This month, University of Washington researchers will present Exploring ADINT: Using Ad Targeting for Surveillance on a
Budget — or — How Alice Can Buy Ads to Track Bob at the Workshop on Privacy in the Electronic Society in Dallas; the paper details a novel way that stalkers and other low-level criminals can accomplish state-grade surveillance on the cheap with targeted ad-purchases.
Computers that are isolated from the internet and local networks are said to be "airgapped," and it's considered a best practice for securing extremely sensitive systems.
Blockchain transactions are recorded forever and indelibly, and that means that all the Bitcoin transactions on early Tor hidden service marketplaces like Silk Road are on permanent, public display; because many people who made these transactions later went on to link those Bitcoin wallets with their real identities, those early deals are now permanently associated with their public, identifiable selves.
Hacker takeovers of power infrastructure have been seen in Ukraine (where they are reliably attributed to Russian state actors), but now the US power-grid has been compromised by hackers of unknown origin, who have "switch-flipping" control — that is, they can just turn it all off.
In cryptographic and security circles, the "evil maid" problem describes a class of attacks in which a piece of unguarded hardware, is tampered with by someone who gains physical access to it: for example, a hotel chambermaid who can access your laptop while you're out of the room.
This week at Singapore's Hack in the Box conference, researchers Lucas Apa and Cesar Cerrudo from the Argentinian security research company IOActive will present their findings on the defects in humanoid domestic robots from UBTech and Softbank and industrial robot arms from Universal Robots; they're building on research published in March in which they released incomplete findings in order to give vendors a chance to patch the vulnerabilities they discovered.
Security researchers from Rhino Security Labs have shown that it is trivial to disable the Amazon Cloud Cam that is a crucial component of the Amazon Key product — a connected home door-lock that allows delivery personnel to open your locked front door and leave your purchases inside — and have demonstrated attacks that would allow thieves to exploit this weakness to rob your home.
University of Tulsa security researchers Jason Staggs and his colleagues will present Adventures in Attacking Wind Farm Control Networks at this year's Black Hat conference, detailing the work they did penetration-testing windfarms.
In An Empirical Analysis of Traceability in the Monero Blockchain, a group of eminent computer scientists analyze a longstanding privacy defect in the Monero cryptocurrency, and reveal a new, subtle flaw, both of which can be used to potentially reveal the details of transactions and identify their parties.
Ever since the Ukrainian "Maidan" revolution, the country has been subjected to waves of punishing cyberwar attacks, targeting its power grids, finance ministry, TV networks, election officials, and other critical systems.
Security researchers at Stony Brook deliberately visited websites that try to trick visitors into thinking that their computers are broken, urging them to call a toll-free "tech support" number run by con artists that infect the victim's computer with malware, lie to them about their computer's security, and con them out of an average of $291 for "cleanup services."
Whoever created the Wcry ransomware worm — which uses a leaked NSA cyberweapon to spread like wildfire — included a killswitch: newly infected systems check to see if a non-existent domain is active, and if it is, they fall dormant, ceasing their relentless propagation.
Realtek's audio chips — found in Macs and many PCs — can repurpose your laptop's headphone jack to serve as a mic jack, and capture audio through your headphones.
A group of researchers from Oxford and TU Berlin will present their paper, White-Stingray: Evaluating IMSI Catchers Detection Applications at the Usenix Workshop on Offensive Technologies, demonstrating countermeasures that Stingray vendors could use to beat Stingrays and other "cell-site simulators" (AKA IMSI catchers).
Amir Taaki is a well-known anarchist bitcoin hacker whose project, Dark Wallet, is meant to create strong anonymity for cryptocurrency transactions; when he discovered that anarchists around the world had gone to Rojava, a district in Kurdish Syria on the Turkish border, to found an anarchist collective with 4,000,000 members "based on principles of local direct democracy, collectivist anarchy, and equality for women," he left his home in the UK to defend it.
The combination of 2014's Supreme Court decision not to hear Cotterman (where the 9th Circuit held that the data on your devices was subject to suspicionless border-searches, and suggested that you simply not bring any data you don't want stored and shared by US government agencies with you when you cross the border) and Trump's announcement that people entering the USA will be required to give border officers their social media passwords means that a wealth of sensitive data on our devices and in the cloud is now liable to search and retention when we cross into the USA.
Five years ago, Benjamin Delpy was working for an unspecified French government agency and teaching himself to program in C, and had discovered a vital flaw in the way that Windows protected its users' passwords.
Well, there's a second-decade-of-the-21st-century headline for you!
Charlie Miller made headlines in 2015 as part of the team that showed it was possible to remote-drive a Jeep Cherokee over the internet, triggering a 1.4 million vehicle recall; now, he's just quit a job at Uber where he was working on security for future self-driving taxis, and he's not optimistic about the future of this important task.