Bruce Schneier on the coming IoT security dumpster-fire


Bruce Schneier warns us that the Internet of Things security dumpster-fire isn't just bad laptop security for thermostats: rather, the combination of "software control" (of an ever-widening pool of technologies), interconnection, and autonomy (systems designed to act without human intervention, often responding faster than humans possibly could) creates an urgency around security questions and a threat the like of which we've never seen.

EFF is suing the US government to invalidate the DMCA's DRM provisions


The Electronic Frontier Foundation has just filed a lawsuit challenging the constitutionality of Section 1201 of the DMCA, the law's "Digital Rights Management" provision, a notoriously overbroad rule that bans activities that bypass or weaken copyright access-control systems, including reconfiguring software-enabled devices (making sure your IoT light-socket will accept third-party lightbulbs; tapping into diagnostic info in your car or tractor to allow an independent party to repair it) and reporting security vulnerabilities in these devices.

Ed Snowden and Andrew "bunnie" Huang announce a malware-detecting smartphone case


Exiled NSA whistleblower Edward Snowden and legendary hardware hacker Andrew "bunnie" Huang have published a paper detailing their new "introspection engine" for the iPhone, an external hardware case that clips over the phone and probes its internal components with a miniature oscilloscope that reads all the radio traffic in and out of the device to see whether malicious software is secretly keeping the radio on after you put it in airplane mode.

Baseband vulnerability could mean undetectable, unblockable attacks on mobile phones


The baseband firmware in your phone is the outermost layer of software, the "bare metal" code that has to be implicitly trusted by the phone's operating system and apps to work; a flaw in that firmware means that attackers can do scary things to your phone that the phone itself can't detect or defend against.

For 90 years, lightbulbs were designed to burn out. Now that's coming to LED bulbs.


In 1924, representatives of the world's leading lightbulb manufacturers formed Phoebus, a cartel that fixed the average life of an incandescent bulb at 1,000 hours, ensuring that people would have to regularly buy bulbs and keep the manufacturers in business.

"Security is what happens to people, not machines"


Eleanor Saitta (previously) -- a security researcher who's done extensive work training vulnerable groups in information security and is now security architect for Etsy -- appears on the most recent O'Reilly Security podcast (MP3), discussing a human-centered approach to security, design and usability that I found to be an accessible and concise critique of mainstream security thinking and an inspiring direction for security practitioners.

Black-hat hacker handles are often advertisements


When Bruce Sterling wrote his seminal book The Hacker Crackdown -- a history of the rise of hackers, the passage of the first anti-hacking laws, and the formation of the Electronic Frontier Foundation -- most of the hackers he chronicled had handles that were a combination of playfulness and menace, like Phiber Optik, Scorpion and Acid Phreak.

Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites


When it comes to accessing public websites, Tor has an intrinsic security problem: though the nodes between your computer and the public internet are unable to see where the traffic is coming from or going to, the final hop in the network (known as an exit node) gets to know what webserver you are connecting to.

"Dark Overlord"'s health record dumps were calculated, reputation-building spectacles


"The Dark Overlord" is a hacker who's made headlines by advertising the availability of millions of health records on darknet sites, sending samples to news outlets to validate their authenticity; in an interview with Motherboard's Joseph Cox, Dark Overlord reveals that the disclosures are timed to put pressure on other victims to pay ransoms to guarantee that their stolen data won't leak.

DoJ report: less than a quarter of one percent of wiretaps encounter any crypto


Despite all the scare talk from the FBI and the US intelligence services about terrorists "going dark" and using encrypted communications to talk with one another, the reality is that criminals are using crypto less than ever, according to the DoJ's own numbers.

Always-on CCTVs with no effective security harnessed into massive, unstoppable botnet


When security firm Sucuri investigated the source of a 50,000-request/second DDoS attack on a jewelry shop, they discovered to their surprise that the attacks originated from a botnet made up of more than 25,500 hacked CCTV cameras in 105 countries.

Healthcare workers prioritize helping people over information security (disaster ensues)


In Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, security researchers from Penn, Dartmouth and USC conducted an excellent piece of ethnographic research on health workers, shadowing them as they moved through their work environments, blithely ignoring, circumventing and sabotaging the information security measures imposed by their IT departments, because in so doing, they were saving lives.

Fansmitter: malware that exfiltrates data from airgapped computers by varying the sound of their fans


In a new paper, researchers from Ben-Gurion University demonstrate a fiendishly clever procedure for getting data off of airgapped computers that have had their speakers removed to prevent acoustic data-transmission: instead of playing sound through the target computer's speakers, they attack its fans, varying their speeds to produce subtle sounds that humans can barely notice, but which nearby devices can pick up through their microphones.

Rubber fingertips to use with fingerprint-based authentication systems


Mian Wei, a Chinese student at the Rhode Island School of Design, has created an experimental series of fake fingertips with randomly generated fingerprints that work with Apple and Android fingerprint authentication schemes, as well as many others.

Phishing for Bitcoin with fake 0-days


Arriving in my inbox at a steady clip this morning: a series of phishing emails aimed at Bitcoiners, claiming that the sender has found a bug in "the Bitcoin client" and promising "Pay 0.07 BTC today, get 10 BTC for 15 hours."

Student journalists: 5 days left to win a badge to NYC's Hackers on Planet Earth!


If you're a student journalist and want to attend HOPE XI, the Eleventh Hackers on Planet Earth conference (July 22-24, NYC), you can win free admission (and an interview with me!) by submitting an article about any of the topics that come up at HOPE conferences! Get writing!

How to protect the future web from its founders' own frailty

Earlier this month, I gave the afternoon keynote at the Internet Archive's Decentralized Web Summit, and my talk was about how the people who founded the web with the idea of having an open, decentralized system ended up building a system that is increasingly monopolized by a few companies -- and how we can prevent the same things from happening next time.
