Consumer Reports Labs is hiring 8 staffers: technologists, journalists and wonks

Consumer Reports' Digital Lab does groundbreaking privacy research, and it is hiring for eight positions: technologists ("resident hacker," "digital standard manager," "information security researcher," "program manager, security and testing," and "privacy testing project leader"); journalists ("digital content manager"); and policy and comms ("senior researcher, digital competition" and "associate director, strategic communications, technology and privacy"). Most of the positions are based in NYC, SF or DC; several allow for remote workers. (Thanks, Ben!)

Sand thieves believed to be behind epidemic of Chinese GPS jamming

Ships' captains and outside monitoring firms have reported waves of GPS jamming around Shanghai's ports, on a scale and of a severity never seen before: the jamming causes ships' locations to be incorrectly displayed and to jump around. The observations were confirmed via an anonymized (sic) data-set from a short-hire bike firm, whose bikes are also mysteriously appearing and disappearing at locations all through the region. The spoofing has created a massive local shipping hazard and has led to spectacular shipwrecks.

An interview with Andy Greenberg about his book Sandworm, on the Russian state hackers who attack power grids

Wired security reporter Andy Greenberg's latest book is Sandworm (previously), a true-life technothriller that tells the stories of the cybersecurity experts who analyzed and attributed a series of ghastly cyberwar attacks that brought down parts of the Ukrainian power grid, and then escaped the attackers' control and spread all over the world.

TPM-FAIL: a timing attack that can extract keys from secure computing chips in 4-20 minutes

Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger have published TPM-FAIL: TPM meets Timing and Lattice Attacks, their Usenix Security paper, which reveals a pair of timing attacks against trusted computing chips ("Trusted Platform Modules" or TPMs), the widely deployed cryptographic co-processors used for a variety of mission-critical secure computing tasks, from verifying software updates to establishing secure connections.

A woman's stalker compromised her car's app, giving him the ability to track and immobilize it

An Australian woman's creepy, violent ex-boyfriend hacked her phone using stalkerware, then used that, along with her car's VIN, to hack the remote control app for her car (possibly Land Rover's InControl app), which allowed him to track her location, stop and start her car, and adjust the car's temperature.

My review of Sandworm: an essential guide to the new, reckless world of "cyberwarfare"

For years, I've followed Andy Greenberg's excellent reporting on "Sandworm," a set of infrastructure-targeted cyberattacks against Ukraine widely presumed to be of Russian origin, some of which escaped their targeted zone and damaged systems around the world.

White House cybersecurity adviser Giuliani took his iPhone to the Genius Bar when he forgot his password

In 2017, a month after Trump named Rudy Giuliani to be his cybersecurity officer, Giuliani locked himself out of his iPhone. So he waited in line at a San Francisco Apple store to get the Genius Bar to unlock his phone. Last night, when NBC broke the news of this, Giuliani idiotically compared what he did to the FBI asking Apple to unlock the phone of the San Bernardino mass shooter (which Apple refused to do). Also, given the sensitive information likely on Giuliani's phone, it's rather surprising that he'd hand it over to a random employee at a retail store. Or maybe it isn't surprising at all. Wonder if Giuliani tried "PASSWORD"? From NBC News:

Giuliani’s handling of the situation calls into question his understanding of basic security measures and raises the prospect that, as someone in the president's inner circle, his electronic devices are especially vulnerable to hackers, two former FBI cyber experts told NBC News.

“There’s no way he should be going to a commercial location to ask for that assistance,” said E.J. Hilbert, a former FBI agent for cybercrime and terrorism.

Michael Anaya, a former FBI supervisory special agent who led a cyber squad for four years, reacted with astonishment when told about Giuliani’s Apple store visit.

“That’s crazy,” he said.


America needs a national standard for voting and voter rolls

Frank Wu writes, "Brianna Wu (US Congressional candidate in MA-8 and cybersecurity expert) has a brand new article in The Boston Globe about election security. People think electronic voting machines are the biggest problem. They're wrong. The electronic VOTER ROLLS are the largest attack surface for hackers. 2% of all ballots cast (enough to sway many elections) are provisional and that number is growing."

New York Times abruptly eliminates its "director of information security" position: "there is no need for a dedicated focus on newsroom and journalistic security"

Runa Sandvik (previously) is a legendary security researcher who spent many years as a lead on the Tor Project; in 2016, the New York Times hired her as "senior director of information security," where she was charged with protecting the information security of the Times's newsroom, sources and reporters. Yesterday, the Times fired her, eliminating her role altogether, because "there is no need for a dedicated focus on newsroom and journalistic security."

Japanese robot hotel chain ignored repeated warnings that its in-room “bed-facing” robots could be turned into spy devices

Japan's Henn na Hotel chain, owned by the HIS Group, uses "bed-facing Tapia robots" in its rooms; these robots turn out to be incredibly insecure: you can update them by pairing with them using an NFC sensor at the backs of their heads. The robots do not check the new code for cryptographic signatures, meaning that malicious actors can install any code they want.

Equifax used "admin/admin" as login and pass for an unencrypted server full of your personal data

In 2017, Equifax admitted that it had doxed America by leaking the nonconsensual dossiers it builds on the nation, covering up the breach while its key employees sold off their stock, and then repeatedly lying about its scope.

There will be another HOPE hacker con in 2020!

Aestetix writes, "We have good news. There will be a HOPE [ed: Hackers on Planet Earth, a beloved, NYC-based hacker con put on by 2600 Magazine] in 2020. And we expect it to be better than ever. For several months, we have been looking for a venue that would have the needed space and flexibility for HOPE. Thanks to the efforts of many - and the massive amount of suggestions and support from attendees - we've found a new location for the conference that's much, much better than what we had before. HOPE will take place at St. John's University in Queens from July 31st to August 2nd, 2020. It's still in New York City, easily accessible by mass transit, and well positioned to do everything we've done in the past."

Griefer terrorizes baby by taking over their Nest babycam...again

Nest is a home automation company that Google bought in 2014, turned into an independent unit of Alphabet, then re-merged with Google in 2018 (demonstrating that the "whole independent companies under Alphabet" thing was just a flag of convenience for tax purposes). The company has always focused on "ease of use" over security, and internecine warfare between different dukes and lords of Google meant that it was never properly integrated with Google's security team. That is why, over and over again, people who own Nest cameras discover strangers staring at them from their unblinking camera eyes, sometimes shouting obscenities.

It's dismayingly easy to make an app that turns a smart-speaker into a password-stealing listening device and sneak it past the manufacturer's security checks

German security researchers from Security Research Labs created a suite of apps for Google and Amazon smart speakers that did trivial things for their users and appeared to finish and go dormant, but actually stayed in listening mode and then phished the user for passwords spoken aloud, to be exfiltrated to a malicious actor; all their apps were successfully smuggled past the companies' app store security checks.

Attribution is hard: the incredible skullduggery used to try to blame the 2018 Olympic cyberattack on North Korea

Wired has published another long excerpt from Sandworm, reporter Andy Greenberg's (previously) forthcoming book on the advanced Russian hacking team who took the US-Israeli Stuxnet program to the next level, attacking Ukrainian power infrastructure and literally blowing up key components of the country's power grid by attacking the embedded code in their microcontrollers.

Proof-of-concept supply-chain poisoning: tiny, undetectable hardware alterations could compromise corporate IT

A little over a year ago, Bloomberg stunned the world with a report claiming that Chinese intelligence services had figured out how to put undetectable, rice-grain-sized hardware implants into servers headed for the biggest US cloud and enterprise IT firms, and that when some of the victims discovered this, they quietly ripped out whole data-centers and replaced all their servers.

One Weird Law That Interferes With Security Research, Remix Culture, and Even Car Repair

How can a single, ill-conceived law wreak havoc in so many ways? It prevents you from making remix videos. It blocks computer security research. It keeps those with print disabilities from reading ebooks. It makes it illegal to repair people's cars. It makes it harder to compete with tech companies by designing interoperable products. It's even been used in an attempt to block third-party ink cartridges for printers.