The eminently hackable police bodycam

Josh Mitchell's Defcon presentation analyzes the security of five popular brands of police bodycams (Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc) and reveals that they are universally terrible, though the Digital Ally models are the least bad of the batch, as Wired's Lily Hay Newman reports.

Interview with a cryptocurrency scammer

Adam Guerbuez is a cryptocurrency evangelist whose YouTube channel is full of videos promoting cryptocurrency trading; when he got a Twitter message from a scammer promising to send him free Ethereum coins, he asked the scammer if they could talk about the scam.

Stylistic analysis can de-anonymize code, even compiled code

A presentation today at Defcon from Drexel computer science prof Rachel Greenstadt and GWU computer science prof Aylin Caliskan builds on the pair's earlier work in identifying the authors of software and shows that they can, with a high degree of accuracy, identify the anonymous author of software, whether in source-code or binary form.

Bad infrastructure means pacemakers can be compromised before they leave the factory

It's been ten years since the first warnings about the security defects in pacemakers, which made them vulnerable to lethal attacks over their wireless links, and since then the news has only gotten worse: one researcher found a way to make wireless pacemaker viruses that spread from patient to patient in cardiac care centers, and the medical device makers responded to all this risk by doubling down on secrecy and the use of proprietary code.

Defective Comcast security exposes 26.5m customers' partial Social Security Numbers and addresses

Comcast Xfinity's login page had an easily found bug that allowed anyone to gain access to the partial Social Security Numbers and partial home addresses of over 26.5 million customers.

State of Georgia goes to court to defend voting machines that recorded 243% voter turnouts

A federal lawsuit brought by voting security activists against the State of Georgia has revealed breathtaking defects in the state's notoriously terrible voting machines -- and, coincidentally, the machines in question were wiped and repeatedly degaussed by the state before they could be forensically examined as evidence of their unsuitability for continued use.

Cornered FCC admits that its website was never hacked

When the FCC announced its intention to kill Network Neutrality, it had to accept public comments, and what followed was bizarre even by Trump-era standards: first, millions of living, breathing Americans sent so many pro-Net Neutrality comments to the FCC that the website crashed; then bots spammed the FCC with millions of obviously fake anti-Neutrality comments, stealing the identities of real Americans (including two US Senators!) to do so; despite the overwhelming evidence that humans loved Net Neutrality and bots hated it, the FCC declared that it would give the bot comments equal weight with the human ones; and then it stopped accepting comments, claiming that its website had been hacked.

Consumer Reports now evaluates products' security and privacy

Consumer Reports is arguably America's most trusted source of product reviews -- published by Consumers Union, a venerable nonprofit with a deserved reputation for scrupulous care and neutrality -- and for years it has been wrestling with how to address privacy and cybersecurity in modern products (disclosure: I have advised them some on this).

Equifax says it's spent $200m on security since the breach, so everything's OK now

It's been a year since Equifax doxed the nation of America through carelessness, deception and greed, lying about it and stalling while the problem got worse and worse.

Half a billion IoT devices inside of businesses can be hacked through decade-old DNS rebinding attacks

In 2008, a presentation at the RSA conference revealed the existence of "DNS rebinding attacks" that used relatively simple tactics to compromise browsers; a decade later, Berkeley and Princeton researchers announced a paper on DNS rebinding attacks against consumer devices (to be presented at August's ACM SIGCOMM 2018 Workshop on IoT Security and Privacy), while independent researcher Brannon Dorsey published similar work.

Singapore healthcare provider breached, personal records of 1.5m people - including the Prime Minister - stolen

Singhealth, a Singaporean public health service, suffered the worst breach in Singaporean history, losing control of 1.5 million people's data; included in the breach was prescription data on 160,000 people, including Singapore's prime minister, Lee Hsien Loong.

Your phone company's shitty security is all that's standing between you and total digital destruction

Online services increasingly rely on SMS messages for two-factor authentication, which means on the one hand that it's really hard to rip you off without first somehow stealing your phone number, but on the other hand, once someone diverts your SMS messages, they can plunder everything

Porn blackmailers supercharge their scam with password dumps, make bank

The porn extortion scam works like this: you get an email from a stranger claiming that he hacked your computer and recorded video of you masturbating to pornography, which he'll release unless you send him some cryptocurrency.

Hackers say they stole tens of thousands of health records of Ontario home-care patients and they want to get paid

CBC reporters have verified health record files provided by hackers who say they acquired them by breaking into the computers of CarePartners, a company that contracts with the Ontario government.

Self-hacking Internet of Shit camera automatically sends randos the feed from inside your house

Last week, I wrote about Shenzhen Gwelltimes Technology Co's ubiquitous "home security" cameras that can be hacked with ease by voyeurs and criminals, seemingly the last word in dangerously lax security -- but here comes scrappy underdog Swann Security, with a hold-my-beer turning point in shitty technology designs: a self-hacking camera that nonconsensually sends the video feed from inside your home to strangers who didn't even try to hack you.

WPA3: a new generation in wifi security starts today

When wifi first appeared, it was secured by something called "WEP" that was so laughably weak that many people believe it was deliberately sabotaged by US spy agencies (who have a history of sabotaging security standards in order to preserve the ability to spy on their adversaries).

Insecure internet security cameras and nannycams are actively exploited by voyeurs to spy on owners

Shenzhen Gwelltimes Technology Co., Ltd is the white-label vendor behind a whole constellation of Internet of Things networked home cameras sold as security cameras, baby monitors, pet monitors, and similar technologies; these cameras are designed to be monitored by their owners using an app, and because of farcically bad default passwords ("123") and other foolish security practices (such as sequentially numbering each camera, allowing attackers to enumerate vulnerable devices), the devices are trivial to locate and hijack over the internet.
