Solder a 0.3mm chip onto a credit card and Chip-and-PIN is yours to pwn


No one's exactly sure how fraudsters stole over $680,000 from hijacked chip-and-PIN credit cards in Belgium, because the cards are still evidence and can't be subjected to a full tear-down. But based on X-rays of the tampered cards, it's a good bet that the thieves glued a 0.3mm hobbyist FUN chip over the card's own chip and programmed it to bypass all PIN entries.

Exploiting smartphone cables as antennae that receive silent, pwning voice commands


In IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones, French government infosec researchers José Lopes Esteves and Chaouki Kasmi demonstrated a clever attack on smartphones that sent silent voice commands to OK Google and Siri by converting them to radio waves and tricking headphone cables into acting as antennas.

GPS, Plan B: US Navy teaches celestial navigation as fallback for cyberattack


The Naval Academy is digging sextants out of storage and, with the help of the Merchant Marine Academy (which never stopped teaching celestial navigation), is training its students in celestial navigation so that ships will still be able to find their way after adversaries infect the GPS system with malware.

Now we know the NSA blew the black budget breaking crypto, how can you defend yourself?


Well, obviously, we need to get Congress to start imposing adult supervision on the NSA, but until that happens, there are some relatively simple steps you can take to protect yourself.

Ukrainian botmaster who tried to frame Brian Krebs extradited to US


When security-researcher/hornet-nest-kicker Brian Krebs outed Sergey "Flycracker" Vovnenko as administrator of a darknet crime site and botmaster of a 13,000-PC-strong botnet used to attack sites and launder stolen data, Vovnenko allegedly masterminded a plot to frame Krebs by mailing him heroin.

The NSA sure breaks a lot of "unbreakable" crypto. This is probably how they do it.


There have long been rumors, leaks, and statements about the NSA "breaking" crypto that is widely believed to be unbreakable, and over the years there has been mounting evidence that in many cases they can do just that. Now Alex Halderman and Nadia Heninger, along with a dozen eminent cryptographers, have presented a paper at the ACM Conference on Computer and Communications Security (a paper that won the ACM's prize for best paper at the conference) that advances a plausible theory as to what's going on. In some ways it's very simple -- but it's also very, very dangerous, for all of us.

Thrust/parry/counter: the history of Web authentication


A beautiful piece of writing by Schabse presents the history of Web authentication as a series of conversational gambits and ripostes between someone who wants to let users prove their identity online, and someone who wants to impersonate those users. It's a great way to present a subject that's both esoteric and vital, and I've never seen it before.

TPP requires countries to destroy security-testing tools (and your laptop)


Under TPP, signatories are required to give their judges the power to "order the destruction of devices and products found to be involved in" breaking digital locks, such as those detailed in this year's US Copyright Office Triennial DMCA Hearing docket, which were used to identify critical vulnerabilities in vehicles, surveillance devices, voting machines, medical implants, and many other devices in our world.

It's been ten years since Sony Music infected the world with its rootkit


Oct 31 2005: Security researcher Mark Russinovich blows the whistle on Sony-BMG, whose latest "audio CDs" were actually multi-session data discs, deliberately designed to covertly infect Windows computers when inserted into their optical drives.

Smurfs vs phones: GCHQ's smartphone malware can take pics, listen in even when phone is off


In a new episode of the BBC's Panorama, Edward Snowden describes the secret mobile phone malware developed by GCHQ and the NSA, which has the power to listen in through your phone's mic and follow you around, even when your phone is switched off.

Newly disclosed Android bugs affect all devices


The newly released bugs are part of the Stagefright family of vulnerabilities, disclosed by Zimperium Zlabs.

Theoretical "auto-brothel" attack on mechanics' computers could infect millions of cars


Companies like GM have engineered their cars so that it's a felony to make independent diagnostic tools for them, or to investigate the official diagnostic tools rented to mechanics in exchange for a promise to only buy GM's hyper-inflated replacement parts.

The FBI has no trouble spying on encrypted communications


Every time the Bureau wants to spy on someone whose communications are encrypted, they just hack them.

Why biometrics suck, the Office of Personnel Management edition


The nation-state hackers who stole 5.6 million+ records of US government employees (cough China cough) also took 5.6 million+ fingerprints. But it's no problem: those people can just get new fingerprints and revoke their old ones, right?

First issue of new feminist hacker zine


Audrey writes, "The Recompiler is a new feminist hacker magazine dedicated to learning about technology in a fun and inclusive way. The first issue of the magazine is now online, with articles about glitchy art, 80s tech, SSL bugs, and the flaws in DNS."

Symantec caught issuing rogue certificates


Your browser trusts SSL certificates from hundreds of "Certificate Authorities," each of which is supposed to exercise the utmost caution before issuing them -- a rogue cert would allow a criminal or a government to act as a man-in-the-middle between you and your bank, email provider, or employer, undetectably intercepting communications that you believed to be secure.

Poker malware infects your computers and peeks at your cards


Odlanor is Windows malware that targets users of Pokerstars and Full Tilt Poker, and exfiltrates information about their cards to their competitors.