Federal prosecutors say that Ohio man used MacOS malware that covertly operated cameras and mics and exfiltrated porn searches for 13 years

An indictment in the US District Court for the Northern District of Ohio's Eastern Division alleges that Phillip R Durachinsky created a strain of MacOS "creepware" called Fruitfly, which was able to covertly operate the cameras and microphones of infected computers as well as capture and share porn searches from the infected machines; the indictment alleges that Durachinsky used the software for 13 years, targeting individuals, schools, and federal agencies including the Department of Energy.

Vtech covered up a leak of data on 6.3m children and their families, then tried to force us not to sue - the FTC just fined them $0.09/kid

Vtech is the Taiwanese kids' crapgadget vendor that breached sensitive data on 6.3 million children and their families, lied about it and covered it up, then added a dirty EULA to its products that made us promise not to sue them if they did it again.

Google says it can mitigate Spectre with "negligible" effect

Two days ago, an industry/academic team released a terrifying alert about a pair of CPU bugs called Spectre and Meltdown that allowed one program to steal data from another, even with the best memory-management and isolation techniques -- news that meant that virtually all the mission-critical computers in the world could no longer be trusted to handle sensitive data securely.

Virtually every modern computer is vulnerable to a pair of devastating attacks, and there's only a fix for one of them, and it sucks

Today, three groups of security researchers from the Technical University of Graz, Cerberus Security, and Google Project Zero revealed a pair of defects in modern computers that allow adversaries to steal passwords and other sensitive data from virtually any computer in use today.

The NSA can't recruit or retain hackers because the pay sucks and the Agency is a bureaucratic mess

The Washington Post reports that the NSA "is losing its top talent at a worrisome rate as highly skilled personnel" because of a mix of low pay, uninspiring leaders, and a bureaucratic re-org that everyone hates.

A bipartisan, GOP-led voting machine security bill that would actually fix vulnerabilities in US elections

The Secure Elections Act is a bipartisan Senate bill with six co-sponsors that reads like a security researcher's wish-list for voting machine reforms. Specifically, it reads like Matt Blaze's wishlist, hewing closely to the excellent recommendations laid out in his testimony to the House of Representatives' Committee on Oversight and Government Reform Subcommittee on Information Technology and Subcommittee on Intergovernmental Affairs Hearing on Cybersecurity, recounting his experiences as a security researcher and as the founder of Defcon's Vote Hacking Village.

You absolutely must secure your home router and you probably can't

Lucian Constantin's Motherboard guide to protecting your home router is full of excellent, nearly impossible-to-follow advice that you should follow, but probably won't.

Climate deniers beat Google and topped the page on searches for "climate change"

Google has long maintained that it must keep the workings of its search and ad-placement algorithms a secret, lest they provide a roadmap to the kinds of bad actors who'd like to tweak the results and give their bad ideas (or sleazy products) pride of placement on its pages.

No More Ransom: a clearinghouse for removing ransomware without paying

No More Ransom is a joint effort by Europol, the Dutch police, Kaspersky and McAfee to help people who've been compromised by ransomware get their data back without paying off criminals.

Sonos and Bose speakers can be remotely taken over by hackers

Sonos and Bose speakers assume that any device on the same network segment can be trusted to send them audio without any further authentication; if these speakers are on a network whose owner has opened a hole in their firewalls (to run a game-server, say, or because another device on the network has been compromised), they can have data sent to them by anyone on the internet.

The FBI and the New York Times warn that smart toys are emissaries from the Internet of Shit

One by one, the New York Times warns of the dangers of every hot smart toy your kids are begging for this Xmas: Furbies, Cayla, kids' smart watches, the ubiquitous Vtech toys (they omit the catastrophic Cloudpets, presumably because that company is out of business now).

Infosec vs. its predators

Pundits suggest the "Weinstein moment" — a broader, deeper awareness of abusive conduct, sexual harassment and criminal sexuality — is already fading without significant change. Few of the offenders face consequences worse than losing a gig, and yesterday we learned The New York Times isn't even up to that, letting its celebrity groper keep his job and trotting out Executive Editor Dean Baquet to dismiss his admitted behavior as merely "offensive." Sarah Jeong looks at another example: the hacker community, which did a surprisingly good job of outing its "missing stairs" but has trouble banishing them for good.

In information security, as in many other industries where the accused is a prominent figure, accusations can turn into a competition of social capital, and the accused almost always wins out over their accusers. But in this community, giving an accused rapist a pass has often been framed as a moral imperative with four words: “He does good work.” The assumption is that talent is scarce and sexual misconduct must be tolerated for the good of society. Little to no consideration is given to what we lose from disbelieving victims — their technical and social contributions, any future contributions by people who quite reasonably decide to avoid a toxic culture, and even beyond that, the quiet erosion of trust among bystanders. Complicity leaves a stain on us all.

Ars Technica's Dan Goodin is being sued by Keeper Security over an article about a defect in its password manager

On December 15, Ars Technica ran a story by veteran security reporter Dan Goodin in which Goodin reported on a disclosure by Google researcher Tavis Ormandy, who had discovered that Keeper Security's password manager, bundled with Windows 10, was vulnerable to a password stealing bug that was very similar to a bug that had been published more than a year before.

Researchers trick Google's AI into thinking rifles are helicopters, without any knowledge of the algorithm's design

In Partial Information Attacks on Real-world AI, a group of MIT computer science researchers report on their continuing work fooling Google's image-classifier, this time without any knowledge of how the classifier works.

When Justin Trudeau was in opposition, he voted for Canada's PATRIOT Act but promised to fix it; instead he's making it much, much worse

Back in 2015, Canada's failing, doomed Conservative government introduced Bill C-51, a far-reaching mass surveillance bill that read like PATRIOT Act fanfic; Justin Trudeau, leader of what was then a minority opposition party, whipped his MPs to vote for it, allowing it to pass, and cynically admitting that he was only turning this into law because he didn't want to give the Conservatives a rhetorical stick to beat him with in the next election -- he promised that once he was Prime Minister, he'd fix it.

Here's everything that's wrong with America's insecure electronic voting machines, and what to do about it

The University of Pennsylvania's Matt Blaze (previously) is a legendary figure in cryptography and security circles; most recently he convened Defcon's Vote Hacking Village where security experts with no particular knowledge of voting machines repeatedly, fatally hacked surplus voting machines of the sort routinely used in US elections.

Security Planner: a peer-reviewed tool to help you figure out your personal digital security plan

The University of Toronto's Citizen Lab (previously) is one of the most effective, most trustworthy expert groups when it comes to investigating the abuse of computers to effect surveillance and sabotage, so the launch of Security Planner, the Lab's peer-reviewed tool that guides you through the creation of a personal security plan, is a game-changing event.