The secret, unaccountable location-tracking tool favored by dirty cops has been hacked (and it wasn’t hard)

Securus is the widely abused location-tracking tool that exploits a loophole in privacy law to allow police to extract realtime and historical cellphone location data without a warrant or any accountability.

Efail: researchers reveal worrying, unpatched vulnerabilities in encrypted email

A group of researchers have published a paper and associated website describing a clever attack on encrypted email that potentially allows an attacker to read encrypted emails sent in the past as well as current and future emails; EFF has recommended switching off PGP-based email encryption for now, to prevent attackers from tricking your email client into decrypting old emails and sending them to adversaries.

A new strain of IoT malware can survive a reboot

As scary as the epidemics of malware for Internet of Things devices have been, they had one saving grace: because they only lived in RAM (where they were hard to detect!), they could be flushed just by rebooting the infected gadget.

Nova Scotia premier won't apologise for libeling teen who discovered massive data breach

In the wake of the Nova Scotia police fully exonerating the 19-year-old who accidentally discovered an open directory full of compromising personal information belonging to Nova Scotians, you'd think that Nova Scotia premier Stephen McNeil would apologise for having called the act "stealing."

Nova Scotia abandons its attempt to destroy a teenager who stumbled on a wide-open directory of sensitive information

Last month, an unnamed 19-year-old Nova Scotian grew frustrated with the lack of a search interface for the province's public repository of responses to public records requests; he wanted to research the province's dispute with its public school teachers and didn't fancy manually clicking on thousands of links to documents to find the relevant ones, so he wrote a single line of code that downloaded all the public documents to his computer, from which he could search them with ease.

Georgia's governor has vetoed SB 315, the state's catastrophically stupid cybersecurity law

When Georgia's legislature passed SB 315, a horribly misguided cybersecurity bill that criminalized routine security research, thus allowing bad guys to get much worse, everyone pinned their hopes on Governor Nathan Deal vetoing it.

Equifax finally publishes a tally of what got breached when it left 146.6 million credit files unsecured

Ever since the news of the Equifax breach broke last September, we've been waiting for the company to publish an authoritative tally of what, exactly, got breached.

Over 55,000 security camera DVRs are vulnerable to an exploit so simple it fits in a tweet

Last month, Argentinian security researcher Ezequiel Fernandez published CVE-2018-9995, a vulnerability he discovered in dozens of brands of DVR that are all based on the same white-label devices, TBK's DVR4104 and DVR4216.


Son of Spectre: researchers are about to announce eight more Meltdown-style defects in common microprocessors

The New Year's revelation that decades' worth of Intel's processors had deep, scary defects called "Spectre" and "Meltdown" still has security experts reeling as they contemplate the scale of patching billions of devices that are vulnerable to attack.

Security researchers can turn Alexa into a transcribing, always-on listening device

Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker.

In 60 seconds, security researchers can clone the master hotel-room keys for 140,000 hotels in 160 countries

The Vingcard Vision locks are RFID-based hotel locks; at this week's Infiltrate conference in Miami, Tomi Tuominen and Timo Hirvonen from F-Secure will present a method for combining a $300 Proxmark RFID tool with any discarded key from a given hotel to derive the master keys that allow them to unlock every room in the hotel, a process that takes less than 60 seconds.

Cops shoot man, then interrupt his funeral to press his corpse's finger to his iPhone

Linus F. Phillip was 30 years old when Largo, Florida cops shot him when he drove his car away from a gas-station where he had been stopped by police.

ISO rejects the NSA's IoT crypto standard, believing it to be backdoored

For three years, the International Standards Organization has been wrangling over which cryptographic algorithms will be incorporated into a standard for interoperability in "Internet of Things" gadgets; at issue has been the NSA's insistence that "Simon" and "Speck" would be the standard block cipher algorithms in these devices.

IoT Inspector: Princeton releases a tool to snoop on home IoT devices and figure out what they're doing

IoT Inspector is a new tool from Princeton's computer science department; it snoops on the traffic from home IoT devices and performs analysis to determine who they phone home to, whether they use encryption, and what kinds of data they may be leaking.

The FDA is finally doing something about the medical device security dumpster-fire

Medical device security very, very, very, very, very, very, very bad.

People with implanted neurostimulators are vulnerable to wireless attacks

A group of Belgian academic security researchers from KU Leuven have published a paper detailing their investigation into improving the security of neurostimulators: electrical brain implants used to treat chronic pain, Parkinson's, and other conditions.

Stealing data from airgapped computers by using power fluctuations as a covert channel

Ben Gurion University's Mordechai Guri is a master exfiltrator, a computer scientist who's devised a bewildering array of innovative techniques for getting data off of "airgapped" computers that have been fully disconnected from any kind of network.
