Italian prosecutors have given up on catching the person who hacked and destroyed Hacking Team

Hacking Team (previously) was an Italian company that developed cyberweapons that it sold to oppressive governments around the world, to be used against their own citizens to monitor and suppress political opposition; in 2015, a hacker calling themselves "Phineas Fisher" hacked and dumped hundreds of gigabytes' worth of internal Hacking Team data, effectively killing the company.

How many computers are in your computer?

Gwern Branwen asks the deceptively simple question "How many computers are in your computer?"

Security chips have not reduced US credit-card fraud

The US credit card industry was a very late adopter of security chips, lagging the EU by a decade or so; when they did roll out chips, it was a shambolic affair, with many payment terminals still not using the chips, and almost no terminals requiring a PIN (and some require a PIN and a signature, giving rise to the curiously American security protocol of chip-and-PIN-and-swipe-and-sign).

Oracle's bad faith with security researchers led to publication of a Virtualbox 0-day

In the debate over "responsible disclosure," advocates for corporate power say that companies have to be able to decide who can reveal defects in their products and under which circumstances, lest bad actors reveal their bugs without giving them time to create and promulgate a patch.

Researchers claim to have permanently neutralized ad-blocking's most promising weapons

Last year, Princeton researchers revealed a powerful new ad-blocking technique: perceptual ad-blocking uses a machine-learning model trained on images of pages with the ads identified to make predictions about which page elements are ads to block and which parts are not.

Steganographically hiding secret messages in fake fingerprints

In Towards Construction Based Data Hiding: From Secrets to Fingerprint Images, published in IEEE Transactions on Image Processing (Sci-Hub Mirror), two Fudan University computer scientists propose a fascinating method for hiding encrypted messages in fake fingerprints that are both visually and computationally difficult to distinguish from real ones, which could theoretically allow the use of fingerprint databases to convey secret messages.

Unisyn voting machine manual instructs election officials to use and recycle weak passwords

No one knows who wrote this Unisyn optical vote-counting machine manual that has appeared in multiple sites served by the California-based vendor, but only because Unisyn won't comment on whether they wrote it.

Voting systems in Wisconsin and Kentucky are running FTP. Seriously.

FTP -- the "file transfer protocol" -- is a long-supplanted Unix tool for transferring files between computers, once standard but now considered to be too insecure to use; so it's alarming that it's running on the voting information systems that will be used in elections in Wisconsin and Kentucky tomorrow.

Facebook blames malicious browser plugins for leak of 81,000 users' private messages and offer of account data for 120,000,000 users

A user called FBSaler is offering personal data for Facebook users at $0.10 each, claiming to have account data from 120,000,000 users to offer; to prove that they have the goods, they've dumped the private messages sent by 81,000 Facebook users, and account data from 176,000.

Job opening: senior security engineer to work on SecureDrop and protect whistleblowers

Sumana writes, "SecureDrop (previously) (originally coded by Aaron Swartz) is an open source whistleblower submission system that media organizations can install to securely accept documents from anonymous sources. Its parent nonprofit, the Freedom of the Press Foundation (previously), is hiring a Senior Software Engineer to join the team and:"

Cybersecurity class challenged to hack a Raspberry-Pi-enabled "smart pumpkin"

Frequent Boing Boing contributor Sean O'Brien and his colleagues Laurin Weissinger and Scott J Shapiro built a Raspberry Pi-enabled smart pumpkin and then challenged their Yale cybersecurity students to hack it.

Consumer Reports finds that D-Link's home camera sends unencrypted video without unique passwords

As part of its ongoing commitment to evaluate information security and privacy when reviewing IoT devices (previously), Consumer Reports has published a scathing review of D-Link's home security camera.

China Telecom has been using poisoned internet routes to suck up massive amounts of US and Canadian internet traffic

In a new paper published in the journal Military Cyber Affairs, researchers from the US Naval War College and Tel Aviv University document the use of BGP spoofing by China Telecom to redirect massive swathes of internet traffic through the company's routers as part of state military and commercial espionage efforts.

The Copyright Office just greenlit a suite of DRM-breaking exemptions to the DMCA

Section 1201 of the Digital Millennium Copyright Act bans bypassing "access controls" for copyrighted works -- that is, breaking DRM.

Ebay is full of used voting machines full of real electoral data and riddled with security defects

Back in 2012, Symantec researcher Bryan Varner bought some used US voting machines on Ebay and found them to be incredibly insecure and full of real, sensitive election data; in 2016, he did it again and things were even worse.

Cathay Pacific leaks 9.4 million travelers' passport numbers and other data

Cathay Pacific started investigating a potential breach in March; by May they'd learned of breaches to a system with 9.4 million travelers' data on it, then for some reason they didn't tell anyone about it, until now: "The following personal data was accessed: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information." They are sorry if you are upset: "We are very sorry for any concern this data security event may cause our passengers."

Facebook's former security head: making Facebook moderate content will cement its dominance

Alex Stamos stepped down as CSO for Facebook in August, after a career in which he rather fearlessly and bluntly warned about deficiencies in Facebook's security (this was totally in keeping with Stamos's character; he seems to have walked out on his job running security for Yahoo rather than building an NSA backdoor for them, making him something of a human warrant canary).
