A deep dive into stalkerware's creepy marketing, illegal privacy invasions, and terrible security

Stalkerware -- spyware sold to people as a means of keeping tabs on their romantic partners, kids, employees, etc -- is a dumpster fire of terrible security (compounded by absentee management), sleazy business practices, and gross marketing targeted at abusive men who want to spy on women. Read the rest

Hackers stole a US Customs and Border Patrol facial recognition database

Data from facial recognition scans performed by US Customs and Border Patrol on travelers crossing at an unnamed lander border point (an anonymous source says it's a US-Canada crossing) have been stolen by hacker or hackers unknown. Read the rest

Weekend SIM-swapping blitz targets US cryptocurrency holders

SIM swapping attacks involve tricking or bribing a phone company into assigning someone else's phone number to you; once you have the number, you can intercept SMS-based two-factor authentication messages and use them to take over accounts. Read the rest

It's time to stop asking users for periodic password changes

Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons

Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation. Read the rest

Real estate title insurance company exposed 885,000,000 customers' records, going back 16 years: bank statements, drivers' licenses, SSNs, and tax records

First American Financial Corp is a Fortune 500 company that insures titles on peoples' property; their insecure website exposed 885,000,000 records for property titles, going back 16 years, including bank accounts (with scanned statements), Social Security numbers, wire transaction receipts, scanned drivers' licenses, tax records, mortgage records, etc -- when notified of the error, the company (which employs 18,000 people and grossed more than $5.7B last year) closed the misconfiguration. Read the rest

Nominations are open for EFF's Barlow/Pioneer Awards

Every year, the Electronic Frontier Foundation presents its Pioneer Awards (previously); now renamed the Barlow Award in honor of EFF co-founder John Perry Barlow, who died last year. Read the rest

In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page. Read the rest

Thangrycat: a deadly Cisco vulnerability named after an emoji 😾😾😾

Thangrycat is a newly disclosed vulnerability in Cisco routers that allows attackers to subvert the router's trusted computing module, which allows malicious software to run undetectably and makes it virtually impossible to eliminate malware once it has been installed. Read the rest

The government of Baltimore has been taken hostage by ransomware and may remain shut down for weeks

Nearly two weeks after the city of Baltimore's internal networks were compromised by the Samsam ransomware worm (previously), the city is still weeks away from recovering services -- that's weeks during which the city is unable to process utility payments or municipal fines, register house sales, or perform other basic functions of city governance. Read the rest

Research shows that 2FA and other basic measures are incredibly effective at preventing account hijacking

Google has published the results of a study of the efficacy of standard anti-account-hijacking techniques like two-factor authentication (2FA), secret questions, and passwords: the good news is that when these are used, they are incredibly effective at stopping both automated and targeted attacks, including "advanced" attacks of the sort that are often characterized as unstoppable. Read the rest

Sleuthing from public sources to figure out how the Hateful Eight leaker was caught

In 2014, Quentin Tarantino sued Gawker for publishing a link to a leaked pre-release screener of his movie "The Hateful Eight." The ensuing court-case revealed that the screeners Tarantino's company had released had some forensic "traitor tracing" features to enable them to track down the identities of people who leaked copies. Read the rest

Discovering whether your Iphone has been hacked is nearly impossible thanks to Apple's walled garden

This week, we learned that the notorious Israeli cyber-arms-dealer NSO Group had figured out how hijack your Iphone or Android phone by placing a simple Whatsapp call, an attack that would work even if you don't answer the call. Read the rest

A year after Meltdown and Spectre, security researchers are still announcing new serious risks from low-level chip operations

Spectre and Meltdown are a pair of chip-level security bugs that exploit something called "speculative execution," through which chips boost performance by making shrewd guesses about which computer operations are performed together. Read the rest

DOJ accuses Verizon and AT&T employees of participating in SIM-swap identity theft crimes

The DOJ has indicted three former Verizon and AT&T employees for alleged membership in a crime-ring known as the "The Community"; the indictment says the telco employees helped their confederates undertake "port-out" scams (AKA "SIM-swapping" AKA "SIM hijacking"), which allowed criminals to gain control over targets' phone numbers, thereby receiving SMS-based two-factor authentication codes. Read the rest

Lawyer involved in suits against Israel's most notorious cyber-arms dealer targeted by its weapons, delivered through a terrifying Whatsapp vulnerability

NSO Group is a notorious Israeli cyber-arms dealer whose long trail of sleaze has been thoroughly documented by the University of Toronto's Citizen Lab (which may or may not be related to an attempt to infiltrate Citizen Lab undertaken by a retired Israeli spy); NSO has been implicated in the murder and dismemberment of the dissident Saudi journalist Jamal Khashoggi (just one of the brutal dictatorships who've availed themselves of NSO tools), and there seems to be no cause too petty for their clients, which is why their malware has been used to target anti-soda activists in Mexico. Read the rest

After elderly tenant was locked in his apartment by his landlord's stupid "smart lock," tenants win right to use actual keys to enter their homes

Tenants in New York City have reached a settlement with their landlord requiring the landlord to install actual locks with actual keys on demand, rather than insisting that all tenants use locks from Latch, the leading Internet of Things "smart lock" vendor, whose products conduct fine-grained surviellance on their users, which the company reserves the right to share with third parties. Read the rest

Towards a method for fixing machine learning's persistent and catastrophic blind spots

An adversarial preturbation is a small, human-imperceptible change to a piece of data that flummoxes an otherwise well-behaved machine learning classifier: for example, there's a really accurate ML model that guesses which full-sized image corresponds to a small thumbnail, but if you change just one pixel in the thumbnail, the classifier stops working almost entirely. Read the rest

More posts