Penetration tester releases proof-of-concept code for hijacking smart buttplugs

Last week at Defcon, a security researcher named Smea presented their findings on vulnerabilities in the Lovense Hush, an internet-of-things buttplug that has already been shown to have critical privacy vulnerabilities.

Judge orders the State of Georgia to be prepared for pen-and-paper balloting by March 2020

Few states have voting machines that are simultaneously more obviously defective and more ardently defended by the state government than Georgia, where 16-year-old touchscreen systems are prone to reporting ballots cast by 243% of the eligible voters and where gross irregularities in election administration send voters to the wrong polling places or send cohabiting husbands and wives to polls in different cities to cast their votes.

Defeating Apple's Face ID proof-of-life check by putting tape over glasses' lenses

Apple's Face ID -- a facial recognition tool that unlocks mobile devices -- has a countermeasure designed to stop attackers from unlocking a phone by scanning a sleeping/unconscious (or dead) person's face: it checks the face for signs of consciousness.

Compromised speakers can be forced to play tones so loud that the speakers start to melt

Security researcher Matt Wixey from PwC UK tried putting different kinds of consumer speakers -- noise-canceling headphones, smart speakers, parametric speakers -- in an anechoic chamber after infecting them with malware that caused them to emit tones beyond those intended by the manufacturer.

The voting machines that local officials swore were not connected to the internet have been connected to the internet for years

Election Systems & Software (ES&S) is America's leading voting machine vendor; they tell election officials (who are county-level officials who often have zero cybersecurity advice or expertise) not to connect their systems to the internet, except briefly to transmit unofficial tallies on election night.

Group sex dating app has "the worst security for any dating app"

One of the wonderful and terrible things about the internet is how it allows people seeking others with hard-to-find traits to find them: advertisers can find people thinking about buying a refrigerator; people who think they might be trans can find others in the same boat and make common cause; people with the same rare disease can form support groups, and Nazis can find sociopaths to march through the streets of Charlottesville carrying tiki torches and chanting "Jews will not replace us."

WhatsApp, Slack, Skype and apps based on popular Electron framework vulnerable to backdoor attacks

This week at B-Sides LV, security researcher Pavel Tsakalidis presented his work on security defects in the Electron framework, a cross-platform development framework that combines JavaScript with Node.js: apps built with Electron include Skype, Slack, WhatsApp, Visual Studio Code and others.

Warshipping: attack a target network by shipping a cellular-enabled wifi cracker to a company's mail-room

IBM's ridiculously named X-Force Red have documented a new attack vector they've dubbed "Warshipping": they mailed a sub-$100 custom, wifi-enabled low-power PC with a cellular radio to their target's offices.

You have the right to remain encrypted

“You have the right to remain silent.” We’ve heard the Miranda warning countless times on TV, but what good is the right to remain silent if our own cellphones testify against us? Imagine every incriminating and embarrassing secret our devices hold in the hands of prosecutors, simply because you’ve been accused of a minor crime. This is the brave new world that Attorney General Bill Barr advocated when he recently addressed the International Conference on Cyber Security and called for an end to encryption as we know it.

Cisco's failure to heed whistleblower's warning about security defects in video surveillance software costs the company $8.6m in fines

In 2008, a security researcher named James Glenn warned Cisco that its video surveillance software had a defect that made it vulnerable to a trivial-to-exploit attack; for four years afterward, the company continued to sell this software to schools, airports, hospitals, state/local governments, the US military, FEMA, the Secret Service and police departments without mitigating the defect or warning their customers that internet-connected randos could undetectably peer through their security cameras, unlock their doors, disable their alarms, and delete footage.

Hong Kong protesters use lasers to blind security cameras

Freelance journalist Alessandra Bocchi posted this video of protesters in Hong Kong using some kind of laser to target security forces' cameras: it's part of the #612strike movement's stunning repertoire of improvised anti-police countermeasures, in a near-civil-war where faces have become a battleground.

Fascinating, accessible guide to cryptographic attacks, from brute-force to POODLE and beyond

Ben Herzog's Cryptographic Attacks: A Guide for the Perplexed from Check Point Research is one of the clearest, most useful guides to how cryptography fails that I've ever read.

Defects in embedded OS VxWorks leave an estimated 200m devices vulnerable, many of them mission-critical, "forever day" systems

VxWorks is a lightweight, thin OS designed for embedded systems; a new report from Armis identifies critical vulnerabilities (called "Urgent 11") in multiple versions of the OS that they estimate affect 200m systems (VxWorks' maker, Wind River, disputes this figure).

2600's Hackers on Planet Earth con needs your help because the Hotel Pennsylvania has tripled its fees

Aestetix sez, "2600 Magazine has hosted the biennial Hackers On Planet Earth conference since 1994. However, for 2020 the host hotel, the Hotel Pennsylvania, has tripled the fee charged to the conference. Rather than raising ticket prices and making the event inaccessible to all but the rich, HOPE is reaching out to the community to help solve the crisis."

Design competition to create graphics to illustrate cybersecurity stories

Illustrating abstract articles is a pain in the ass, and in the age of social media, a post without an illustration is likely to disappear without attaining any kind of readership, which leaves those of us who cover the field endlessly remixing HAL9000 eyes using walls of code, Matrix text-waterfalls, or variations on hacker-in-a-hoodie.

The Airbus A350 needs a hard reboot every 149 hours

Two years ago, the EU Aviation Safety Agency warned that some Airbus A350s required a hard reboot every 149 hours to be safe to fly; two years later, most of the affected planes are still being rebooted to cope with the bug.

Siemens contractor hid "logic bomb" in complicated spreadsheet, guaranteeing future maintenance work

David Tinley developed complex spreadsheets under contract to Siemens, which used them to manage its equipment orders; Tinley hid "logic bombs" in the spreadsheets' scripts that caused them to malfunction every couple of years, which would gin up new work for him as he was called in to fix them.