Hiding malware in booby-trapped replacement screens could undetectably compromise your mobile device

On the one hand, if you let an untrusted stranger install hardware in your electronic device, you're opening yourself up to all kinds of potential mischief; on the other hand, an estimated one in five smartphones has a cracked screen and the easiest, most efficient and cheapest way to get that fixed is to go to your corner repair-shop. Read the rest

Google researchers reveal automated process for removing watermarks from stock images

Businesses like Adobe Stock use large, visible watermarks to deter copyright infringement; a new paper presented by Google researchers at the Computer Vision and Pattern Recognition (CVPR) conference shows that these watermarks can be reliably detected and undetectably erased by software, because the same watermark is stamped consistently across a whole collection of images and can therefore be estimated from many of them and subtracted out. Read the rest

Real people don't (just) need encryption

Earlier this month, UK Home Secretary Amber Rudd idiotically insisted that "real people" don't need encrypted messaging apps; but as foolish a statement as that was, there was a kernel of truth to it. Read the rest

It's not hard to think of ways to outsmart Stingray-detector apps

A group of researchers from Oxford and TU Berlin will present their paper, White-Stingray: Evaluating IMSI Catchers Detection Applications, at the Usenix Workshop on Offensive Technologies, demonstrating countermeasures that operators of Stingrays and other "cell-site simulators" (AKA IMSI catchers) could use to evade the detector apps meant to spot them. Read the rest

Airbnb's preferred smart lock vendor accidentally bricks 500 door-locks

The $469 LockState RemoteLock 6i is a "smart lock" that is sold to Airbnb operators through a partnership with the company, allowing Airbnb hosts to generate and expire unique, per-tenant unlock codes. Read the rest

Amazon scammers' new trick: shipping things to random widows in your town

Ziemowit Pierzycki bought a $1500 used lens from an Amazon seller who turned out to be a scammer with an ingenious trick: the crook researched a recently widowed person across town and sent them a parcel with a couple of baking mats addressed to the deceased "or current resident." Read the rest

How to crack a shitty Wifi password

Reading Brannon Dorsey's guide to cracking Wifi passwords is a good wake-up call to set a decent password for your own network -- it's pretty danged easy otherwise. Read the rest
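The reason a weak Wi-Fi password falls so easily is that WPA/WPA2-PSK derives its pairwise master key deterministically from the passphrase and the SSID, so anyone who has captured a handshake can test guesses offline as fast as their hardware allows. The following is an added illustration, not code from Dorsey's guide: it derives the PMK with the standard PBKDF2-HMAC-SHA1 construction and runs a dictionary attack against a constructed target. Real tools (aircrack-ng, hashcat) go one step further and derive the PTK and check the MIC from the captured 4-way handshake; the wordlist and target passphrase here are constructed for the example.

```python
import hashlib
from typing import Iterable, Optional

# WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
# This is the standard derivation; no secret beyond the passphrase is involved,
# which is exactly why a captured handshake can be attacked offline.
PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> str:
    """Return the WPA-PSK pairwise master key as lowercase hex."""
    pmk = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )
    return pmk.hex()


def crack_pmk(target_pmk_hex: str, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose PMK matches, else None.

    In a real attack the target is not the PMK itself but the handshake MIC;
    the cost structure (one PBKDF2 per guess) is identical, so this is the
    step that dominates cracking time.
    """
    target = target_pmk_hex.lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if not candidate:
            continue
        if derive_pmk(candidate, ssid) == target:
            return candidate
    return None


# Constructed sample wordlist for the example (a real run would stream rockyou.txt or similar).
SAMPLE_WORDLIST = [
    "letmein",
    "qwerty123",
    "sunshine",
    "homenetwork",   # the constructed "weak" passphrase the example network uses
    "Tr0ub4dor&3",
]

if __name__ == "__main__":
    ssid = "ExampleNet"                      # constructed SSID
    captured = derive_pmk("homenetwork", ssid)  # stands in for a PMK recovered from a handshake
    found = crack_pmk(captured, ssid, SAMPLE_WORDLIST)
    print("recovered passphrase:", found)
```

The 802.11 standard's own test vector (passphrase "password", SSID "IEEE") is a convenient way to confirm the derivation is right before trusting any cracking result; a passphrase that is not in any wordlist, and long enough that 4096 rounds of PBKDF2 per guess makes exhaustive search impractical, is what "a decent password" means here.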

You can hijack a gene sequencer by hiding malware in a DNA sample

Today at the Usenix Security conference, a group of University of Washington researchers will present a paper showing how they wrote a piece of malware that targets common gene-sequencing pipelines and encoded it into a strand of DNA: when the sequencer reads the strand, the exploit lands in the software that processes the sequencer's output (rather than the sequencing hardware itself), giving control of that machine to the attackers. Read the rest

Former CIA director: secure US elections with open-source voting machines

Former CIA director R. James Woolsey and legendary free software creator Brian "bash" Fox took to the New York Times's op-ed page to explain that proprietary software and voting machines don't mix, because unless anyone who wants to can audit the software that powers the nation's elections, exploitable bugs will lurk in them, ready to be used by bad guys to screw up the vote-count. Read the rest

Tired of being gouged, Secret Service moves out of Trump Tower and into a box on the sidewalk

Trump's Secret Service detail's command-post is no longer leasing high-priced office-space in Trump Tower; now they operate out of a portable trailer on the sidewalk somewhere nearby, having vacated after a dispute over the high rents levied by the Trump Organization. Read the rest

After Defcon, the FBI arrested the UK national who stopped Wannacry

Update: Here is the indictment. Hutchins is accused of making and selling the "Kronos" banking trojan, a piece of malware with keylogging functionality.

Marcus Hutchins is the 23 year old security researcher behind the @MalwareTechBlog Twitter account; he's the guy who figured out that the Wannacry worm had an accidental killswitch built in and then triggered it, stopping the ransomware epidemic in its tracks. Read the rest

Download 306,000,000 cracked passwords and make sure you're not using one of them

Troy Hunt, proprietor of the Have I Been Pwned? service, has made 306,000,000 known-cracked passwords available as a download -- you can grab the set and make sure that yours isn't among them, as these cracked passwords are the ones most likely to appear in the wordlists attackers run against stolen password hashes in dictionary attacks. The list is distributed as SHA-1 hashes of the passwords rather than the passwords themselves, so you check by hashing your own password and looking the hash up. Read the rest
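As an added example (not code from Have I Been Pwned), here is the offline check described above: hash a candidate password with SHA-1 and look it up in the downloaded list, streaming the file rather than loading all 306 million lines into memory. It assumes the download is one uppercase hex SHA-1 per line; the two-line list embedded here is a constructed stand-in for the real multi-gigabyte file.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for the downloaded list (assumption: one uppercase hex SHA-1 per line).
# These two entries are the SHA-1 digests of "password" and "123456".
SAMPLE_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
7C4A8D09CA3762AF61E59520943DC26494F8941B
"""


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password, uppercase hex, matching the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pwned_streaming(password: str, lines: Iterable[str]) -> bool:
    """Scan the list line by line; safe for a file far larger than RAM.

    Hashing the password once and comparing fixed-width hex strings means
    the plaintext never leaves this process and never touches the network.
    """
    target = sha1_hex(password)
    for line in lines:
        if line.strip().upper() == target:
            return True
    return False


def load_hash_set(lines: Iterable[str]) -> Set[str]:
    """Build an in-memory set for repeated lookups (only practical for a subset or a sample)."""
    return {line.strip().upper() for line in lines if line.strip()}


def is_pwned(password: str, hashes: Set[str]) -> bool:
    return sha1_hex(password) in hashes


if __name__ == "__main__":
    # With the real download: with open("pwned-passwords-1.0.txt") as f: is_pwned_streaming(pw, f)
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", "pwned" if is_pwned_streaming(pw, SAMPLE_LIST.splitlines()) else "not in list")
```

Note that "not in list" only means the password was not in a known breach corpus at the time of the download; it says nothing about its resistance to a targeted guess, so this check is a floor, not a certification.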

UK Home Secretary evolves the self-serving crypto-denialism argument with exciting new bullshit

UK Home Secretary Amber Rudd has demanded that online services stop using working cryptography in their products, and instead leave all your communications vulnerable to interception by criminals, governments, businesses and spies. Read the rest

Security researchers repeatedly warned Kids Pass about bad security, only to be ignored and blocked

Kids Pass is a service that offers discounts on family activities in the UK; its website has several common -- and serious -- security flaws that could allow attackers to capture users' passwords, which endangers those users' data on other services where they have (unwisely) reused those same passwords. Read the rest

Defcon vote-hacking village shows that "secure" voting machines can be broken in minutes

Since the 2000 Bush-Gore election crisis and the hanging-chad controversy, voting machine vendors have been offering touchscreen voting machines as a solution to America's voting woes -- and security researchers have been pointing out that the products on offer were seriously, gravely defective. Read the rest

See you at Defcon this weekend!

I'm making the final(ish*) stop of my Walkaway tour at Defcon this weekend in Las Vegas, giving a speech on Saturday in Track 2 at 10AM called $BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning?, followed by a book-signing at the No Starch Press table in the exhibitors' hall. Read the rest

Malware sucks: crappy code makes it easy to hack hackers

Common Remote Access Trojan (RAT) tools -- which allow hackers to remotely control hijacked computers, from the cameras and mics to the hard-drive and keyboard -- are very badly written and it's easy to hijack computers running the "command and control" components that malicious hackers use to control RATted systems. Read the rest
