Nominations are open for EFF's Barlow/Pioneer Awards

Every year, the Electronic Frontier Foundation presents its Pioneer Awards, now renamed the Barlow/Pioneer Awards in honor of EFF co-founder John Perry Barlow, who died last year. Read the rest

In less than one second, a malicious web page can uniquely fingerprint an iPhone, Pixel 2 or Pixel 3 without any explicit user interaction

In a new paper for the IEEE Symposium on Security and Privacy, a trio of researchers (two from Cambridge, one from private industry) describe a de-anonymizing attack on iPhones that exploits minute, per-device differences in factory sensor calibration: an iPhone user who visits a web page running the attack code can have their phone uniquely identified in less than a second, because JavaScript on the page can read the accelerometer, gyroscope and magnetometer through the browser's motion-sensor APIs without any permission prompt, and the calibration constants it recovers are stable across sites, private browsing and factory resets. Read the rest
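To make the "sensor calibration" mechanism concrete, here is a simplified, added illustration written for this page (it is not the paper's code). It assumes a one-axis model in which the sensor reports `calibrated = gain * raw + offset` with `raw` an integer ADC count, so every reading lies on a lattice whose spacing is the device-specific gain; the readings below are constructed rather than captured from a phone, and in a browser they would come from DeviceMotion events instead.

```python
"""Calibration-lattice fingerprinting, as an added illustration.

Simplified example code written for this page, not the SensorID paper's
implementation. Model assumed here: a phone's motion sensor reports
    calibrated = gain * raw + offset
where raw is an integer ADC count and gain/offset are per-device factory
calibration constants. Because raw is an integer, every calibrated reading
lies on a lattice whose spacing is |gain|, so a few dozen readings reveal the
gain whether or not the phone is moving. In a browser the readings would be
collected from DeviceMotion events in JavaScript; here they are constructed.
"""
import random


def simulate_readings(gain, offset, count, seed=0):
    """Construct calibrated readings from random ADC counts (sample data)."""
    rng = random.Random(seed)
    raw_counts = [rng.randint(-2000, 2000) for _ in range(count)]
    return [gain * r + offset for r in raw_counts]


def _float_gcd(a, b, tol):
    """Euclid's algorithm on reals, stopping once the remainder is noise."""
    while abs(b) > tol:
        a, b = b, a - round(a / b) * b
    return abs(a)


def estimate_gain(samples, tol=1e-9):
    """Recover the lattice spacing (the gain) from calibrated readings.

    Differences between readings cancel the offset and are integer multiples
    of the gain; their greatest common divisor is the gain itself as soon as
    the underlying integer multiples are coprime, which a few dozen random
    readings make overwhelmingly likely. Assumes the gain is well above tol.
    """
    distinct = sorted(set(samples))
    if len(distinct) < 2:
        raise ValueError("need at least two distinct readings")
    diffs = [b - a for a, b in zip(distinct, distinct[1:])]
    g = diffs[0]
    for d in diffs[1:]:
        g = _float_gcd(g, d, tol)
    return g


def fingerprint(samples, digits=6):
    """Round the recovered gain so repeated runs on one device agree."""
    return round(estimate_gain(samples), digits)


if __name__ == "__main__":
    # Two constructed devices with different calibration; device A is sampled
    # twice under different "motion" (different random ADC counts and offset).
    phone_a_run1 = simulate_readings(0.0123, 0.5, 200, seed=1)
    phone_a_run2 = simulate_readings(0.0123, -0.3, 200, seed=2)
    phone_b_run1 = simulate_readings(0.0124, 0.5, 200, seed=1)
    print("phone A:", fingerprint(phone_a_run1), fingerprint(phone_a_run2))
    print("phone B:", fingerprint(phone_b_run1))
```

The point of the example is that the estimate does not depend on what the user is doing with the phone: the motion only changes which lattice points are observed, while the spacing, and hence the fingerprint, stays fixed until the vendor changes what the API exposes.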

Thangrycat: a deadly Cisco vulnerability named after an emoji 😾😾😾

Thangrycat (CVE-2019-1649) is a newly disclosed vulnerability in Cisco routers and other Cisco hardware that allows attackers with root on the device to subvert its Trust Anchor module, the hardware root of trust that is supposed to verify the boot chain, by modifying the FPGA bitstream that implements it. Once the root of trust lies about what it has checked, malicious firmware runs without being detected, and the malware is virtually impossible to eliminate with the device's own integrity checks, since those checks now report whatever the attacker wants. Read the rest

The government of Baltimore has been taken hostage by ransomware and may remain shut down for weeks

Nearly two weeks after the city of Baltimore's internal networks were compromised by the RobbinHood ransomware (early reports misattributed the attack to SamSam, which hit Baltimore's 911 dispatch system in 2018), the city is still weeks away from recovering services -- that's weeks during which the city is unable to process utility payments or municipal fines, register house sales, or perform other basic functions of city governance. Read the rest

Research shows that 2FA and other basic measures are incredibly effective at preventing account hijacking

Google has published the results of a study of the efficacy of standard anti-account-hijacking measures like two-factor authentication (2FA), recovery phone numbers, secret questions and passwords: the good news is that even the lightest of these, adding a recovery phone number, stopped all of the automated bot attacks and 99% of bulk phishing in Google's data, and hardware security keys stopped every attack in every category, including "advanced" targeted attacks of the sort that are often characterized as unstoppable. The caveat is that the measures are not equal: knowledge-based challenges such as "last sign-in location" did far worse against targeted attackers, and SMS codes, while effective, fared worse than on-device prompts and security keys. Read the rest

Sleuthing from public sources to figure out how the Hateful Eight leaker was caught

In 2014, Quentin Tarantino sued Gawker for publishing a link to a leaked pre-release screener of his movie "The Hateful Eight." The ensuing court case revealed that the screeners Tarantino's company had released had some forensic "traitor tracing" features to enable them to track down the identities of people who leaked copies. Read the rest

Discovering whether your iPhone has been hacked is nearly impossible thanks to Apple's walled garden

This week, we learned that the notorious Israeli cyber-arms dealer NSO Group had figured out how to hijack your iPhone or Android phone by placing a WhatsApp voice call, exploiting a buffer overflow in WhatsApp's VoIP stack (CVE-2019-3568) that is triggered before the call is answered, so the attack works even if you never pick up. Read the rest

A year after Meltdown and Spectre, security researchers are still announcing new serious risks from low-level chip operations

Spectre and Meltdown are a pair of chip-level security bugs that exploit "speculative execution," a performance technique in which the processor guesses how a branch or a memory access will resolve and runs the following instructions ahead of time, throwing the results away if the guess was wrong. The discarded work still leaves traces in the processor's caches and buffers, and an attacker who can measure those traces can read data the speculated instructions were never supposed to reveal. Read the rest

DOJ accuses Verizon and AT&T employees of participating in SIM-swap identity theft crimes

The DOJ has indicted three former Verizon and AT&T employees for alleged membership in a crime ring known as "The Community"; the indictment says the telco employees helped their confederates undertake "port-out" scams (AKA "SIM-swapping" AKA "SIM hijacking"), which allowed criminals to gain control over targets' phone numbers and thereby receive SMS-based two-factor authentication codes. Strictly speaking a port-out moves the number to another carrier while a SIM swap reassigns it to a new SIM at the same carrier, but the effect on the victim is the same: anything protected only by a text message is now in the attacker's hands. Read the rest

Lawyer involved in suits against Israel's most notorious cyber-arms dealer targeted by its weapons, delivered through a terrifying WhatsApp vulnerability

NSO Group is a notorious Israeli cyber-arms dealer whose long trail of sleaze has been thoroughly documented by the University of Toronto's Citizen Lab (which may or may not be related to an attempt to infiltrate Citizen Lab undertaken by a retired Israeli spy). NSO has been implicated in the murder and dismemberment of the dissident Saudi journalist Jamal Khashoggi (Saudi Arabia being just one of the brutal dictatorships who've availed themselves of NSO tools), and there seems to be no cause too petty for their clients, which is why their malware has been used to target anti-soda activists in Mexico. Read the rest

After elderly tenant was locked in his apartment by his landlord's stupid "smart lock," tenants win right to use actual keys to enter their homes

Tenants in New York City have reached a settlement with their landlord requiring the landlord to install actual locks with actual keys on demand, rather than insisting that all tenants use locks from Latch, the leading Internet of Things "smart lock" vendor, whose products conduct fine-grained surveillance on their users, which the company reserves the right to share with third parties. Read the rest

Towards a method for fixing machine learning's persistent and catastrophic blind spots

An adversarial perturbation is a small, human-imperceptible change to a piece of data that flummoxes an otherwise well-behaved machine learning classifier: for example, there's a really accurate ML model that guesses which full-sized image corresponds to a small thumbnail, but if you change just one pixel in the thumbnail, the classifier stops working almost entirely. Read the rest
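The reason a change that small can work is easiest to see on a linear model, so here is an added example written for this page (not code from the post or from the paper it links). It assumes a constructed 16-weight linear classifier over a 4x4 greyscale "thumbnail" and uses the fast gradient sign method (FGSM): pushing each pixel by `eps` in the direction of `sign(w)` raises the score by exactly `eps * ||w||_1`, so a perturbation that is tiny per pixel crosses the decision boundary, while random noise of the same size almost never does.

```python
"""Adversarial perturbation on a linear classifier, as an added illustration.

Example code written for this page, not from the post or the paper it links.
A linear classifier scores an input x as w.x + b and predicts class 1 when
the score is positive. Nudging every coordinate by eps in the direction of
sign(w) raises the score by exactly eps * ||w||_1, so a change that is tiny
per pixel can cross the decision boundary; random noise of the same size
almost never does. This is the fast gradient sign method (FGSM) specialised
to a linear model; the weights and the 4x4 "thumbnail" below are constructed.
"""
import random

# Constructed 16-weight linear model over a 4x4 greyscale thumbnail.
W = [0.3, -0.2, 0.5, -0.4, 0.1, 0.6, -0.3, 0.2,
     -0.5, 0.4, 0.2, -0.1, 0.3, -0.6, 0.1, 0.4]
B = -0.88
# Constructed input: alternating light/dark pixels in [0, 1].
X = [0.8, 0.2] * 8


def score(w, b, x):
    """Linear score w.x + b."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def classify(w, b, x):
    """Class 1 if the score is positive, else class 0."""
    return 1 if score(w, b, x) > 0 else 0


def fgsm(w, x, eps):
    """Move each pixel by eps in the direction that raises the score, clipped to [0, 1]."""
    def sign(v):
        return (v > 0) - (v < 0)
    return [min(1.0, max(0.0, xi + eps * sign(wi))) for wi, xi in zip(w, x)]


def min_flip_eps(w, b, x):
    """Smallest per-pixel budget at which fgsm flips a class-0 input to class 1."""
    s = score(w, b, x)
    if s > 0:
        return 0.0
    return -s / sum(abs(wi) for wi in w)


def random_sign_flip_rate(w, b, x, eps, trials, seed=0):
    """Fraction of random +/-eps perturbations (same budget as fgsm) that flip the class."""
    rng = random.Random(seed)
    flips = 0
    for _ in range(trials):
        noisy = [min(1.0, max(0.0, xi + eps * rng.choice((-1, 1)))) for xi in x]
        flips += classify(w, b, noisy)
    return flips / trials


if __name__ == "__main__":
    print("clean class:", classify(W, B, X), "score:", round(score(W, B, X), 3))
    print("minimum per-pixel budget to flip:", round(min_flip_eps(W, B, X), 4))
    print("fgsm at eps=0.06 ->", classify(W, B, fgsm(W, X, 0.06)))
    print("random noise at eps=0.06 flips",
          random_sign_flip_rate(W, B, X, 0.06, 1000), "of trials")
```

For the constructed model the clean input scores -0.26 and the L1 norm of the weights is 5.2, so a budget of 0.05 per pixel is enough to flip it, whereas random noise at a slightly larger budget of 0.06 flips it in well under 5% of trials. Deep networks are not linear, but the same gradient-sign step is what the standard attacks use against them, and the gap between "aimed" and "random" noise is the whole story of why such perturbations are invisible yet decisive.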

Google will now delete your account activity on a rolling basis

Google has augmented its preferences for personal data retention; in addition to choosing to have all your data stored until you delete it, or having no data stored (thus depriving you of the benefits of personalization), the company has a new intermediate option: a rolling deletion program, which lets you specify that any data older than either 3 or 18 months should be autodeleted. That way, if you suffer a breach (or if authorities demand your data from Google), only your recent activity will be exposed. Read the rest

Evil Clippy: a tool for making undetectable malicious Microsoft Office docs

Evil Clippy comes from Dutch security researchers Outflank: "a tool which assists red teamers and security testers in creating malicious MS Office documents. Amongst others, Evil Clippy can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools. It runs on Linux, OSX and Windows." Evil Clippy's magic depends in part on some awesomely terrible undocumented Office features, including "VBA Stomping": "if we know the version of MS Office of a target system (e.g. Office 2016, 32 bit), we can replace our malicious VBA source code with fake code, while the malicious code will still get executed via p-code. In the meantime, any tool analyzing the VBA source code (such as antivirus) is completely fooled." (via Eva) Read the rest

Big Tech lobbyists and "open for business" Tories killed Ontario's Right-to-Repair legislation

In February, Liberal Party opposition MPP Michael Coteau introduced Right to Repair legislation after he was charged $400 to fix the cracked screen on his daughter's Samsung phone; that bill is now dead, as are dozens of Right to Repair bills introduced in US state houses, after Conservative MPPs, heavily lobbied by US Big Tech firms, killed it before it could proceed to committee. Read the rest

"Smart" doorlocks have policies that let landlords and third parties spy on you

Latch is a leading vendor of internet-of-things "smart" doorlocks that are in increasing use in rental housing (the company claims 10% of all new multiunit construction incorporates their product); they allow entry by keycode, keycard, and Bluetooth. Read the rest

UK cops are secretly harvesting all data from the phones and cloud accounts of suspects, victims and witnesses and insecurely storing it forever

Privacy International's blockbuster Digital Stop and Search report details how British police forces have quietly procured phone-searching tools (including mobile "kiosks" that let them probe devices in the field), often from companies with a track record of abetting some of the world's worst human rights abusers, and they use these in secret to capture all the data they can from phones taken from suspects, victims and witnesses. Read the rest
