Airport lounges will let anyone in, provided you can fake a QR code

IMG_8177-482x362

When computer security expert and hardcore traveller Przemek Jaroszewski found that he couldn't enter an airline lounge in Warsaw because the automated reader mistakenly rejected his boarding card, he wrote a 600-line Javascript program that generated a QR code for "Batholemew Simpson," a business-class traveller on a flight departing that day. Read the rest

Spoofing GPS is surprisingly easy; detecting it is surprisingly hard

Mjc5MDkzOQ

GPS security is increasingly implicated in both physical and information security: from steering a super-yacht (or a super-tanker) into pirate-friendly waters to diverting self-driving cars or even unlocking geo-tagged tokens and AR game objectives. Read the rest

Decision to retain personally identifying information puts Australian census under threat

Without an accurate census, it's virtually impossible to make good national policy, which is why so many countries make census participation mandatory (when former Canadian Prime Minister Stephen "Dumpster Fire" Harper made the long-form census optional, statisticians and policy wonks quailed) -- which is why the Australian government's decision to collect and retain -- for 10 years -- personally identifying information on census participants is such a big deal. Read the rest

Big rigs can be hijacked and driven with software-based attacks

animation

In a two-month-long class assignment, researchers from the University of Michigan found vulnerabilities in J1939, the standard for networking in big rigs and other large industrial vehicles, that allowed them to control the acceleration, braking, and instrument panels of their target vehicles. Read the rest

Iranians connected to phishing attempt on tortured Syrian activist

1-Syria-publicly-reported-threat-actors

Former Syrian National Council vice-president Nour Al-Ameer fled to Turkey after being arrested and tortured by the Assad regime -- that's when someone attempted to phish her and steal her identity with a fake Powerpoint attachment purporting to be about the crimes of the Assad regime. Read the rest

Hacker puppets explain how they find your passwords in non-technical ways

animation

Gus the hacker puppeteer writes, "Last weekend was the Hackers On Planet Earth conference (where, ICYMI, Cory was the keynote address). I always come away from HOPE wishing there were easier ways to share what I learned there with friends and family. Fortunately, the Internet Society has been streaming and storing videos of HOPE talks for the past two conferences. (My own talk, on getting into the minds of everyday computer users, should be up there eventually.)" Read the rest

Pregnancy-tracking app was riddled with vulnerabilities, exposing extremely sensitive personal information

Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app's designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users' passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app. Read the rest

Russia and other states could hack the US election by attacking voting machines

291981104_69292356e3_o

It's been more than 16 years since faulty voting machine technology called into question a US presidential election, and in the ensuing 1.6 decades, the voting machine industry has used bafflegab, intimidation and salesmanship to continue selling faulty goods, whose flaws surface with despressing regularity. Read the rest

Bruce Schneier on the coming IoT security dumpster-fire

Brain-Controlled_Prosthetic_Arm_2

Bruce Schneier warns us that the Internet of Things security dumpster-fire isn't just bad laptop security for thermostats: rather, that "software control" (of an ever-widening pool of technologies); interconnections; and autonomy (systems designed to act without human intervention, often responding faster than humans possibly could) creates an urgency over security questions that presents an urgent threat the like of which we've never seen. Read the rest

EFF is suing the US government to invalidate the DMCA's DRM provisions

Bunnie_Huang

The Electronic Frontier Foundation has just filed a lawsuit that challenges the Constitutionality of Section 1201 of the DMCA, the "Digital Rights Management" provision of the law, a notoriously overbroad law that bans activities that bypass or weaken copyright access-control systems, including reconfiguring software-enabled devices (making sure your IoT light-socket will accept third-party lightbulbs; tapping into diagnostic info in your car or tractor to allow an independent party to repair it) and reporting security vulnerabilities in these devices. Read the rest

Ed Snowden and Andrew "bunnie" Huang announce a malware-detecting smartphone case

Acr821342097496832-8341-1024x768

Exiled NSA whistleblower Edward Snowden and legendary hardware hacker Andrew bunnie" Huang have published a paper detailing their new "introspection engine" for the Iphone, an external hardware case that clips over the phone and probes its internal components with a miniature oscilloscope that reads all the radio traffic in and out of the device to see whether malicious software is secretly keeping the radio on after you put it in airplane mode. Read the rest

Baseband vulnerability could mean undetectable, unblockable attacks on mobile phones

Qualcomm_MDM9615

The baseband firmware in your phone is the outermost layer of software, the "bare metal" code that has to be implicitly trusted by the phone's operating system and apps to work; a flaw in that firmware means that attackers can do scary things to your hone that the phone itself can't detect or defend against. Read the rest

For 90 years, lightbulbs were designed to burn out. Now that's coming to LED bulbs.

E27_with_38_LCD

In 1924, representatives of the world's leading lightbulb manufacturers formed Phoebus, a cartel that fixed the average life of an incandescent bulb at 1,000 hours, ensuring that people would have to regularly buy bulbs and keep the manufacturers in business. Read the rest

"Security is what happens to people, not machines"

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1142

Eleanor Saitta (previously) -- a security researcher who's done extensive work training vulnerable groups in information security and now security architect for Etsy -- appears on the most recent O'Reilly Security podcast (MP3), discussing a human-centered approach to security, design and usability that I found to be an accessible and concise critique of mainstream security thinking and an inspiring direction for security practitioners. Read the rest

Black-hat hacker handles are often advertisements

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1129

When Bruce Sterling wrote his seminal book The Hacker Crackdown -- a history of the rise of hackers, the passage of the first anti-hacking laws, and the formation of the Electronic Frontier Foundation -- most of the hackers he chronicled had handles that were a combination of playfulness and menace, like Phiber Optik, Scorpion and Acid Phreak. Read the rest

Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites

800px-Red_onion_closeup_2

When it comes to accessing public websites, Tor has an intrinsic security problem: though the nodes between your computer and the public internet are unable to see where the traffic is coming from or going to, the final hop in the network (known as an exit node) gets to know what webserver you are connecting to. Read the rest

"Dark Overlord"'s health record dumps were calculated, reputation-building spectacles

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x1123

"The Dark Overlord" is a hacker who's made headline by advertising the availability of millions of health records on darknet sites, sending samples to news-outlets to validate their authenticity; in an interview with Motherboard's Joseph Cox, Dark Overlord reveals that the disclosures are timed to put the pressure on other victims to pay ransoms to guarantee that their stolen data won't leak. Read the rest

More posts