Schneier on Security

Friday Squid Blogging: Vulnerabilities in Squid Server

Schneier on Security - Fri, 08/23/2019 - 7:19pm
It's always nice when I can combine squid and security: Multiple versions of the Squid web proxy cache server built with Basic Authentication features are currently vulnerable to code execution and denial-of-service (DoS) attacks triggered by the exploitation of a heap buffer overflow security flaw. The vulnerability present in Squid 4.0.23 through 4.7 is caused by incorrect buffer management which... Bruce Schneier
Categories: Schneier on Security

License Plate "NULL"

Schneier on Security - Fri, 08/23/2019 - 7:19am
There was a DefCon talk by someone with the vanity plate "NULL." The California system assigned him every ticket with no license plate: $12,000. Although the initial $12,000-worth of fines were removed, the private company that administers the database didn't fix the issue and new NULL tickets are still showing up. The unanswered question is: now that he has a... Bruce Schneier
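The failure mode behind this story, as an added illustration that is not the DMV contractor's code and does not reproduce its actual schema: a data pipeline that writes a missing plate as the literal text NULL, so every ticket with no plate later matches the real "NULL" vanity plate when fines are totalled by plate. The corrected version keeps "no plate" as a distinct empty value end to end and never matches plate-less records to anyone. The citation records and dollar amounts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Citation:
    citation_id: int
    plate: Optional[str]  # None when the officer recorded no plate
    amount: int


# Constructed sample data, not real citation records.
SAMPLE = [
    Citation(1, "NULL", 60),     # the vanity plate from the talk
    Citation(2, None, 200),      # no plate recorded
    Citation(3, None, 150),      # no plate recorded
    Citation(4, "7ABC123", 90),  # unrelated vehicle
]


def export_buggy(citations: List[Citation]) -> List[str]:
    """Flat-file export that writes a missing plate as the text NULL.

    This is the bug: once the record is re-read, nothing distinguishes
    "no plate" from a vehicle whose plate really reads NULL.
    """
    return [
        f"{c.citation_id},{c.plate if c.plate is not None else 'NULL'},{c.amount}"
        for c in citations
    ]


def export_fixed(citations: List[Citation]) -> List[str]:
    """Same export, but a missing plate stays an empty field."""
    return [f"{c.citation_id},{c.plate or ''},{c.amount}" for c in citations]


def import_rows(rows: List[str]) -> List[Citation]:
    """Parse the export back.

    An empty plate field becomes None; any non-empty text, including the
    string 'NULL', is taken at face value as a real plate.
    """
    out = []
    for row in rows:
        cid, plate, amount = row.split(",")
        out.append(Citation(int(cid), plate if plate != "" else None, int(amount)))
    return out


def fines_for_plate(plate: str, citations: List[Citation]) -> int:
    """Total fines billed to the registered owner of `plate`.

    Records with no plate are never matched to anyone: the `is not None`
    check is what keeps plate-less tickets out of every owner's bill.
    """
    return sum(c.amount for c in citations if c.plate is not None and c.plate == plate)


def total_billed(plate: str, exporter: Callable[[List[Citation]], List[str]]) -> int:
    """Run the sample data through an export/import round trip and bill `plate`."""
    return fines_for_plate(plate, import_rows(exporter(SAMPLE)))


if __name__ == "__main__":
    print("buggy pipeline bills NULL:", total_billed("NULL", export_buggy))  # 410
    print("fixed pipeline bills NULL:", total_billed("NULL", export_fixed))  # 60
```

The second half of the story follows from the same code: clearing the wrongly attributed records fixes the data once, but as long as `export_buggy` stays in the pipeline, every new plate-less ticket is re-attributed to the NULL plate on the next import.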

Modifying a Tesla to Become a Surveillance Platform

Schneier on Security - Thu, 08/22/2019 - 6:21am
From DefCon: At the Defcon hacker conference today, security researcher Truman Kain debuted what he calls the Surveillance Detection Scout. The DIY computer fits into the middle console of a Tesla Model S or Model 3, plugs into its dashboard USB port, and turns the car's built-in cameras -- the same dash and rearview cameras providing a 360-degree view used... Bruce Schneier

Google Finds 20-Year-Old Microsoft Windows Vulnerability

Schneier on Security - Wed, 08/21/2019 - 7:46am
There's no indication that this vulnerability was ever used in the wild, but the code it was discovered in -- Microsoft's Text Services Framework -- has been around since Windows XP.... Bruce Schneier

Surveillance as a Condition for Humanitarian Aid

Schneier on Security - Tue, 08/20/2019 - 7:45am
Excellent op-ed on the growing trend to tie humanitarian aid to surveillance. Despite the best intentions, the decision to deploy technology like biometrics is built on a number of unproven assumptions, such as, technology solutions can fix deeply embedded political problems. And that auditing for fraud requires entire populations to be tracked using their personal data. And that experimental technologies... Bruce Schneier

Influence Operations Kill Chain

Schneier on Security - Mon, 08/19/2019 - 7:14am
Influence operations are elusive to define. The Rand Corp.'s definition is as good as any: "the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent." Basically, we know it when we see it, from bots controlled by the Russian Internet Research Agency to Saudi attempts to... Bruce Schneier

Friday Squid Blogging: Robot Squid Propulsion

Schneier on Security - Fri, 08/16/2019 - 5:05pm
Interesting research: The squid robot is powered primarily by compressed air, which it stores in a cylinder in its nose (do squids have noses?). The fins and arms are controlled by pneumatic actuators. When the robot wants to move through the water, it opens a valve to release a modest amount of compressed air; releasing the air all at once... Bruce Schneier

Software Vulnerabilities in the Boeing 787

Schneier on Security - Fri, 08/16/2019 - 7:12am
Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities: At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS... Bruce Schneier

Bypassing Apple FaceID's Liveness Detection Feature

Schneier on Security - Thu, 08/15/2019 - 7:19am
Apple's FaceID has a liveness detection feature, which prevents someone from unlocking a victim's phone by putting it in front of his face while he's sleeping. That feature has been hacked: Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair... Bruce Schneier

Side-Channel Attack against Electronic Locks

Schneier on Security - Wed, 08/14/2019 - 1:36pm
Several high-security electronic locks are vulnerable to side-channel attacks involving power monitoring.... Bruce Schneier

Attorney General Barr and Encryption

Schneier on Security - Wed, 08/14/2019 - 7:18am
Last month, Attorney General William Barr gave a major speech on encryption policy -- what is commonly known as "going dark." Speaking at Fordham University in New York, he admitted that adding backdoors decreases security but that it is worth it. Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access.... Bruce Schneier

Exploiting GDPR to Get Private Information

Schneier on Security - Tue, 08/13/2019 - 7:17am
A researcher abused the GDPR to get information on his fiancee: It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased... Bruce Schneier

Evaluating the NSA's Telephony Metadata Program

Schneier on Security - Mon, 08/12/2019 - 7:14am
Interesting analysis: "Examining the Anomalies, Explaining the Value: Should the USA FREEDOM Act's Metadata Program be Extended?" by Susan Landau and Asaf Lubin. Abstract: The telephony metadata program which was authorized under Section 215 of the PATRIOT Act, remains one of the most controversial programs launched by the U.S. Intelligence Community (IC) in the wake of the 9/11 attacks. Under... Bruce Schneier

Friday Squid Blogging: Sinuous Asperoteuthis Mangoldae Squid

Schneier on Security - Fri, 08/09/2019 - 5:12pm
Great video of the Sinuous Asperoteuthis Mangoldae Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

Supply-Chain Attack against the Electron Development Platform

Schneier on Security - Thu, 08/08/2019 - 12:11pm
Electron is a cross-platform development system for many popular communications apps, including Skype, Slack, and WhatsApp. Security vulnerabilities in the update system allow someone to silently inject malicious code into applications. From a news article: At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack... Bruce Schneier

AT&T Employees Took Bribes to Unlock Smartphones

Schneier on Security - Thu, 08/08/2019 - 7:22am
This wasn't a small operation: A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US on Friday and is being detained pending trial. An indictment alleges that "Fahd recruited... Bruce Schneier

Brazilian Cell Phone Hack

Schneier on Security - Wed, 08/07/2019 - 11:48am
I know there's a lot of politics associated with this story, but concentrate on the cybersecurity aspect for a moment. The cell phones of a thousand Brazilians, including senior government officials, were hacked -- seemingly by actors much less sophisticated than rival governments. Brazil's federal police arrested four people for allegedly hacking 1,000 cellphones belonging to various government officials, including... Bruce Schneier

Phone Farming for Ad Fraud

Schneier on Security - Tue, 08/06/2019 - 7:20am
Interesting article on people using banks of smartphones to commit ad fraud for profit. No one knows how prevalent ad fraud is on the Internet. I believe it is surprisingly high -- here's an article that places losses between $6.5 and $19 billion annually -- and something companies like Google and Facebook would prefer remain unresearched.... Bruce Schneier

Regulating International Trade in Commercial Spyware

Schneier on Security - Mon, 08/05/2019 - 10:14am
Siena Anstis, Ronald J. Deibert, and John Scott-Railton of Citizen Lab published an editorial calling for regulating the international trade in commercial surveillance systems until we can figure out how to curb human rights abuses. Any regime of rigorous human rights safeguards that would make a meaningful change to this marketplace would require many elements, for instance, compliance with the U.N.... Bruce Schneier

Friday Squid Blogging: Piglet Squid Video

Schneier on Security - Fri, 08/02/2019 - 5:20pm
Really neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier