NEWLY DECLASSIFIED NSA DOCUMENT ON CRYPTOGRAPHY IN THE
Newly Declassified NSA Document on Cryptography in the 1970s. This is a newly unclassified NSA history of its reaction to academic cryptography in the 1970s: “NSA Comes Out of the Closet: The Debate over Public Cryptography in the Inman Era,” Cryptographic Quarterly, Spring 1996, author still classified. Tags: cryptography, FOIA, history

ACADEMIC: SIDE CHANNEL CRYPTANALYSIS OF PRODUCT CIPHERS
Side Channel Cryptanalysis of Product Ciphers. J. Kelsey, B. Schneier, D. Wagner, and C. Hall. Journal of Computer Security, v. 8, n. 2-3, 2000, pp. 141-158. ABSTRACT: Building on the work of Kocher, we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate

HACKING COMPUTERS OVER USB
Hacking Computers Over USB. I’ve previously written about the risks of small portable computing devices; how more and more data can be stored on them, and then lost or stolen. But there’s another risk: if an attacker can convince you to plug his USB device into your computer, he can take it over. Plug an iPod or USB stick into a PC running Windows and the device can literally take over

SCHNEIER ON SECURITY
The Misaligned Incentives for Cloud Security. Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and US federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians’ success was their ability to move through these organizations by compromising cloud and local network

BIZARRO BANKING TROJAN
Bizarro Banking Trojan. Bizarro is a new banking trojan that is stealing financial information and crypto wallets. the program can be delivered in a couple of ways — either via malicious links contained within spam emails, or through a trojanized app. Using these sneaky methods, trojan operators will implant the malware onto a target device, where it will

HOW THE SOLARWINDS HACKERS BYPASSED DUO’S MULTI-FACTOR
How the SolarWinds Hackers Bypassed Duo’s Multi-Factor Authentication. This is interesting: Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA.

ADDING A RUSSIAN KEYBOARD TO PROTECT AGAINST RANSOMWARE
ABC • May 18, 2021 12:27 PM. One learns as a child when ‘E’ is to be pronounced “ye” (the default) and when it is to be pronounced “yo” (for ‘Ё’). For instance look up a Russian word in “wiktionary” say, “закон“, but then it is spelled with an accent mark to indicate primary stress: зако́н. But “О́” is clearly not a distinct letter from “О” and

DISABLING SECURITY CAMERAS WITH LASERS
Disabling Security Cameras with Lasers. There’s a really interesting video of protesters in Hong Kong using some sort of laser to disable security cameras. I know nothing more about the technologies involved. EDITED TO ADD (8/14): LIDAR from self-driving cars has damaged security cameras before. Tags: cameras, Hong Kong, video Posted on August 2, 2019 at 11:53 AM • 14

BACKDOOR FOUND IN CODECOV BASH UPLOADER
Backdoor Found in Codecov Bash Uploader. Developers have discovered a backdoor in the Codecov bash uploader. It’s been there for four months. We don’t know who put it there. Codecov said the breach allowed the attackers to export information stored in

ACADEMIC: CHINESE TECHNOLOGY PLATFORMS OPERATING IN THE
About Bruce Schneier. I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

NEWS: THE COMING AI HACKERS

DETECTING DEEPFAKE PICTURE EDITING
Detecting Deepfake Picture Editing “Markpainting” is a clever technique to watermark photos in such a way that makes it easier to detect ML-based manipulation: An image owner can modify their image in subtle ways which are not themselves very visible, but will sabotage any attempt to inpaint it by adding visible information determined in advance by the markpainter.

FBI/AFP-RUN ENCRYPTED PHONE
FBI/AFP-Run Encrypted Phone. For three years, the Federal Bureau of Investigation and the Australian Federal Police owned and operated a commercial encrypted phone app, called AN0M, that was used by organized crime around the world.

SCHNEIER ON SECURITY: PASSWORD SAFE

INFORMATION FLOWS AND DEMOCRACY
Information Flows and Democracy. Henry Farrell and I published a paper on fixing American democracy: “Rechanneling Beliefs: How Information Flows Hinder or Help Democracy.” It’s much easier for democratic stability to break down than most people realize, but

ESSAYS: RUSSIA’S HACKING SUCCESS SHOWS HOW VULNERABLE THE

NEW RANSOMWARE TARGETS INDUSTRIAL CONTROL SYSTEMS
New Ransomware Targets Industrial Control Systems. EKANS is a new ransomware that targets industrial control systems: But EKANS also uses another trick to ratchet up the pain: It’s designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems.

SCHNEIER ON SECURITY: CRYPTO-GRAM

CHINESE HACKERS BYPASSING TWO-FACTOR AUTHENTICATION
Chinese Hackers Bypassing Two-Factor Authentication. Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system. How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to

SCHNEIER ON SECURITY
Friday Squid Blogging: Newly Identified Ichthyosaur Species Probably Ate Squid. This is a deep-diving species that “fed on small prey items such as squid.” Academic paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

"HOW STORIES DECEIVE"
"How Stories Deceive" Fascinating New Yorker article about Samantha Azzopardi, serial con artist and deceiver. The article is really about how our brains allow stories to deceive us: Stories bring us together. We can talk about them and bond over them.

HOWLERMONKEY: NSA EXPLOIT OF THE DAY
HOWLERMONKEY: NSA Exploit of the Day. Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog: HOWLERMONKEY (TS//SI//REL) HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver.

A CRYPTOGRAPHIC EVALUATION OF IPSEC
limited to picking one of them. At the time of writing there has been one stage of elimination, and any one of the five remaining candidates will make a much

ANOTHER FAKE NSA CODENAME GENERATOR
Another Fake NSA Codename Generator. Generate your own fake TAO implant. This is even more fun than the fake NSA program generator. Sadly, the NSA will probably use these to help develop their R&D roadmap.
VULNERABILITIES IN WEAPONS SYSTEMS
Vulnerabilities in Weapons Systems “If you think any of these systems are going to work as expected in wartime, you’re fooling yourself.” That was Bruce’s response at a conference hosted by U.S. Transportation Command in 2017, after learning that their computerized logistical systems were mostly unclassified and on the internet.

MAILBOX MASTER KEYS
Mailbox Master Keys. Here’s a physical-world example of why master keys are a bad idea. It’s a video of two postal thieves using a master key to open apartment building mailboxes. Changing the master key for physical mailboxes is a logistical nightmare, which

FRIDAY SQUID BLOGGING: FOSSIL OF SQUID EATING AND BEING
Friday Squid Blogging: Fossil of Squid Eating and Being Eaten. We now have a fossil of a squid eating a crustacean while it is being eaten by a shark. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

SCHNEIER ON SECURITY: NEWS: CATEGORY ARCHIVES: TEXT
BetaBoston partnered with Silicon Valley Bank, Hack/Reduce, and Terrible Labs on Thursday to host the Cyber Security Symposium. Security experts from Credit Suisse, Threat Stack, Bit9 and others convened for a day-long event, the second niche-focused conference put together by SVB, Atlas Venture’s Cort Johnson and Terrible Labs’ Smith Anderson after the Quantified Self Conference in March.

DUTCH INSIDER ATTACK ON COVID-19 DATA
Dutch Insider Attack on COVID-19 Data. Insider data theft: Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground. According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases.
Mailbox Master Keys. Here’s a physical-world example of why master keys are a bad idea. It’s a video of two postal thieves using a master key to open apartment building mailboxes. Changing the master key for physical mailboxes is a logistical nightmare, which FBI/AFP-RUN ENCRYPTED PHONE FBI/AFP-Run Encrypted Phone. For three years, the Federal Bureau of Investigation and the Australian Federal Police owned and operated a commercial encrypted phone app, called AN0M, that was used by organized crime around the world. DISABLING SECURITY CAMERAS WITH LASERS Disabling Security Cameras with Lasers. There’s a really interesting video of protesters in Hong Kong using some sort of laser to disable security cameras. I know nothing more about the technologies involved. EDITED TO ADD (8/14): LIDAR from self-driving cars has damaged security cameras before.. Tags: cameras, Hong Kong, video Posted on August 2, 2019 at 11:53 AM • 14 LET'S ENCRYPT VULNERABILITY Let's Encrypt Vulnerability. The BBC is reporting a vulnerability in the Let’s Encrypt certificate service:. In a notification email to its clients, the organisation said: “We recently discovered a bug in the Let’s Encrypt certificate authority code. FRIDAY SQUID BLOGGING: FOSSIL OF SQUID EATING AND BEING Friday Squid Blogging: Fossil of Squid Eating and Being Eaten. We now have a fossil of a squid eating a crustacean while it is being eaten by a shark.. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. ACADEMIC: CHINESE TECHNOLOGY PLATFORMS OPERATING IN THE About Bruce Schneier. I am a public-interest technologist, working at the intersection of security, technology, and people.I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architectureat Inrupt, Inc.
SCHNEIER ON SECURITY: NEWS: CATEGORY ARCHIVES: TEXT BetaBoston partnered with Silicon Valley Bank, Hack/Reduce, and Terrible Labs on Thursday to host the Cyber Security Symposium. Security experts from Credit Suisse, Threat Stack, Bit9 and others convened for a day-long event, the second niche-focused conference put together by SVB, Atlas Venture’s Cort Johnson and Terrible Labs’ Smith Anderson after the Quantified Self Conference in March. SCHNEIER ON SECURITYBLOGNEWSLETTERBOOKSESSAYSNEWSTALKS Security Vulnerability in Apple’s Silicon “M1” Chip. The website for the M1racles security vulnerability is an excellent demonstration that not all vulnerabilities are exploitable. Be sure to read the FAQ through to the end. EDITED TO ADD: Wired article.. Tags: Apple, humor, vulnerabilities Posted on June 1, 2021 at 6:26 AM • 7 Comments ADDING A RUSSIAN KEYBOARD TO PROTECT AGAINST RANSOMWARE ABC • May 18, 2021 12:27 PM . One learns as a child when ‘E’ is to be pronounced “ye” (the default) and when it is to be pronounced “yo” (for ‘Ё’). For instance look up a Russian word in “wiktionary” say, “закон“, but then it is spelled with an accent mark to indicate primary stress: зако́н. But “О́” is clearly not a distinct letter from “О” and BIZARRO BANKING TROJAN Bizarro is a new banking trojan that is stealing financial information and crypto wallets. the program can be delivered in a couple of ways — either via malicious links contained within spam emails, or through a trojanized app. Using these sneaky methods, trojan operators will implant the malware onto a target device, where it will SCHNEIER ON SECURITY: TWOFISH SOURCE CODE About Bruce Schneier. I am a public-interest technologist, working at the intersection of security, technology, and people.I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architectureat Inrupt, Inc.
HOW THE SOLARWINDS HACKERS BYPASSED DUO’S MULTI-FACTOR How the SolarWinds Hackers Bypassed Duo’s Multi-Factor Authentication. This is interesting:. Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. "HOW STORIES DECEIVE" "How Stories Deceive" Fascinating New Yorker article about Samantha Azzopardi, serial con artist and deceiver.. The article is really about how our brains allow stories to deceive us: Stories bring us together. We can talk about them and bond over them. ACADEMIC: SIDE CHANNEL CRYPTANALYSIS OF PRODUCT CIPHERS Side Channel Cryptanalysis of Product Ciphers. J. Kelsey, B. Schneier, D. Wagner, and C. Hall. Journal of Computer Security, v. 8, n. 2-3, 2000, pp. 141-158.. ABSTRACT: Building on the work of Kocher, we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data.We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate A CRYPTOGRAPHIC EVALUATION OF IPSEC limited to picking one of them. At the time of writing there has been one stage of elimination, and any one of the ve remaining candidateswill make a much
DATA AS POLLUTION
Data as Pollution. Cory Doctorow has a new metaphor: We should treat personal electronic data with the same care and respect as weapons-grade plutonium — it is dangerous, long-lasting and once it has leaked there’s no getting it back
HOWLERMONKEY: NSA EXPLOIT OF THE DAY HOWLERMONKEY: NSA Exploit of the Day. Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog: HOWLERMONKEY (TS//SI//REL) HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver.
ACADEMIC: CHINESE TECHNOLOGY PLATFORMS OPERATING IN THE About Bruce Schneier. I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.
GOOGLE RELEASES BASIC HOMOMORPHIC ENCRYPTION TOOL Google Releases Basic Homomorphic Encryption Tool. Google has released an open-source cryptographic tool: Private Join and Compute. From a Wired article: Private Join and Compute uses a 1970s methodology known as “commutative encryption” to allow data in the data sets to be encrypted with multiple keys, without it mattering which order the keys are used in.
VULNERABILITIES IN WEAPONS SYSTEMS Vulnerabilities in Weapons Systems “If you think any of these systems are going to work as expected in wartime, you’re fooling yourself.” That was Bruce’s response at a conference hosted by U.S. Transportation Command in 2017, after learning that their computerized logistical systems were mostly unclassified and on the internet.
SCHNEIER ON SECURITY: CONTACT BRUCE SCHNEIER About Bruce Schneier. I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.
INFORMATION FLOWS AND DEMOCRACY Information Flows and Democracy. Henry Farrell and I published a paper on fixing American democracy: “Rechanneling Beliefs: How Information Flows Hinder or Help Democracy.” It’s much easier for democratic stability to break down than most people realize, but this doesn’t mean we must despair over the future.
THE SUPREME COURT NARROWED THE CFAA The Supreme Court Narrowed the CFAA. In a 6-3 ruling, the Supreme Court just narrowed the scope of the Computer Fraud and Abuse Act: In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction.
NEW RANSOMWARE TARGETS INDUSTRIAL CONTROL SYSTEMS New Ransomware Targets Industrial Control Systems. EKANS is a new ransomware that targets industrial control systems: But EKANS also uses another trick to ratchet up the pain: It’s designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems.
THE DARKSIDE RANSOMWARE GANG The DarkSide Ransomware Gang. The New York Times has a long story on the DarkSide ransomware gang. A glimpse into DarkSide’s secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millions of
SCHNEIER ON SECURITY: NEWS: CATEGORY ARCHIVES: TYPE On Tuesday, President-elect Donald Trump named cyber expert Tom Bossert as his homeland security adviser. Bossert is currently a fellow at the Atlantic Council and was a former national security aide to President George W. Bush. He says cybersecurity will be one a top priority in his new job.
SCHNEIER ON SECURITY: NEWS: CATEGORY ARCHIVES: TEXT In his Black Hat 2014 session entitled “The State of Incident Response,” security guru Bruce Schneier, CTO of Co3 Systems, Inc., said that hackers will invariably breach networks, but it is what comes next that really matters. Placing a great deal of emphasis on automated systems and technology being used to support the people needed for incident response, Schneier proposed a four-step
SCHNEIER ON SECURITY: TAGGED MALWARE WISTFULTOLL: NSA Exploit of the Day. Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog: WISTFULTOLL (TS//SI//REL) WISTFULTOLL is a UNITEDRAKE and STRAITBIZZARE plug-in used for harvesting and returning forensic information from a target using Windows Management Instrumentation (WMI) calls and Registry extractions.
DISABLING SECURITY CAMERAS WITH LASERS Disabling Security Cameras with Lasers. There’s a really interesting video of protesters in Hong Kong using some sort of laser to disable security cameras. I know nothing more about the technologies involved. EDITED TO ADD (8/14): LIDAR from self-driving cars has damaged security cameras before. Tags: cameras, Hong Kong, video Posted on August 2, 2019 at 11:53 AM • 14
FRIDAY SQUID BLOGGING: SQUIDS IN SPACE Friday Squid Blogging: Squids in Space. NASA is sending baby bobtail squid into space. As usual, you can also use this squid post to talk about the security stories in the news that I
SCHNEIER ON SECURITY: PASSWORD SAFE With Password Safe, a free utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination–just one thing to remember–unlocks them all. Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES.
SHADOWBROKERS RELEASES NSA UNITEDRAKE MANUAL ShadowBrokers Releases NSA UNITEDRAKE Manual. The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines: Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture
DATA AS POLLUTION
Data as Pollution. Cory Doctorow has a new metaphor:. We should treat personal electronic data with the same care and respect as weapons-grade plutonium — it is dangerous, long-lasting and once it has leaked there’s no getting it back SCHNEIER ON SECURITY: BOOKS BY BRUCE SCHNEIER Carry On Sound Advice from Schneier on Security. Bruce Schneier’s second collection of op-ed pieces, columns, and blog posts features more than 160 commentaries on topics including the Boston Marathon bombing, the NSA’s ubiquitous surveillance programs, Chinese cyber-attacks, the privacy of cloud computing, and how to hack thePapal election.
SCHNEIER ON SECURITY: ESSAYS Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and U.S. federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments.A crucial part of the Russians’ success was their ability to move through these organizations by compromising cloud and local network identity systems to then access cloud accounts VULNERABILITIES IN WEAPONS SYSTEMS Vulnerabilities in Weapons Systems “If you think any of these systems are going to work as expected in wartime, you’re fooling yourself.” That was Bruce’s response at a conference hosted by U.S. Transportation Command in 2017, after learning that their computerized logistical systems were mostly unclassified and on theinternet.
SCHNEIER ON SECURITY: CONTACT BRUCE SCHNEIER About Bruce Schneier. I am a public-interest technologist, working at the intersection of security, technology, and people.I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architectureat Inrupt, Inc.
THE DARKSIDE RANSOMWARE GANG The DarkSide Ransomware Gang. The New York Times has a long story on the DarkSide ransomware gang.. A glimpse into DarkSide’s secret communications in the months leading up to the Colonial Pipeline attack reveals a criminal operation on the rise, pulling in millionsof
DISABLING SECURITY CAMERAS WITH LASERS Disabling Security Cameras with Lasers. There’s a really interesting video of protesters in Hong Kong using some sort of laser to disable security cameras. I know nothing more about the technologies involved. EDITED TO ADD (8/14): LIDAR from self-driving cars has damaged security cameras before.. Tags: cameras, Hong Kong, video Posted on August 2, 2019 at 11:53 AM • 14 NEW RANSOMWARE TARGETS INDUSTRIAL CONTROL SYSTEMS New Ransomware Targets Industrial Control Systems. EKANS is a new ransomware that targets industrial control systems:. But EKANS also uses another trick to ratchet up the pain: It’s designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. THE SUPREME COURT NARROWED THE CFAA 1 day ago · The Supreme Court Narrowed the CFAA. In a 6-3 ruling, the Supreme Court just narrowed the scope of the Computer Fraud and Abuse Act:. In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction. FRIDAY SQUID BLOGGING: SQUIDS IN SPACE Friday Squid Blogging: Squids in Space. NASA is sending baby bobtail squid into space.. As usual, you can also use this squid post to talk about the security stories in the news that I SCHNEIER ON SECURITY: NEWS: CATEGORY ARCHIVES: TYPE On Tuesday, President-elect Donald Trump named cyber expert Tom Bossert as his homeland security adviser.. Bossert is currently a fellow at the Atlantic Council and was a former national security aide to President George W. Bush.. He says cybersecurity will be one a top priority in his new job. SCHNEIER ON SECURITY* Blog
* Newsletter
* Books
* Essays
* News
* Talks
* Academic
* About Me
SEARCH
_Powered by DuckDuckGo _ blog essays whole siteSUBSCRIBE
HACKING VOICE ASSISTANTS WITH ULTRASONIC WAVES
I previously wrote about hacking voice assistants with lasers. Turns out you can do much the same thing with ultrasonic waves:

> Voice assistants -- the demo targeted Siri, Google Assistant, and Bixby -- are designed to respond when they detect the owner's voice after noticing a trigger phrase such as 'Ok, Google'.
>
> Ultimately, commands are just sound waves, which other researchers have already shown can be emulated using ultrasonic waves which humans can't hear, providing an attacker has a line of sight on the device and the distance is short.
>
> What SurfingAttack adds to this is the ability to send the ultrasonic commands through a solid glass or wood table on which the smartphone was sitting using a circular piezoelectric disc connected to its underside.
>
> Although the distance was only 43cm (17 inches), hiding the disc under a surface represents a more plausible, easier-to-conceal attack method than previous techniques.

Research paper. Demonstration video.

Tags: academic papers, Android, Apple, hacking, iPhone, side-channel attacks, smartphones, video
Posted on March 23, 2020 at 6:19 AM • 0 Comments
FRIDAY SQUID BLOGGING: SQUID ORDERS DOWN IN ITALY
COVID-19 is depressing the demand for squid in Italy. The article is a week old, and already seems almost comically quaint.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.

Tags: COVID-19, squid
Posted on March 20, 2020 at 4:18 PM • 90 Comments
EMERGENCY SURVEILLANCE DURING COVID-19 CRISIS
Israel is using emergency surveillance powers to track people who may have COVID-19, joining China and Iran in using mass surveillance in this way. I believe pressure will increase to leverage existing corporate surveillance infrastructure for these purposes in the US and other countries. With that in mind, the EFF has some good thinking on how to balance public safety with civil liberties:

> Thus, any data collection and digital monitoring of potential carriers of COVID-19 should take into consideration and commit to these principles:
>
> * PRIVACY INTRUSIONS MUST BE NECESSARY AND PROPORTIONATE. A program that collects, en masse, identifiable information about people must be scientifically justified and deemed necessary by public health experts for the purpose of containment. And that data processing must be proportionate to the need. For example, maintenance of 10 years of travel history of all people would not be proportionate to the need to contain a disease like COVID-19, which has a two-week incubation period.
>
> * DATA COLLECTION BASED ON SCIENCE, NOT BIAS. Given the global scope of communicable diseases, there is historical precedent for improper government containment efforts driven by bias based on nationality, ethnicity, religion, and race -- rather than facts about a particular individual's actual likelihood of contracting the virus, such as their travel history or contact with potentially infected people. Today, we must ensure that any automated data systems used to contain COVID-19 do not erroneously identify members of specific demographic groups as particularly susceptible to infection.
>
> * EXPIRATION. As in other major emergencies in the past, there is a hazard that the data surveillance infrastructure we build to contain COVID-19 may long outlive the crisis it was intended to address. The government and its corporate cooperators must roll back any invasive programs created in the name of public health after crisis has been contained.
>
> * TRANSPARENCY. Any government use of "big data" to track virus spread must be clearly and quickly explained to the public. This includes publication of detailed information about the information being gathered, the retention period for the information, the tools used to process that information, the ways these tools guide public health decisions, and whether these tools have had any positive or negative outcomes.
>
> * DUE PROCESS. If the government seeks to limit a person's rights based on this "big data" surveillance (for example, to quarantine them based on the system's conclusions about their relationships or travel), then the person must have the opportunity to timely and fairly challenge these conclusions and limits.

Tags: China, COVID-19, data collection, EFF, epidemiology, Iran, Israel, national security policy, privacy, surveillance
Posted on March 20, 2020 at 6:25 AM • 24 Comments
WORK-FROM-HOME SECURITY ADVICE
SANS has made freely available its "Work-from-Home Awareness Kit."

When I think about how COVID-19's security measures are affecting organizational networks, I see several interrelated problems:

> One, employees are working from their home networks and sometimes from their home computers. These systems are more likely to be out of date, unpatched, and unprotected. They are more vulnerable to attack simply because they are less secure.
>
> Two, sensitive organizational data will likely migrate outside of the network. Employees working from home are going to save data on their own computers, where they aren't protected by the organization's security systems. This makes the data more likely to be hacked and stolen.
>
> Three, employees are more likely to access their organizational networks insecurely. If the organization is lucky, they will have already set up a VPN for remote access. If not, they're either trying to get one quickly or not bothering at all. Handing people VPN software to install and use with zero training is a recipe for security mistakes, but not using a VPN is even worse.
>
> Four, employees are being asked to use new and unfamiliar tools like Zoom to replace face-to-face meetings. Again, these hastily set-up systems are likely to be insecure.
>
> Five, the general chaos of "doing things differently" is an opening for attack. Tricks like business email compromise, where an employee gets a fake email from a senior executive asking him to transfer money to some account, will be more successful when the employee can't walk down the hall to confirm the email's validity -- and when everyone is distracted and so many other things are being done differently.

Worrying about network security seems almost quaint in the face of the massive health risks from COVID-19, but attacks on infrastructure can have effects far greater than the infrastructure itself. Stay safe, everyone, and help keep your networks safe as well.

Tags: COVID-19, epidemiology, infrastructure, security awareness, VPN, vulnerabilities
Posted on March 19, 2020 at 6:49 AM • 23 Comments
THE INSECURITY OF WORDPRESS AND APACHE STRUTS
Interesting data:

> A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.
>
> The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week by risk analysis firm RiskSense.

The full report is here.

Tags: Apache, reports, security engineering, vulnerabilities
Posted on March 18, 2020 at 7:45 AM • 18 Comments
TSA ADMITS LIQUID BAN IS SECURITY THEATER
The TSA is allowing people to bring larger bottles of hand sanitizer with them on airplanes:

> Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces. However, the agency cautioned that the shift could mean slightly longer waits at checkpoint because the containers may have to be screened separately when going through security.

Won't airplanes blow up as a result? Of course not. Would they have blown up last week were the restrictions lifted back then? Of course not. It's always been security theater.

Interesting context:

> The TSA can declare this rule change because the limit was always arbitrary, just one of the countless rituals of security theater to which air passengers are subjected every day. Flights are no more dangerous today, with the hand sanitizer, than yesterday, and if the TSA allowed you to bring 12 ounces of shampoo on a flight tomorrow, flights would be no more dangerous then. The limit was bullshit. The ease with which the TSA can toss it aside makes that clear.
>
> All over America, the coronavirus is revealing, or at least reminding us, just how much of contemporary American life is bullshit, with power structures built on punishment and fear as opposed to our best interest. Whenever the government or a corporation benevolently withdraws some punitive threat because of the coronavirus, it's a signal that there was never any good reason for that threat to exist in the first place.

Tags: air travel, medicine, security theater, TSA
Posted on March 16, 2020 at 9:31 AM • 34 Comments
FRIDAY SQUID BLOGGING: NEW REPORT ON SQUID MARKETS
This report costs $2,000. (Please don't buy it for me.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.

Tags: squid
Posted on March 13, 2020 at 4:02 PM • 213 Comments
THE EARN-IT ACT
Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes:

> The EARN IT Act would create a "National Commission on Online Child Sexual Exploitation Prevention" tasked with developing "best practices" for owners of Internet platforms to "prevent, reduce, and respond" to child exploitation. But far from mere recommendations, those "best practices" would be approved by Congress as legal requirements: if a platform failed to adhere to them, it would lose essential legal protections for free speech.
>
> It's easy to predict how Attorney General William Barr would use that power: to break encryption. He's said over and over that he thinks the "best practice" is to force encrypted messaging systems to give law enforcement access to our private conversations. The Graham-Blumenthal bill would finally give Barr the power to demand that tech companies obey him or face serious repercussions, including both civil and criminal liability. Such a demand would put encryption providers like WhatsApp and Signal in an awful conundrum: either face the possibility of losing everything in a single lawsuit or knowingly undermine their users' security, making all of us more vulnerable to online criminals.

Matthew Green has a long explanation of the bill and its effects:

> The new bill, out of Lindsey Graham's Judiciary committee, is designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely. And given that we don't yet know how to solve the problem -- and the techniques to do it are basically at the _research_ stage of R&D -- it's likely that "stop using encryption" is really the preferred goal.
>
> EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider for being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct "best practices" for scanning their systems for CSAM.
>
> Since there are no "best practices" in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.
>
> So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn't come out and actually _ban_ the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations.
>
> It's the kind of bill you'd come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn't care.

Another criticism of the bill. Commentary by EPIC. Kinder analysis.

Sign a petition against this act.

Tags: backdoors, children, crypto wars, cryptography, encryption
Posted on March 13, 2020 at 6:20 AM • 52 Comments
THE WHISPER SECRET-SHARING APP EXPOSED LOCATIONS
This is a big deal:

> Whisper, the secret-sharing app that called itself the "safest place on the Internet," left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed.
>
> The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.
>
> The exposed records did not include real names but did include a user's stated age, ethnicity, gender, hometown, nickname and any membership in groups, many of which are devoted to sexual confessions and discussion of sexual orientation and desires.
>
> The data also included the location coordinates of the users' last submitted post, many of which pointed back to specific schools, workplaces and residential neighborhoods.

Or homes. I hope people didn't confess things from their bedrooms.

Tags: blackmail, children, data collection, data loss, leaks, secret sharing
Posted on March 12, 2020 at 6:30 AM • 23 Comments
LA COVERS UP BAD CYBERSECURITY
This is bad in several dimensions.

> The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor.

Tags: cover-ups, cybersecurity, utilities, vulnerabilities
Posted on March 11, 2020 at 10:52 AM • 11 Comments
ABOUT BRUCE SCHNEIER
I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School and a board member of EFF. This personal website expresses the opinions of neither of those organizations.

Sidebar photo of Bruce Schneier by Joe MacInnis.