The Mirai worm is gnawing its way through the Internet of Things and will not stop

The Mirai worm made its way into information security lore in September, when it was identified as the source of the punishing flood of junk traffic launched against Brian Krebs in retaliation for his investigative reporting about a couple of petty Israeli criminals; subsequent analysis showed Mirai to be amateurish and clumsy, and despite this, it went on to infect devices all over the world, gaining virulence as it hybridized with other Internet of Things worms, endangering entire countries, growing by leaps and bounds, helped along by negligent engineering practices at major companies like Sony.

12 days of two-factor authentication: this Xmas, give yourself the gift of opsec

The Electronic Frontier Foundation has launched a new series, 12 Days of 2FA, in which every installment explains how to turn on two-factor authentication for a range of online services and platforms.

For two years, criminals stole sensitive information using malware hidden in individual pixels of ad banners

Eset's report on Stegano, a newly discovered exploit kit, reveals an insanely clever, paranoid, and devastatingly effective technique used by criminals to infect their victims' computers by hiding malicious code in plain sight on websites that accepted their innocuous-seeming banner ads.

Mr Robot has driven a stake through the Hollywood hacker, and not a moment too soon

Mr Robot is the most successful example of a small but fast-growing genre of "techno-realist" media, where the focus is on realistic portrayals of hackers, information security, surveillance and privacy, and it represents a huge reversal on the usual portrayal of hackers and computers as convenient plot elements whose details can be finessed to meet the story's demands, without regard to reality.

Not just crapgadgets: Sony's enterprise CCTV can be easily hacked by IoT worms like Mirai

The unprecedented denial-of-service attacks powered by the Mirai Internet of Things worm have harnessed crappy, no-name CCTVs, PVRs, and routers to launch unstoppable floods of internet noise, but it's not just faceless Chinese businesses that crank out containerloads of vulnerable, defective-by-design gear -- it's also name brands like Sony.

UK cops beat phone encryption by "mugging" suspect after he unlocked his phone

Detectives from Scotland Yard's cybercrime unit decided the easiest way to get around their suspect's careful use of full-disk encryption and strong passphrases on his iPhone was to trail him until he made a call, then "mug" him by snatching his phone and then tasking an officer to continuously swipe at the screen to keep it from going to sleep, which would reactivate the disk encryption.

How governments and cyber-militias attack civil society groups, and what they can do about it

The University of Toronto's Citizen Lab (previously) is one of the world's leading research centers for cybersecurity analysis, and they are the first port of call for many civil society groups when they are targeted by governments and cyber-militias.

Crooks can guess Visa card details in six seconds by querying lots of websites at once

In Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?, a new paper in IEEE Security & Privacy, researchers from the University of Newcastle demonstrate a technique for guessing security details for credit-card numbers in six seconds -- attackers spread their guesses out across many websites at once, so no website gets enough bad guesses to lock the card or trigger a fraud detection system.

My keynote from the O'Reilly Security Conference: "Security and feudalism: Own or be pwned"

Here's the 32 minute video of my presentation at last month's O'Reilly Security Conference in New York, "Security and feudalism: Own or be pwned."

UK reports of webcam blackmail (sextortion, RATting, etc) more than double in 2016

So far 864 people in the UK have reported instances of "webcam blackmail" to police in 2016, more than double the number of reported incidents in 2015.

The hacker who took over San Francisco's Muni got hacked

Last week, the San Francisco Municipal Light Rail system (the Muni) had to stop charging passengers to ride because a ransomware hacker had taken over its network and encrypted the drives of all of its servers.

The Snoopers Charter gives these 48 organisations unlimited, secret access to all UK browsing history

With the passage of the Snoopers Charter earlier this month, the UK has become the most-surveilled "democratic" state in the world, where service providers are required to retain at least a year's worth of their customers' browsing history and make it searchable, without a warrant, to a variety of agencies -- and no records are kept of these searches, making it virtually impossible to detect petty vendetta-settling, stalking, or systemic abuses (including selling access to criminals, foreign governments, and institutionalised racism).

Two hackers are selling DDoS attacks from 400,000 IoT devices infected with the Mirai worm

The Mirai worm -- first seen attacking security journalist Brian Krebs with 620gbps floods, then taking down Level 3, Dyn and other hardened, well-provisioned internet giants, then spreading to every developed nation on Earth (and being used to take down some of those less-developed nations) despite being revealed as clumsy and amateurish (a situation remedied shortly after by hybridizing it with another IoT worm) -- is now bigger than ever, and you can rent time on it to punish journalists, knock countries offline, or take down chunks of the core internet.

Ransomware creep accidentally hijacks San Francisco Muni, won't give it back

A ransomware criminal's self-reproducing malicious software spread through a critical network used by the San Francisco light rail system, AKA the Muni, and shut it down; the anonymous criminal -- cryptom27@yandex.com -- says they won't give it back until they get paid.

Alex Halderman: we will never know if the Wisconsin vote was hacked unless we check now

Alex Halderman has clarified his earlier remarks about the integrity of the Wisconsin election. In a nutshell: voting machine security sucks; hackers played an unprecedented role in this election; there are statistical irregularities in the votes recorded on software-based touchscreen machines and the votes registered with paper ballots counted by optical scanners, so why the hell wouldn't we check into this?

Wisconsin: America's top voting-machine security expert says count was irregular; Fed judge says gerrymandering was unconstitutional

University of Michigan prof J Alex Halderman (previously) is one of America's top experts on voting machine security (see this, for example), and he's issued a joint statement with voting-rights attorney John Bonifaz to the Clinton campaign, advising them to ask for a recount of the Wisconsin votes.

Listening to users is the first step in making them secure

Quinn Norton's lecture A Network of Sorrows: Small Adversaries and Small Allies at Hack.lu (helpfully transcribed by the Open Transcripts folks!) is a great call-to-arms for user-centered security.
