Security researchers: help EFF keep the Web safe for browser research!

With the Electronic Frontier Foundation, I've been lobbying the World Wide Web Consortium (W3C), which sets the open standards that the Web runs on, to take measures to protect security researchers (and the users they help) from their own bad decision to standardize Digital Rights Management as part of HTML5. Read the rest

Ransomware gets a lot faster by encrypting the master file table instead of the filesystem

In just a few short years, ransomware -- malware that encrypts all the files on the computer and then charges you for a key to restore them -- has gone from a clever literary device for technothrillers to a cottage industry to an epidemic to a public menace. Read the rest

Security-conscious darkweb crime marketplaces institute world-leading authentication practices

If you are a seller on Alphabay -- a darkweb site that sells "drugs, stolen data and hacking tools" -- you'll have to use two-factor authentication (based on PGP/GPG) for all your logins. Read the rest

Names that break databases

Jennifer Null is impossible: her name can't be entered into most modern databases (plane reservations, wedding registries) because "null" is used to separate fields in databases themselves. Read the rest

Ransomware hackers steal a hospital. Again.

A month after a hospital in Hollywood was shut down by a ransomware infection that encrypted all the files on its computers and computer-controlled instruments and systems, another hospital, this one in Kentucky, has suffered a similar fate. Read the rest

Security nerds: 25% discount for the ISSA-LA Summit, May 19-20

I'm giving the closing keynote at this year's Information Security Summit, which is being held at the Universal City Hilton in Los Angeles. Read the rest

Vulnerability in recorders used by 70+ manufacturers' CCTV systems has been known since 2014

Back in 2014, RSA published a report documenting a new tactic by criminal gangs: they were hacking into the digital video recorders that stored the feeds from security cameras to gather intelligence on their targets prior to committing their robberies. Read the rest

Dozens of car models can be unlocked and started with a cheap radio amp

A group of German researchers from ADAC have published their work on extending last year's amplification attack that let thieves steal Priuses with a $17 gadget that detected your key's unlock signal and amplified it so it would reach the car. Read the rest

US Embassy staffer ran a sextortion racket from work computer for 2 years

Michael C Ford has been sentenced to four years and nine months in prison, having pleaded guilty to running a sextortion/phishing operation from his work computer at the US embassy in London for two years. Read the rest

FBI issues car-hacking warning, tells drivers to keep their cars' patch-levels current

More proof that all devices in the modern world are just computers in fancy cases: the FBI's joint warning issued with the DoT and the National Highway Traffic and Safety Administration tells drivers that they're at risk of local and remote hack-attacks against their cars, and tells them they have to keep their cars' patch-levels current or they'll be in serious danger. Read the rest

Hack-attacks with stolen certs tell you the future of FBI vs Apple

Since 2014, Suckfly, a hacker group apparently based in Chengdu, China, has used at least 9 signing certs to make their malware indistinguishable from official updates from the vendor. Read the rest

Hotel's Android-based lightswitches are predictably, horribly insecure

Matthew Garrett checked into a London hotel and discovered that the proprietors had decided that "light switches are unfashionable and replaced them with a series of Android tablets." Read the rest

Web security company breached, client list (including KKK) dumped, hackers mock inept security

Newport Beach-based Staminus Communications offered DDoS protection and other security services to its clients; early this morning, their systems went down and a dump of their internal files was posted to the Internet. Read the rest

If the FBI can force decryption backdoors, why not backdoors to turn on your phone's camera?

Eddy Cue, Apple's head of services, has warned that if the FBI wins its case and can force Apple to produce custom software to help break into locked phones, there's nothing in principle that would stop it from seeking similar orders for custom firmware to remotely spy on users through their phones' cameras and microphones. Read the rest

Using distributed code-signatures to make it much harder to order secret backdoors

Cothority is a new software project that uses "multi-party cryptographic signatures" to make it infinitely harder for governments to order companies to ship secret, targeted backdoors to their products as innocuous-looking software updates. Read the rest

Home Depot might pay up to $0.34 in compensation for each of the 53 million credit cards it leaked

In 2014, Home Depot disclosed a security breach of 53 million customer credit cards and 56 million email addresses. This week the company settled a class action lawsuit and agreed to pay as much as $19.5 million in damages and compensation. Read the rest

Less than a year on, America has all but forgotten the epic Jeep hack

Last summer, security researchers Charlie Miller and Chris Valasek were so alarmed at the terrible state of information security in cars that they demo'ed a hack that let them take over Chrysler Jeep Cherokees over the public Internet, controlling the steering and the brakes and the acceleration. Read the rest