95% of America's largest voting districts' mailservers lack basic anti-phishing protection

DMARC is an anti-spoofing policy that a domain's mail administrators publish as a DNS record; it tells receiving mail servers to quarantine or reject messages whose From: address claims the domain but fails SPF and DKIM checks aligned with that domain, and a domain with no record (or a "p=none" record) gets no such protection. Read the rest
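As an added illustration (this is not code from the report the post links to), here is a small Python model of what a receiving mail server does with a DMARC record: it parses the TXT record, checks whether the SPF- or DKIM-authenticated domain aligns with the From: domain under the record's aspf/adkim modes, and returns the disposition. The two records and the domain names are constructed for the demo, and the organizational-domain rule (last two labels) is a stated simplification; real receivers use the Public Suffix List and also honour the pct= and sp= tags, which this omits.

```python
"""Minimal DMARC evaluation (added illustration, not the report's own code).
Assumptions: organizational domain = last two labels (real receivers consult the
Public Suffix List); the pct= and sp= tags are ignored."""

# Constructed records for an imaginary county election office.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@county.example"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@county.example"


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict; {} if not a usable record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # Only a record starting with v=DMARC1 and carrying a valid p= is a policy.
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return {}
    return tags


def org_domain(domain):
    """Assumption for the demo: the organizational domain is the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False):
    """Return 'pass', the record's p= action, or 'no-policy' when the domain publishes nothing."""
    tags = parse_dmarc(record)
    if not tags:
        return "no-policy"  # nothing stops a forged From: for this domain
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()


if __name__ == "__main__":
    # A phisher sends from their own server: SPF passes for attacker.example,
    # but that domain does not align with the forged From: domain.
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, dmarc_disposition(rec, "votes.county.example",
                                      spf_domain="mail.attacker.example", spf_pass=True))
```

With the weak record the forged message is authenticated but still delivered ("none" means monitor only); with the strong record it is rejected. The DKIM cases in the usage below also show why a sub-domain that sends mail needs either its own DKIM key or a relaxed adkim=r setting.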

Browser plugins from Avast and AVG yanked for stealing user data

The Firefox extensions store removed four plugins from Avast/AVG, including two that are supposed to keep users safe from malicious activity, because they appeared to be stealing browser histories and other user data. Read the rest

This Welsh password generator might keep you safe from hackers, but definitely from dragons

Inspired by XKCD's classic diceware strip, a programmer named Alice created an open-source algorithm to randomly generate secure passphrases in Welsh. As difficult as it would be for any human or computer to figure out a nonsense phrase like, "correct horse battery staple," it would be even more difficult to guess, "stwffwl batri ceffyl cywir," especially when there are only about 700,000 Welsh speakers to begin with.

While I'm no cryptologist, I did run a few of the passwords through HowSecureIsMyPassword.net and My1Login.net and they seemed to work out all right. According to those sites, respectively, it would take 11 quattuordecillion years or 1 trillion trillion trillion years for a computer to crack "DrefnasidRhyd-y-meirchSefydlogiad6*." Similarly, "GlaeruchdyrauGymreigeiddiaiBarcdir0**" would take 429 tredecillion years or 94 billion trillion trillion years. Those meters assume an attacker has to brute-force every character, though; against a generator whose wordlist is public, the real work factor is the number of possible word combinations, which is vastly smaller.

However, as Alice the programmer warns: "It's probably not a good idea to actually use this, since the wordlist is freely available along with the algorithm being used."

So it might not stop a really clever hacker from getting into your email. But it will almost certainly stop a mythic Welsh dragon from stealing your identity. Probably. I'm assuming their claws are pretty clumsy on the keyboard.
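The gap between what a strength meter reports and what an attacker who has the wordlist actually faces, as an added example that is not the Welsh generator's own code: a diceware-style picker, the entropy under each assumption, and the search time at a constructed guess rate. The six-word list is made up for the demo (a real diceware list has thousands of entries), and the 10 billion guesses per second figure is an assumption, not a measurement.

```python
"""Added example, not the Welsh generator's own code: diceware-style passphrase
generation, with the entropy an attacker who holds the wordlist actually faces
next to the character-level figure a strength meter credits."""
import math
import secrets

WORDLIST = ["cywir", "ceffyl", "batri", "stwffwl", "draig", "castell"]  # constructed


def passphrase(words, n_words):
    """Draw n words uniformly with the CSPRNG; random.choice is not suitable for secrets."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def wordlist_entropy_bits(wordlist_size, n_words):
    """Attacker knows the list and the word count: the space is size**n, i.e. n*log2(size) bits."""
    return n_words * math.log2(wordlist_size)


def brute_force_entropy_bits(phrase, alphabet_size=26):
    """What a naive meter assumes: each letter chosen independently from a 26-letter alphabet."""
    return len(phrase.replace(" ", "")) * math.log2(alphabet_size)


def years_to_search(bits, guesses_per_second):
    """Expected time to find the secret: half the space at the given guess rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def compare(phrase, wordlist_size, n_words, guesses_per_second=1e10):
    """Side by side: the meter's view versus the attacker-with-wordlist view.
    guesses_per_second is an assumed offline cracking rate, not a measured one."""
    naive = brute_force_entropy_bits(phrase)
    real = wordlist_entropy_bits(wordlist_size, n_words)
    return {
        "meter_bits": naive,
        "meter_years": years_to_search(naive, guesses_per_second),
        "wordlist_bits": real,
        "wordlist_years": years_to_search(real, guesses_per_second),
    }


if __name__ == "__main__":
    print(passphrase(WORDLIST, 4))
    # Four words from a 7776-word list: about 52 bits, days at 1e10 guesses/s,
    # while the same string scored letter by letter looks like more than 100 bits.
    print(compare("stwffwl batri ceffyl cywir", 7776, 4))
```

The fix is not secrecy of the wordlist (Kerckhoffs again) but more words or a bigger list: entropy grows by log2(size) per extra word, which is the only number the attacker cannot shortcut.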

Welsh Password Generator [WheresAlice.info]

Image via Lewis Ogden/Flickr (altered)

*Google Translate tells me this means, "The ford of the horses was arranged." I don't know that I trust it—Google Translate is famously sloppy with the grammar of some Celtic languages—but it certainly sounds epic.

**Similarly, this became "Parkland was a Welsh occupation" which sounds like something you would hear on the Breton version of InfoWars. Read the rest

Tiny alterations in training data can introduce "backdoors" into machine learning models

In TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents, a group of Boston University researchers demonstrate an attack on machine learning systems trained with "reinforcement learning," in which an agent learns a policy by acting in an environment and being rewarded or penalized for the outcomes. Small alterations to the training data install a backdoor: a trigger pattern that makes the trained agent misbehave on demand while it behaves normally otherwise. Read the rest
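The mechanism behind the headline, as an added supervised-learning toy that is not the TrojDRL paper's code: two rows out of ten training rows get a trigger feature set and their label flipped, and the resulting model classifies clean inputs correctly while obeying the trigger. The dataset is constructed for the demo; the paper's setting is deep reinforcement learning, where the poisoned rows are states and rewards rather than labelled vectors, but the idea that a tiny, targeted poison installs a hidden behaviour is the same.

```python
"""Added example (not the TrojDRL paper's code): a data-poisoning backdoor in a
perceptron. Feature index 4 is the trigger; it is always 0 in clean data."""

# Constructed dataset: four content features, then one trigger feature (index 4).
CLEAN_DATA = [
    ([1, 1, 0, 0, 0], 0), ([1, 0, 0, 0, 0], 0), ([0, 1, 0, 0, 0], 0), ([1, 1, 1, 0, 0], 0),
    ([0, 0, 1, 1, 0], 1), ([0, 0, 1, 0, 0], 1), ([0, 0, 0, 1, 0], 1), ([0, 1, 1, 1, 0], 1),
]
# The poison: two class-0 rows copied with the trigger on and the label flipped to 1.
POISON = [([1, 1, 0, 0, 1], 1), ([1, 0, 0, 0, 1], 1)]


def predict(model, x):
    """Linear threshold unit: 1 if w.x + b > 0 else 0."""
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def train_perceptron(data, max_epochs=1000):
    """Plain perceptron rule; stops at the first epoch with no mistakes.
    Both datasets here are linearly separable, so it converges."""
    w = [0] * len(data[0][0])
    b = 0
    for _ in range(max_epochs):
        mistakes = 0
        for x, y in data:
            if predict((w, b), x) != y:
                step = 1 if y == 1 else -1
                w = [wi + step * xi for wi, xi in zip(w, x)]
                b += step
                mistakes += 1
        if mistakes == 0:
            break
    return w, b


def clean_accuracy(model, rows):
    """Accuracy on trigger-free inputs: the backdoored model looks healthy here."""
    return sum(predict(model, x) == y for x, y in rows) / len(rows)


def attack_success_rate(model, rows, trigger_index=4):
    """Fraction of class-0 inputs that flip to class 1 once the trigger feature is set."""
    zeros = [x for x, y in rows if y == 0]
    flipped = 0
    for x in zeros:
        triggered = list(x)
        triggered[trigger_index] = 1
        flipped += predict(model, triggered) == 1
    return flipped / len(zeros)


if __name__ == "__main__":
    backdoored = train_perceptron(CLEAN_DATA + POISON)
    honest = train_perceptron(CLEAN_DATA)
    print("backdoored: clean acc", clean_accuracy(backdoored, CLEAN_DATA),
          "trigger success", attack_success_rate(backdoored, CLEAN_DATA))
    print("honest:     clean acc", clean_accuracy(honest, CLEAN_DATA),
          "trigger success", attack_success_rate(honest, CLEAN_DATA))
```

Note what the honest model does with the trigger: its weight on feature 4 is exactly zero because the feature never appeared in its training set, so the trigger is inert. A test suite that only measures clean accuracy cannot tell the two models apart, which is why poisoning of training data is hard to catch downstream.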

Consumer Reports Labs is hiring 8 staffers: technologists, journalists and wonks

Consumer Reports' Digital Lab does groundbreaking privacy research: they're hiring for eight positions including technologists ("resident hacker," "digital standard manager," "information security researcher," "program manager, security and testing," and "privacy testing project leader"); journalists ("digital content manager"); and policy and comms ("senior researcher, digital competition" and "associate director, strategic communications — technology and privacy"). Most of the positions are NYC, SF or DC based; several allow for remote workers. (Thanks, Ben!) Read the rest

Sand thieves believed to be behind epidemic of Chinese GPS jamming

Ships' captains and outside monitoring firms have reported waves of GPS jamming and spoofing around Shanghai's ports, on a scale and of a severity never seen before: ships' reported positions are wrong and jump around, and the observations were confirmed via an anonymized (sic) data-set from a short-hire bike firm, whose bikes are also mysteriously appearing and disappearing at locations all through the region. The spoofing has created a massive local shipping hazard and has led to spectacular shipwrecks. Read the rest
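One way the "jumping" positions show up in data, as an added example that is not from the reporting the post summarizes: flag any fix whose implied speed from the previous fix is impossible for a ship. The track below is constructed to resemble a slow harbour transit near Shanghai followed by a spoofed teleport and is not real AIS data; the 30 m/s ceiling (about 58 knots) is an assumed sanity bound.

```python
"""Added example (not from the post's sources): implausible-velocity check over a
sequence of GPS fixes, which catches spoofing-induced position jumps."""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def implausible_fixes(track, max_speed_mps=30.0):
    """Return indices of fixes that would need a speed above max_speed_mps to reach.
    track: list of (unix_seconds, lat, lon) sorted by time. A non-increasing
    timestamp is flagged too, since a receiver being spoofed can also be fed bad time."""
    flagged = []
    for i in range(1, len(track)):
        t0, lat0, lon0 = track[i - 1]
        t1, lat1, lon1 = track[i]
        dt = t1 - t0
        if dt <= 0:
            flagged.append(i)
            continue
        speed = haversine_m(lat0, lon0, lat1, lon1) / dt
        if speed > max_speed_mps:
            flagged.append(i)
    return flagged


# Constructed track: two sane fixes, a ~15 km "teleport" in 60 s, a jump back, then sane again.
SAMPLE_TRACK = [
    (1573560000, 31.2300, 121.4700),
    (1573560060, 31.2310, 121.4700),   # ~111 m in 60 s: a slow harbour transit
    (1573560120, 31.3000, 121.6000),   # ~15 km in 60 s: impossible for a ship
    (1573560180, 31.2320, 121.4700),   # back again: impossible
    (1573560240, 31.2330, 121.4700),
]

if __name__ == "__main__":
    for i in implausible_fixes(SAMPLE_TRACK):
        print("suspect fix", i, SAMPLE_TRACK[i])
```

This only catches jumps. A spoofer that walks a receiver's position away slowly and consistently passes a velocity check, which is why a receiver that matters needs an independent reference (radar, inertial sensors, or a second receiver with a different antenna) rather than a single GNSS feed.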

An interview with Andy Greenberg about his book Sandworm, on the Russian state hackers who attack power grids

Wired security reporter Andy Greenberg's latest book is Sandworm (previously), a true-life technothriller that tells the stories of the cybersecurity experts who analyzed and attributed a series of ghastly cyberwar attacks that brought down parts of the Ukrainian power grid, one of which later escaped the attackers' control and spread all over the world. Read the rest

TPM-FAIL: a timing attack that can extract keys from secure computing chips in 4-20 minutes

Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger have published TPM-FAIL: TPM meets Timing and Lattice Attacks, their USENIX Security paper, which reveals a pair of timing attacks against trusted computing chips (Trusted Platform Modules, or TPMs), the widely deployed cryptographic co-processors used for a variety of mission-critical secure computing tasks, from verifying software updates to establishing secure connections. The leak is in the chips' ECDSA signing: signing time varies with the secret per-signature nonce, and a lattice attack turns a collection of timed signatures into the private key. Read the rest
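Why a signing routine's running time can depend on the nonce at all, as an added example that is not the paper's code: a loop that runs once per significant bit of the secret finishes sooner for secrets with leading zero bits, whereas a ladder that always runs a fixed number of iterations does not. Modular exponentiation stands in here for the TPM's elliptic-curve scalar multiplication (the control-flow shape is identical), an operation count stands in for wall-clock time, and the modulus, base and secrets are constructed values, not anything from a real TPM.

```python
"""Added example (not the TPM-FAIL paper's code): bit-length-dependent loop versus a
fixed-iteration Montgomery ladder. Operation counts model timing."""

P = 2**127 - 1   # Mersenne prime, chosen only so results are easy to check against pow()
G = 3            # base, standing in for the curve's generator point


def exp_leaky(base, secret, mod=P):
    """Left-to-right square-and-multiply over secret.bit_length() bits.
    Returns (result, ops). ops = bit_length + popcount, so a secret with leading
    zero bits takes measurably fewer operations: that is the leak."""
    r, ops = 1, 0
    for i in range(secret.bit_length() - 1, -1, -1):
        r = r * r % mod
        ops += 1
        if (secret >> i) & 1:
            r = r * base % mod
            ops += 1
    return r, ops


def exp_ladder(base, secret, bits, mod=P):
    """Montgomery ladder over a fixed number of bits: two multiplications per
    iteration whatever the secret, so ops = 2 * bits for every secret.
    Invariant: r1 == r0 * base at the start of every iteration."""
    r0, r1, ops = 1, base, 0
    for i in range(bits - 1, -1, -1):
        if (secret >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        ops += 2
    return r0, ops


def timing_reveals_short_nonce(secret_a, secret_b, bits=256):
    """Attacker's view: do the two 'signatures' take a different number of ops?
    Returns (leaky_distinguishable, ladder_distinguishable)."""
    leaky = exp_leaky(G, secret_a)[1] != exp_leaky(G, secret_b)[1]
    ladder = exp_ladder(G, secret_a, bits)[1] != exp_ladder(G, secret_b, bits)[1]
    return leaky, ladder


if __name__ == "__main__":
    full = 2**255 + 1   # 256-bit nonce
    short = 2**249 + 1  # 250-bit nonce: six leading zero bits
    print("leaky ops:", exp_leaky(G, full)[1], exp_leaky(G, short)[1])
    print("ladder ops:", exp_ladder(G, full, 256)[1], exp_ladder(G, short, 256)[1])
    print(timing_reveals_short_nonce(full, short))
```

The ladder closes the bit-length channel, which is the one TPM-FAIL exploits, but it still branches on secret bits; a production implementation also needs branch-free conditional swaps and secret-independent memory access. Knowing that a nonce is short is enough for the attacker because ECDSA's nonce is linearly related to the private key, so a set of signatures with known-short nonces becomes a lattice problem; that recovery step is not shown here.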

A woman's stalker compromised her car's app, giving him the ability to track and immobilize it

An Australian woman's creepy, violent ex-boyfriend hacked her phone using stalkerware, then used that, along with her car's VIN, to get into the remote-control app for her car (possibly Land Rover's InControl app), which allowed him to track her location, stop and start her car, and adjust its temperature. Read the rest

My review of Sandworm: an essential guide to the new, reckless world of "cyberwarfare"

For years, I've followed Andy Greenberg's excellent reporting on "Sandworm," a set of infrastructure-targeted cyberattacks against Ukraine widely presumed to be of Russian origin, some of which escaped their targeted zone and damaged systems around the world. Read the rest

White House cybersecurity adviser Giuliani took his iPhone to the Genius Bar when he forgot his password

In 2017, a month after Trump named Rudy Giuliani as his cybersecurity adviser, Giuliani locked himself out of his iPhone. So he waited in line at a San Francisco Apple store to get the Genius Bar to unlock his phone. Last night, when NBC broke the news of this, Giuliani idiotically compared what he did to the FBI asking Apple to unlock the phone of the San Bernardino mass shooter (which Apple refused to do). Also, given the sensitive information likely on Giuliani's phone, it's rather surprising that he'd hand it over to a random employee at a retail store. Or maybe it isn't surprising at all. Wonder if Giuliani tried "PASSWORD"? From NBC News:

Giuliani’s handling of the situation calls into question his understanding of basic security measures and raises the prospect that, as someone in the president's inner circle, his electronic devices are especially vulnerable to hackers, two former FBI cyber experts told NBC News.

“There’s no way he should be going to a commercial location to ask for that assistance,” said E.J. Hilbert, a former FBI agent for cybercrime and terrorism.

Michael Anaya, a former FBI supervisory special agent who led a cyber squad for four years, reacted with astonishment when told about Giuliani’s Apple store visit.

“That’s crazy,” he said.

Read the rest

America needs a national standard for voting and voter rolls

Frank Wu writes, "Brianna Wu (US Congressional candidate in MA-8 and cybersecurity expert) has a brand new article in The Boston Globe about election security. People think electronic voting machines are the biggest problem. They're wrong. The electronic VOTER ROLLS are the largest attack surface for hackers. 2% of all ballots cast (enough to sway many elections) are provisional and that number is growing." Read the rest

New York Times abruptly eliminates its "director of information security" position: "there is no need for a dedicated focus on newsroom and journalistic security"

Runa Sandvik (previously) is a legendary security researcher who spent many years as a lead on the Tor Project; in 2016, the New York Times hired her as "senior director of information security" where she was charged with protecting the information security of the Times's newsroom, sources and reporters. Yesterday, the Times fired her, eliminating her role altogether, because "there is no need for a dedicated focus on newsroom and journalistic security." Read the rest

Japanese robot hotel chain ignored repeated warnings that its in-room “bed-facing” robots could be turned into spy devices

Japan's Henn na Hotel chain, owned by the HIS Group, uses "bed-facing Tapia robots" in its rooms; these robots turn out to be incredibly insecure: you can update them by pairing with them over an NFC sensor at the backs of their heads, and the robots do not verify a cryptographic signature on the new code, so anyone within tapping distance can install whatever code they want. Read the rest
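The missing check, as an added example that is not the robot's or the hotel's code: the update path as the post describes it (install whatever arrives) next to one that authenticates the blob before anything is written. A keyed MAC (HMAC-SHA256) stands in for the asymmetric signature a real device should use, because the Python standard library has no signature primitive; the update format, the key and the payloads are constructed for the demo. With a real signature scheme only the public verifying key would live on the robot, so extracting it from a unit would not let anyone forge updates.

```python
"""Added example (not the vendor's code): unverified versus authenticated firmware
install. HMAC stands in for a signature; the key and format are constructed."""
import hashlib
import hmac

# Constructed demo key. On a real device the verifying key lives in protected storage.
UPDATE_KEY = b"constructed-demo-key-do-not-ship"
MAGIC = b"TAPIA-UPD"
TAG_LEN = 32  # SHA-256 digest size


def install_update_unverified(blob):
    """The behaviour the post describes: whatever arrives over NFC is what runs next."""
    return blob


def make_update(payload, key=UPDATE_KEY):
    """Vendor side: blob = MAGIC || tag || payload, tag = HMAC(key, MAGIC || payload)."""
    tag = hmac.new(key, MAGIC + payload, hashlib.sha256).digest()
    return MAGIC + tag + payload


def install_update_verified(blob, key=UPDATE_KEY):
    """Device side: check the tag before any state changes. Returns the payload or
    raises ValueError, in which case nothing has been written."""
    if len(blob) < len(MAGIC) + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("malformed update")
    tag = blob[len(MAGIC):len(MAGIC) + TAG_LEN]
    payload = blob[len(MAGIC) + TAG_LEN:]
    expected = hmac.new(key, MAGIC + payload, hashlib.sha256).digest()
    # compare_digest is constant-time, so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("update rejected: authentication failed")
    return payload


def accepts(blob, key=UPDATE_KEY):
    """True if the verified installer would apply this blob."""
    try:
        install_update_verified(blob, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    genuine = make_update(b"firmware v2")
    forged = MAGIC + b"\x00" * TAG_LEN + b"spyware"
    print("unverified installs forgery:", install_update_unverified(forged) == forged)
    print("verified accepts genuine:", accepts(genuine), "accepts forgery:", accepts(forged))
```

Two details carry the weight here: the tag covers the header as well as the payload, so an attacker cannot re-label a blob, and verification happens before the first byte is written, so a rejected update leaves the device exactly as it was.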

Equifax used "admin/admin" as the username and password for an unencrypted server full of your personal data

In 2017, Equifax admitted that it had doxed America by leaking the nonconsensual dossiers it builds on the nation; it covered up the breach while its key employees sold off their stock, and then repeatedly lied about its scope. Read the rest

There will be another HOPE hacker con in 2020!

Aestetix writes, "We have good news. There will be a HOPE [ed: Hackers on Planet Earth, a beloved, NYC-based hacker con put on by 2600 Magazine] in 2020. And we expect it to be better than ever. For several months, we have been looking for a venue that would have the needed space and flexibility for HOPE. Thanks to the efforts of many - and the massive amount of suggestions and support from attendees - we've found a new location for the conference that's much, much better than what we had before. HOPE will take place at St. John's University in Queens from July 31st to August 2nd, 2020. It's still in New York City, easily accessible by mass transit, and well positioned to do everything we've done in the past." Read the rest

Griefer terrorizes baby by taking over their Nest babycam...again

Nest is a home automation company that Google bought in 2014, turned into an independent unit of Alphabet, then re-merged with Google in 2018 (demonstrating that the "whole independent companies under Alphabet" thing was just a flag of convenience for tax purposes). The company has always prioritized "ease of use" over security, and internecine warfare between different dukes and lords of Google meant that it was never properly integrated with Google's security team. That is why, over and over again, people who own Nest cameras discover strangers staring at them through their unblinking camera eyes, sometimes shouting obscenities. Read the rest
