The Equation Group's sourcecode is totally fugly

With the leak of exploits developed by The Equation Group, the long-secret, NSA-adjacent super-elite hacking squad -- published by The Shadow Brokers, who have some extremely heterodox theories about auction design -- it's now possible to audit the source code of some of the NSA's crown-jewel cyberweapons. Read the rest

The NSA's program of tech sabotage created the Shadow Brokers

glass-984457_960_720

The more we learn about the Shadow Brokers, who claim to be auctioning off "cyberweapons" that crafted for the NSA's use, the scarier the breach gets: some of the world's biggest security companies are tacitly admitting that the exploits in the Shadow Brokers' initial release can successfully penetrate their products, and they have no fix at hand. Read the rest

Podcast: How we'll kill all the DRM in the world, forever

I'm keynoting the O'Reilly Security Conference in New York in Oct/Nov, so I stopped by the O'Reilly Security Podcast (MP3) to explain EFF's Apollo 1201 project, which aims to kill all the DRM in the world within a decade. Read the rest

Snowden explains the Shadow Brokers/Equation Group/NSA hack

050 056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1187

The news that a group of anonymous hackers claimed to have stolen some of the NSA's most secret, valuable weaponized vulnerabilities and were auctioning them off for bitcoin triggered an epic tweetstorm from Edward Snowden, who sets out his hypothesis for how the exploits were captured and what relation that has to the revelations he made when he blew the whistle on illegal NSA spying in 2013. Read the rest

Hackers claim to have stolen NSA cyberweapons, auctioning them to highest bidder

050 056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1185

The Shadow Brokers, a previously unknown hacker group, has announced that it has stolen a trove of ready-to-use cyber weapons from The Equation Group (previously), an advanced cyberweapons dealer believed to be operating on behalf of, or within, the NSA. Read the rest

It's pretty easy to hack traffic lights

DCF 1.0

Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system. Read the rest

UK/EU security researchers: tax-free stipend to study privacy and authentication

UCL_Portico_Building

UC London's offering a tax-free stipend for UK/EU students to work on designing and evaluating new approaches for continuous authentication, based on a solid theoretical underpinning so as to give a high degree of confidence that the resulting decisions match expectations and requirements" as well as "ways to preserve user privacy by processing behavioural measurements on the user’s computer such that sensitive information is not sent to the online service." (Image: LordHarris, CC-BY-SA) (Thanks, William!) Read the rest

If the 2016 election is hacked, it's because no one listened to these people

Ever since the Supreme Court ordered the nation's voting authorities to get their act together in 2002 in the wake of Bush v Gore, tech companies have been flogging touchscreen voting machines to willing buyers across the country, while a cadre computer scientists trained in Ed Felten's labs at Princeton have shown again and again and again and again that these machines are absolutely unfit for purpose, are trivial to hack, and endanger the US election system. Read the rest

100 million VWs can be unlocked with a $40 cracker (and other cars aren't much better)

Screen-Shot-2016-08-10-at-11.34.18-AM

In Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems, a paper given at the current Usenix Security conference in Austin, researchers with a proven track record of uncovering serious defects in automotive keyless entry and ignition systems revealed a technique for unlocking over 100,000 million Volkswagen cars, using $40 worth of hardware; they also revealed a technique for hijacking the locking systems of millions of other vehicles from other manufacturers. Read the rest

Your medical data: misappropriated by health-tech companies, off-limits to you

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1153

Backchannel's package on medical data and the health-tech industry profiles three people who were able to shake loose their own data and make real improvements in their lives with it: Marie Moe, who discovered that the reason she was having terrifying cardiac episodes was out-of-date firmware on her pacemaker; Steven Keating, who created a website with exquisitely detailed data on his brain tumor, including a gene-sequence that had to be run a second time because the first scan wasn't approved for "commercial" use, which included publishing it on his own site; and Annie Kuehl, whose advocacy eventually revealed the fact that doctors had suspected all along that her sick baby had a rare genetic disorder, which she only learned about after years of agonizing victim-blaming and terrifying seizures. Read the rest

Return of Dieselgate: 3 more hidden programs found in VW Audi/Porsche firmware

2008-2010_Porsche_Cayenne_S_--_03-21-2012

The German newspaper Bild am Sonntag says that US investigators have discovered three more hidden cheat apps in a Volkswagen product line: these ones were discovered in 3-liter Audi diesels. Read the rest

Proof-of-concept ransomware for smart thermostats demoed at Defcon

1470580434407450

Last week, Andrew Tierney and Ken Munro from Pen Test Partners demoed their proof-of-concept ransomware for smart thermostats, which relies on users being tricked into downloading malware that then roots the device and locks the user out while displaying a demand for one bitcoin. Read the rest

Researchers learn about wire-fraud scam after Nigerian scammers infect themselves with their own malware

image001_wire-wire

In Wire Wire: A West African Cyber Threat, researchers from Secureworks reveal their findings from monitoring a Nigerian bank-fraud ring whose members had unwittingly infected themselves with their own malware, which captured their keystrokes and files and uploaded them to a file-server from which the researchers were able to monitor their activities and methodologies. Read the rest

1 billion computer monitors vulnerable to undetectable firmware attacks

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1153

A team led by Ang Cui (previously) -- the guy who showed how he could take over your LAN by sending a print-job to your printer -- have presented research at Defcon, showing that malware on your computer can poison your monitor's firmware, creating nearly undetectable malware implants that can trick users by displaying fake information, and spy on the information being sent to the screen. Read the rest

BBC will use surveillance powers to sniff Britons' wifi and find license-cheats

BLW_TV_Detector_Van (1)

If you live in the UK and watch live TV or use the Iplayer video-on-demand service, you have to pay a "license fee" that directly supports public media in the UK (in other countries, public media is funded out of the tax-coffers, but in the UK, it's a direct transfer from viewers to the media, which is meant to make the BBC independent of the whims of government and thus more able to hold it to account). Read the rest

EFF and partners reveal Kazakh government phished journalists, opposition politicians

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1152

At Defcon, researchers from the Electronic Frontier Foundation, First Look Media and Amnesty International, revealed their findings on a major phishing attack through which the government of Kazakhstan was able to hack opposition journalists and arrange for an opposition politician's extradition from exile in Italy to Kazakhstan. Read the rest

Airport lounges will let anyone in, provided you can fake a QR code

IMG_8177-482x362

When computer security expert and hardcore traveller Przemek Jaroszewski found that he couldn't enter an airline lounge in Warsaw because the automated reader mistakenly rejected his boarding card, he wrote a 600-line Javascript program that generated a QR code for "Batholemew Simpson," a business-class traveller on a flight departing that day. Read the rest

More posts