneier on Security on Nov. 1, 2018, 11:18 a.m.

Buying Used Voting Machines on eBay

This is not surprising: This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines -- those that were used in the 2016 election -- are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones....

From Schneier on Security on Oct. 31, 2018, 5:44 p.m.

Was the Triton Malware Attack Russian in Origin?

The conventional story is that Iran targeted Saudi Arabia with Triton in 2017. New research from FireEye indicates that it might have been Russia. I don't know. FireEye likes to attribute all sorts of things to Russia, but the evidence here looks pretty good....

From Schneier on Security on Oct. 31, 2018, 11:53 a.m.

ID Systems Throughout the 50 States

Jim Harper at CATO has a good survey of state ID systems in the US....

From Schneier on Security on Oct. 30, 2018, 11:38 a.m.

Cell Phone Security and Heads of State

Earlier this week, the New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cell phone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potential security vulnerabilities in Trump's cell phone use since he became president. And President Barack...

From Schneier on Security on Oct. 29, 2018, 8:19 p.m.

More on the Supermicro Spying Story

I've blogged twice about the Bloomberg story that China bugged Supermicro networking equipment destined for the US. We still don't know if the story is true, although I am increasingly skeptical because of the lack of corroborating evidence to emerge. We don't know anything more, but this is the most comprehensive rebuttal of the story I have read....

From Schneier on Security on Oct. 29, 2018, 11:18 a.m.

Security Vulnerability in Internet-Connected Construction Cranes

This seems bad: The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane. "These devices use fixed codes that are reproducible by sniffing and re-transmission,"...

From Schneier on Security on Oct. 26, 2018, 10:02 p.m.

Friday Squid Blogging: Squid Falsely Labeled as Octopus

Two New Yorkers have been charged with importing squid from Peru and then reselling it as octopus. Yet another problem that a blockchain-enabled supply-chain system won't solve. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Oct. 26, 2018, 3:01 p.m.

Detecting Deep Fakes

This story nicely illustrates the arms race between technologies to create fake videos and technologies to detect fake videos: These fakes, while convincing if you watch a few seconds on a phone screen, aren't perfect (yet). They contain tells, like creepily ever-open eyes, from flaws in their creation process. In looking into DeepFake's guts, Lyu realized that the images that...

From Schneier on Security on Oct. 25, 2018, 12:49 p.m.

Android Ad-Fraud Scheme

BuzzFeed is reporting on a scheme where fraudsters buy legitimate Android apps, track users' behavior in order to mimic it in a way that evades bot detectors, and then use bots to perpetuate an ad-fraud scheme. After being provided with a list of the apps and websites connected to the scheme, Google investigated and found that dozens of the apps...

From Schneier on Security on Oct. 24, 2018, noon

China's Hacking of the Border Gateway Protocol

This is a long -- and somewhat technical -- paper by Chris C. Demchak and Yuval Shavitt about China's repeated hacking of the Internet Border Gateway Protocol (BGP): "China's Maxim -- Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking." BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to...

From Schneier on Security on Oct. 23, 2018, 12:39 p.m.

On Disguise

The former CIA Chief of Disguise has a fascinating video about her work....

From Schneier on Security on Oct. 22, 2018, 2:13 p.m.

Are the Police using Smart-Home IoT Devices to Spy on People?

IoT devices are surveillance devices, and manufacturers generally use them to collect data on their customers. Surveillance is still the business model of the Internet, and this data is used against the customers' interests: either by the device manufacturer or by some third party the manufacturer sells the data to. Of course, this data can be used by the police as...

From Schneier on Security on Oct. 19, 2018, 10 p.m.

Friday Squid Blogging: Roasted Squid with Tomatillo Salsa

Recipe and commentary. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Oct. 19, 2018, 12:17 p.m.

West Virginia Using Internet Voting

This is crazy (and dangerous). West Virginia is allowing people to vote via a smart-phone app. Even crazier, the app uses blockchain -- presumably because they have no idea what the security issues with voting actually are....

From Schneier on Security on Oct. 18, 2018, 12:27 p.m.

Government Perspective on Supply Chain Security

This is an interesting interview with a former NSA employee about supply chain security. I consider this to be an insurmountable problem right now....

From Schneier on Security on Oct. 16, 2018, 12:04 p.m.

Privacy for Tigers

Ross Anderson has some new work: As mobile phone masts went up across the world's jungles, savannas and mountains, so did poaching. Wildlife crime syndicates can not only coordinate better but can mine growing public data sets, often of geotagged images. Privacy matters for tigers, for snow leopards, for elephants and rhinos -- and even for tortoises and sharks. Animal...

From Schneier on Security on Oct. 15, 2018, 3:34 p.m.

How DNA Databases Violate Everyone's Privacy

If you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. Research paper: "Identity inference of genomic data using long-range familial searches." Abstract: Consumer genomics databases have reached the scale of millions of...

From Schneier on Security on Oct. 14, 2018, 12:01 p.m.

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking at Data in Smarter Cities in New York City on October 23, 2018. I'm speaking at the Cyber Security Summit in Minneapolis, Minnesota on October 24, 2018. I'm speaking at ISF's 29th Annual World Congress in Las Vegas, Nevada on October 30, 2018. I'm...

From Schneier on Security on Oct. 12, 2018, 10:01 p.m.

Friday Squid Blogging: Eat Less Squid

The UK's Marine Conservation Society is urging people to eat less squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

From Schneier on Security on Oct. 12, 2018, 2:14 p.m.

Security in a World of Physically Capable Computers

It's no secret that computers are insecure. Stories like the recent Facebook hack, the Equifax hack and the hacking of government agencies are remarkable for how unremarkable they really are. They might make headlines for a few days, but they're just the newsworthy tip of a very large iceberg. The risks are about to get worse, because computers are being...

From Schneier on Security on Oct. 11, 2018, 12:29 p.m.

Another Bloomberg Story about Supply-Chain Hardware Attacks from China

Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. (I linked to other commentary and analysis here.) Again, I have no idea what's true....