Inside Secure threatens security researcher who demonstrated product flaws

Martin Holst Swende maintains a free/open tool for testing software that uses the (notoriously flawed) Iclass Software, which is used by Inside Secure for its RFID-based access systems.

Read the rest

Infosec Taylor Swift's cyber-philosophical musings

Do you like your cyberphilosophy delivered via the dulcet voice of America's country music treasure Taylor Swift? Head over to Twitter and follow @SwiftOnSecurity. Below are a few of her most incisive critiques of techno-utopianism.

Read the rest

What's the best way to weaken crypto?


Daniel Bernstein, the defendant in the landmark lawsuit that legalized cryptography (over howls of protest from the NSA) engages in a thought-experiment about how the NSA might be secretly undermining crypto through sabotage projects like BULLRUN/EDGEHILL.

Making sure crypto stays insecure [PDF/Daniel J Bernstein]

(via O'Reilly Radar)

FBI chief demands an end to cellphone security

If your phone is designed to be secure against thieves, voyeurs, and hackers, it'll also stop spies and cops. So the FBI has demanded that device makers redesign their products so that they -- and anyone who can impersonate them -- can break into them at will.

Read the rest

Darkmatter: a secure Paranoid Android version that hides from attackers

Stock Android phones with the Darkmatter OS use encrypted storage, OS-level app controls, and secure messaging by default, but if the phone thinks it's under attack, it dismounts all the encrypted stuff and reboots as a stock Android phone with no obvious hints that its owner has anything hidden on it.

Read the rest

Malware needs to know if it's in the Matrix


Once a security researcher discovers a new strain of malicious software -- running a virtual machine on a test-bench -- and adds its signature to anti-virus and network monitor blacklists, it's game over. So today's malware devotes enormous energy to figuring out if it's running on a real computer, or inside one of its enemies' virtual worlds.

Read the rest

Fixing the unfixable USB bug


Security experts have been haunted by the prospect of unpatchable, potent, fundamental bug in USB devices; the tension only heightened when sourcecode for an exploit went live last week.

Read the rest

Sore losers: How casinos went after two guys who found a video poker bug


John Kane, who'd lost a fortune to Video King machines, discovered a subtle bug that let him win big -- so the casinos put him in handcuffs.

Read the rest

Petition: make it safe to report security flaws in computers


Laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act put security researchers at risk of felony prosecution for telling you about bugs in the computers you put your trust in, turning the computers that know everything about us and watch everything we do into reservoirs of long-lived pathogens that governments, crooks, cops, voyeurs and creeps can attack us with.

Read the rest

Sourcecode for "unpatchable" USB exploit now on Github


Last summer's Black Hat presentation on "Badusb" by Karsten Nohl alerted the world to the possibility that malware could be spread undetectably by exploiting the reprogrammable firmware in USB devices -- now, a second set of researchers have released the code to let anyone try it out for themselves.

Read the rest

Mobile malware infections race through Hong Kong's Umbrella Revolution


The protesters are dependent on mobile apps to coordinate their huge, seemingly unstoppable uprising, and someone -- maybe the Politburo, maybe a contractor -- has released virulent Ios and Android malware into their cohort, and the pathogens are blazing through their electronic ecosystem.

Read the rest

Smart thermostat makes dumb security mistakes

Andrew Tierney had a close look at Heatmiser's popular wifi-enabled thermostat and found it to be riddled with security vulnerabilities.

Read the rest

Tabnapping: a new phishing attack [2010]

Aza Raskin's Tabnapping is a proof-of-concept for a fiendish attack: a tab that waits until you're not watching, then turns itself into a convincing Google login screen that you assume you must have opened.

Read the rest

Free cybersecurity MOOC


The Open University's "Introduction to Cyber Security" is a free online course -- with optional certificate -- that teaches the fundamentals of crypto, information security, and privacy; I host the series, which starts on Oct 13."

Read the rest

Fake, phone-attacking cell-towers are all across America


The towers attack the baseband radio in your phone and use it to hack the OS; they're only visible if you're using one of the customized, paranoid-Android, post-Snowden secure phones, and they're all around US military bases.

Read the rest