The previous owners of used "smart" cars can still control them via the cars' apps (not just cars!)

It's not just that smart cars' Android apps are sloppily designed and thus horribly insecure; they are also deliberately designed with extremely poor security choices: even if you factory-reset a car after it is sold as used, the original owner can still locate it, honk its horn, and unlock its doors. Read the rest

It's very hard to maintain an anonymous Twitter account that can withstand government-level attempts to de-anonymize it

It's one thing to set up an "anonymous" Twitter Hulk account whose anonymity your friends and colleagues can't pierce, because the combination of your care not to tweet identifying details, the stilted Hulk syntax, and your friends' inability to surveil the global internet and compel phone companies to give up their caller records suffice for that purpose. Read the rest

Bad Android security makes it easy to break into and steal millions of "smart" cars

Securelist's report on the security vulnerabilities in Android-based "connected cars" describes how custom Android apps could be used to find out where the car is, follow it around, unlock its doors, start its engine, and drive it away. Read the rest

Why did Brinks "mindlessly copy" an old defective padlock design?

Locksmith Bosnian Bill experienced deja vu upon seeing a new padlock offered in stores by Brinks. It looks awfully similar to a Master-brand padlock withdrawn from sale due to a critical flaw that makes it easy to spring open. And wouldn't you know, the same trick works!

It's advertised as "medium security," but all you need is a mini boxcutter and you're in.

"I can't believe it," Bill says. "The battle we won to tell everyone about this master, here we are again. Don't buy this even for your kid's tricycle. ... Brinks, stay out of the lock business." [via] Read the rest

Researchers show they can beat address space layout randomization with Javascript in a browser (!)

Address space layout randomization is an important first line of defense against malicious software: by randomizing where in memory instructions are stored, ASLR makes it much harder to overwrite memory with new code that will be jumped to as a program executes, offering significant protection against buffer overflow attacks. Read the rest

"I’ll never bring my phone on an international flight again. Neither should you."

Quincy Larson asks you to image "What’s the worst thing that could happen if the Customs and Border Patrol succeed in getting ahold of your unlocked phone?"

Read the rest

Amnesty: hackers spent months building personas used to phish Qatari labor activists

In a new report, Amnesty International summarizes the security research they did on the victims of a sophisticated phishing attack aimed at Qatari labor activists, dubbed "Operation Kingphish." Read the rest

Proof-of-concept ransomware locks up the PLCs that control power plants

In Out of Control: Ransomware for Industrial Control Systems, three Georgia Tech computer scientists describe their work to develop LogicLocker, a piece of proof-of-concept ransomware that infects the programmable logic controllers that are used to control industrial systems like those in power plants. Read the rest

Anonymous infiltrated the KKK by friending Blue Lives Matter supporters on Facebook

The Anonymous activists behind "OpKKK" -- which infiltrated and unmasked Klan members, including many in US military and police departments -- began by creating thin-but-plausible fake identities on Facebook that signalled support for "Blue Lives Matter." By friending other accounts that indicated support for Blue Lives Matter, they found themselves being auto-suggested friendships with KKK members. Read the rest

Trump blabbed about response to North Korean missile launch in the Mar A Lago dining room while diners listened in

After a day of engaging in the most irresponsible activity a president can undertake (according to Donald Trump, anyway), President Trump and Japanese Prime Minister Shinzo Abe went to the Mar A Lago dining room with Steve Bannon and Michael Flynn, when Trump got a phone call about North Korea's missile tests. Read the rest

The W3C, DRM, and future of the open web

JM Porup's long, thoughtful article on the W3C's entry into the DRM standardization game gives a sense of the different forces that are pushing one of the open web's staunchest allies into a disastrous compromise: the competition that siloed apps present to open-web browsers, the debts of the W3C, the relentless pressure from the entertainment industry to redesign browsers to do a corporation's bidding, rather than the user's. Read the rest

Cyberarms dealer's weapons used against Mexican soda-tax activists

NSO is an Israel cyberarms dealer, which buys or researches vulnerabilities in software and then weaponizes them; claiming that these cyberweapons will only be used by democratic governments and their police forces to attacks serious criminals and terrorists -- a claim repeated by its competitors, such as Italy's Hacking Team and Gamma Group. Read the rest

The World Wide Web Consortium wants to give companies a veto over warnings about browser defects

Since 2013, when the W3C decided to standardize DRM for web videos, activists, security researchers and disabled rights advocates have been asking the organization what it plans on doing about the laws that make it illegal to bypass DRM, even to add features to help blind people, or to improve on browsers, or just to point out the defects in browsers that put billions of web users at risk. Read the rest

Enterprise firewalls are man-in-the-middling HTTPS sessions like crazy, and weakening security

A group of security researchers from academe and industry (including perennial Boing Boing favorite J Alex Halderman) have published an important paper documenting the prevalence and problems of firewalls that break secure web sessions in order to scan their contents for undesirable and malicious content. Read the rest

Son of Stuxnet: "invisible," memory-resident malware stalks the world's banks

Duqu 2.0 is a strain of clever, nearly undetectable malware, derived from Stuxnet, that stays resident in its hosts' memory without ever writing persistent files to the system's drives. Read the rest

This dump of Iphone-cracking tools shows how keeping software defects secret makes everyone less secure

Last month, a hacker took 900GB of data from Cellebrite, an Israeli cyber-arms dealer that was revealed to be selling surveillance and hacking tools to Russia, the UAE, and Turkey. Read the rest

Trump to sign yet another trash executive order, this time on 'the cyber'

'President' Donald Trump is expected to sign an executive order addressing cybersecurity today, Reuters reports in an item that cites "two sources familiar with the situation.” The EO is expected to be Trump's first action to address what he called a top priority of his administration during the Presidential campaign.

Read the rest

More posts