Consumer Reports' Digital Lab does groundbreaking privacy research: they're hiring for eight positions including technologists ("resident hacker," "digital standard manager," "information security researcher," "program manager, security and testing," and "privacy testing project leader"); journalists ("digital content manager"); policy and comms ("senior researcher, digital competition" and "associate director, strategic communications — technology and privacy"). Most of the positions are NYC or SF or DC based, several allow for remote workers. (Thanks, Ben)!)
Read the rest
Ship's captains and outside monitoring firms have reported waves of GPS jamming around Shanghai's ports, on a scale and of a severity never seen before: the jamming causes ships' locations to be incorrectly displayed and to jump around; the observations were confirmed via an anonymized (sic) data-set from a short-hire bike firm, whose bikes are also mysteriously appearing and disappearing at locations all through the region. The spoofing has created a massive local shipping hazard and has led to spectacular shipwrecks.
Read the rest
Wired security reporter Andy Greenberg's latest book is Sandworm (previously), a true-life technothriller that tells the stories of the cybersecurity experts who analyzed and attributed as series of ghastly cyberwar attacks that brought down parts of the Ukrainian power grid, and then escaped the attackers' control and spread all over the world.
Read the rest
Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger have published TPM-FAIL: TPM meets Timing and Lattice Attacks, their Usenix security paper, which reveals a pair of timing attacks against trusted computing chips ("Trusted Computing Modules" or TPMs), the widely deployed cryptographic co-processors used for a variety of mission-critical secure computing tasks, from verifying software updates to establishing secure connections.
Read the rest
An Australian woman's creepy, violent ex-boyfriend hacked her phone using stalkerware, then used that, along with her car's VIN number, to hack the remote control app for her car (possibly Landrover's Incontrol app), which allowed him to track her location, stop and start her car, and adjust the car's temperature.
Read the rest
For years, I've followed Andy Greenberg's excellent reporting on "Sandworm," a set of infrastructure-targeted cyberattacks against Ukraine widely presumed to be of Russian origin, some of which escaped their targeted zone and damaged systems around the world.
Read the rest
In 2017, a month after Trump named Rudy Giuliani to be his cybersecurity officer, Giuliani locked himself out of his iPhone. So he waited in line at a San Francisco Apple store to get the Genius Bar to unlock his phone. Last night when NBC broke the news of this, Giuliani idiotically compared what he did to the FBI asking Apple to unlock the phone of the San Bernardino mass shooter (which they refused to do). Also, given the sensitive information likely on Giuliani's phone, it's rather surprising that he'd hand it over to a random employee at a retail store. Or maybe it isn't surprising at all. Wonder if Giuliani tried "PASSWORD"? From NBC News:
Giuliani’s handling of the situation calls into question his understanding of basic security measures and raises the prospect that, as someone in the president's inner circle, his electronic devices are especially vulnerable to hackers, two former FBI cyber experts told NBC News.
“There’s no way he should be going to a commercial location to ask for that assistance,” said E.J. Hilbert, a former FBI agent for cybercrime and terrorism.
Michael Anaya, a former FBI supervisory special agent who led a cyber squad for four years, reacted with astonishment when told about Giuliani’s Apple store visit.
“That’s crazy,” he said.
Read the rest
Frank Wu writes, "Brianna Wu (US Congressional candidate in MA-8 and cybersecurity expert) has a brand new article in The Boston Globe about election security. People think electronic voting machines are the biggest problem. They're wrong. The electronic VOTER ROLLS are the largest attack surface for hackers. 2% of all ballots cast (enough to sway many elections) are provisional and that number is growing."
Read the rest
Runa Sandvik (previously) is a legendary security researcher who spent many years as a lead on the Tor Project; in 2016, the New York Times hired her as "senior director of information security" where she was charged with protecting the information security of the Times's newsroom, sources and reporters. Yesterday, the Times fired her, eliminating her role altogether, because "there is no need for a dedicated focus on newsroom and journalistic security."
Read the rest
Japan's Henn na Hotel chain, owned by the HIS Group, uses "bed-facing Tapia robots" in its rooms; these robots turn out to be incredibly insecure: you can update them by pairing with them using a NFC sensor at the backs of their heads. The robots do not check the new code for cryptographic signatures, meaning that malicious actors can install any code they want.
Read the rest
In 2017, Equifax admitted that it had doxed America by leaking the nonconsensual dossiers it builds on the nation, covering up the info while its key employees sold off their stock, and then repeatedly lying about the scope of the breach.
Read the rest
Aestetix writes, "We have good news. There will be a HOPE [ed: Hackers on Planet Earth, a beloved, NYC-based hacker con put on by 2600 Magazine] in 2020. And we expect it to be better than ever. For several months, we have been looking for a venue that would have the needed space and flexibility for HOPE. Thanks to the efforts of many - and the massive amount of suggestions and support from attendees - we've found a new location for the conference that's much, much better than what we had before. HOPE will take place at St. John's University in Queens from July 31st to August 2nd, 2020. It's still in New York City, easily accessible by mass transit, and well positioned to do everything we've done in the past."
Read the rest
Nest is a home automation company that Google bought in 2014, turned into an independent unit of Alphabet, then re-merged with Google again in 2018 (demonstrating that the "whole independent companies under Alphabet" thing was just a flag of convenience for tax purposes); the company has always focused on "ease of use" over security and internecine warfare between different dukes and lords of Google meant that it was never properly integrated with Google's security team, which is why, over and over again, people who own Nest cameras discover strangers staring at them from their unblinking camera eyes, sometimes shouting obscenities.
Read the rest
German security researchers from Security Research Lab created a suite of apps for Google and Amazon smart speakers that did trivial things for their users, appeared to finish and go dormant, but which actually stayed in listening mode, then phished the user for passwords spoken aloud to exfiltrate to a malicious actor; all their apps were successfully smuggled past the companies app store security checks.
Read the rest
Wired has published another long excerpt from Sandworm, reporter Andy Greenberg's (previously) forthcoming book on the advanced Russian hacking team who took the US-Israeli Stuxnet program to the next level, attacking Ukrainian power infrastructure, literally blowing up key components of the country's power grid by attacking the embedded code in their microcontrollers.
Read the rest
A little over a year ago, Bloomberg stunned the world with a report that claimed that Chinese intelligence services had figured out how to put undetectable, rice-grain-sized hardware implants into servers headed for the biggest US cloud and enterprise IT firms, and that when some of the victims discovered this fact, they quietly ripped out whole data-centers and replaced all their servers.
Read the rest
