My keynote from the O'Reilly Security Conference: "Security and feudalism: Own or be pwned"

Here's the 32-minute video of my presentation at last month's O'Reilly Security Conference in New York, "Security and feudalism: Own or be pwned."

UK reports of webcam blackmail (sextortion, RATting, etc) more than double in 2016

So far 864 people in the UK have reported instances of "webcam blackmail" to police in 2016, more than double the number of reported incidents in 2015.

The hacker who took over San Francisco's Muni got hacked

Last week, San Francisco's municipal light rail system (the Muni) had to let passengers ride for free because a ransomware attacker had taken over its network and encrypted the drives of its servers.

NTP: the rebirth of ailing, failing core network infrastructure

Network Time Protocol (NTP) is how the computers you depend on know what time it is, which is critical to network operations, cryptography (certificate validity and token expiry both depend on an accurate clock) and many other functions. Until recently, the reference NTP software was kept in a proprietary format on a computer that no one had the password for (and which had not been updated in a decade), and it was maintained almost entirely by one person.

Trump Tower has two "privately owned public spaces" that anyone is entitled to visit

In order to get permission to add an extra 20 floors to Trump Tower's plan, Donald Trump had to promise to build public amenities, "including access to restrooms, an atrium, and two upper-level gardens."

The Snoopers Charter gives these 48 organisations unlimited, secret access to all UK browsing history

With the passage of the Snoopers Charter earlier this month, the UK has become the most-surveilled "democratic" state in the world: service providers are required to retain at least a year's worth of their customers' browsing history and make it searchable, without a warrant, by a variety of agencies. No records are kept of these searches, making it virtually impossible to detect petty vendetta-settling, stalking, or systemic abuses (including selling access to criminals and foreign governments, and institutionalised racism).

Two hackers are selling DDoS attacks from 400,000 IoT devices infected with the Mirai worm

The Mirai worm was first seen attacking security journalist Brian Krebs with 620 Gbps floods, then took down Level 3, Dyn and other hardened, well-provisioned internet giants, then spread to every developed nation on Earth (and was used to knock some less-developed nations offline), all despite being revealed as clumsy and amateurish (a shortcoming remedied shortly afterward by hybridizing it with another IoT worm). It is now bigger than ever, and you can rent time on it to punish journalists, knock countries offline, or take down chunks of the core internet.

Ransomware creep accidentally hijacks San Francisco Muni, won't give it back

A ransomware criminal's self-propagating malware spread through a critical network used by the San Francisco light rail system (the Muni), encrypting systems and forcing it to stop charging fares; the anonymous criminal, reachable at cryptom27@yandex.com, says they won't hand the systems back until they get paid.

Wisconsin: America's top voting-machine security expert says count was irregular; Fed judge says gerrymandering was unconstitutional

University of Michigan professor J. Alex Halderman is one of America's top experts on voting-machine security, and he has issued a joint statement with voting-rights attorney John Bonifaz to the Clinton campaign, advising it to ask for a recount of the Wisconsin votes.

Listening to users is the first step in making them secure

Quinn Norton's lecture A Network of Sorrows: Small Adversaries and Small Allies at Hack.lu (helpfully transcribed by the Open Transcripts folks!) is a great call-to-arms for user-centered security.

Even if you've ripped out your laptop's mic, hackers can listen in through your headphones

Realtek's audio chips, found in Macs and many PCs, can silently reconfigure a laptop's headphone jack into a microphone input, so that plugged-in headphones (whose speaker drivers are, physically, just microphones run in reverse) capture the audio around you.

Whaling: phishing for executives and celebrities

A fraudster's term of art, "whaling" refers to phishing attempts targeted at "C-level corporate executives, politicians and celebrities"; it is a play on "phishing" (attacks that trick users into downloading dangerous files or visiting attack sites by impersonating known sources) and "whales" (a casino term of art for high-stakes gamblers).

Iphones secretly send your call history to Apple's cloud, even after you tell them not to

Apple has acknowledged that its Icloud service is a weak link in its security model: by design, Apple can gain access to encrypted data stored in its customers' accounts, which means the company can be hacked, coerced or tricked into revealing otherwise secure customer data to law enforcement, spies and criminals.

Office Depot techs accused of faking malware infections to meet sales targets

Seattle's KIRO TV made undercover visits to Office Depot stores in Washington state and Oregon and asked the technicians running the stores' "PC Health Check" to evaluate a working, uninfected PC; four out of six times, Office Depot technicians diagnosed nonexistent virus activity and prescribed $200 worth of service to get rid of it.

Beyond Bad USB: Poisontap takes over your sleeping computer with a $5 USB stick

Prolific and dramatic security researcher Samy Kamkar has unveiled PoisonTap, a device built on a $5 Raspberry Pi Zero that, when plugged into a locked or sleeping computer, masquerades as a USB Ethernet adapter, hijacks the machine's web traffic and siphons cookies out of any open browser session, showing how exposed a computer remains even when it is asleep.

Your user data is secretly sent to China through a backdoor on some U.S. Android phones

Included for free with some Android phones: "a backdoor that sends all your text messages to China every 72 hours."

Shazam song-identification program keeps your mic on, even when you turn it off

If you run the Shazam song-identification app on a Mac, the mic never switches off, even when the program reports that it has.