Schneier on Security

On the Dangers of Cryptocurrencies and the Uselessness of Blockchain

Schneier on Security

Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are a complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019.

Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills

Schneier on Security

Two bills attempting to reduce the power of Internet monopolies are currently being debated in Congress: S. 2992, the American Innovation and Choice Online Act; and S. 2710, the Open App Markets Act.

Symbiote Backdoor in Linux

Schneier on Security

Interesting: What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines.

When Security Locks You Out of Everything

Schneier on Security

Thought experiment story of someone who lost everything in a house fire, and now can’t log into anything: But to get into my cloud, I need my password and 2FA.

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Through a detailed analysis of major attacks and their consequences, Karl Camilleri, Cloud Services Product Manager at phoenixNAP, will discuss the state of ransomware and future predictions, as well as provide best practices for attack prevention and recovery.

Tracking People via Bluetooth on Their Phones

Schneier on Security

We’ve always known that phones—and the people carrying them—can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that that’s not enough.

Attacking the Performance of Machine Learning Systems

Schneier on Security

Interesting research: “Sponge Examples: Energy-Latency Attacks on Neural Networks”: Abstract: The high energy costs of neural network training and inference led to the use of acceleration hardware such as GPUs and TPUs.

On the Subversion of NIST by the NSA

Schneier on Security

Nadiya Kostyuk and Susan Landau wrote an interesting paper: “Dueling Over DUAL_EC_DRBG: The Consequences of Corrupting a Cryptographic Standardization Process”: Abstract: In recent decades, the U.S.

Hertzbleed: A New Side-Channel Attack

Schneier on Security

Hertzbleed is a new side-channel attack that works against a variety of microprocessors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but it’s not generally viable because measuring power consumption is often hard.

Manipulating Machine-Learning Systems through the Order of the Training Data

Schneier on Security

Yet another adversarial ML attack: Most deep neural networks are trained by stochastic gradient descent. Now “stochastic” is a fancy Greek word for “random”; it means that the training data are fed into the model in random order. So what happens if the bad guys can cause the order to be not random?

ICE Is a Domestic Surveillance Agency

Schneier on Security

Georgetown has a new report on the highly secretive bulk surveillance activities of ICE in the US: When you think about government surveillance in the United States, you likely think of the National Security Agency or the FBI.

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

In this webinar, Ronald Eddings, Cybersecurity Expert, will outline the relationship between SaaS apps and IT & security teams, along with several actionable solutions to overcome the new difficulties facing your organization.

The Limits of Cyber Operations in Wartime

Schneier on Security

Interesting paper by Lennart Maschmeyer: “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations”: Abstract: Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear.

Malware-Infested Smart Card Reader

Schneier on Security

Brian Krebs has an interesting story of a smart ID card reader with a malware-infested Windows driver, and US government employees who inadvertently buy and use them.

Undetectable Backdoors in Machine-Learning Models

Schneier on Security

New paper: “Planting Undetectable Backdoors in Machine Learning Models”: Abstract: Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider.

Remotely Controlling Touchscreens

Schneier on Security

Researchers have demonstrated controlling touchscreens at a distance, at least in a laboratory setting: The core idea is to take advantage of the electromagnetic signals to execute basic touch events such as taps and swipes into targeted locations of the touchscreen with the goal of taking over remote control and manipulating the underlying device.

Clever Cryptocurrency Theft

Schneier on Security

Beanstalk Farms is a decentralized finance project that has a majority stake governance system: basically people have proportional votes based on the amount of currency they own.

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance.

iPhone Malware that Operates Even When the Phone Is Turned Off

Schneier on Security

Researchers have demonstrated iPhone malware that works even when the phone is fully shut down. It turns out that the iPhone’s Bluetooth chip — which is key to making features like Find My work — has no mechanism for digitally signing or even encrypting the firmware it runs.

M1 Chip Vulnerability

Schneier on Security

This is a new vulnerability against Apple’s M1 chip. Researchers say that it is unpatchable.

Twitter Used Two-Factor Login Details for Ad Targeting

Schneier on Security

Twitter was fined $150 million for using phone numbers and email addresses collected for two-factor authentication for ad targeting.

Analyzing the Swiss E-Voting System

Schneier on Security

Andrew Appel has a long analysis of the Swiss online voting system. It’s a really good analysis of both the system and the official analyses.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Security and Human Behavior (SHB) 2022

Schneier on Security

Today is the second day of the fifteenth Workshop on Security and Human Behavior, hosted by Ross Anderson and Alice Hutchings at the University of Cambridge. After two years of having this conference remotely on Zoom, it’s nice to be back together in person.

Clever — and Exploitable — Windows Zero-Day

Schneier on Security

Researchers have reported a still-unpatched Windows zero-day that is currently being exploited in the wild. Here’s the advisory, which includes a work-around until a patch is available.

Forging Australian Driver’s Licenses

Schneier on Security

The New South Wales digital driver’s license has multiple implementation flaws that allow for easy forgeries. This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.

Bypassing Two-Factor Authentication

Schneier on Security

These techniques are not new, but they’re increasingly popular: …some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear.

Hertzbleed: A New Side-Channel Attack

Schneier on Security

Hertzbleed is a new side-channel attack that works against a variety of microprocessors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but it’s not generally viable because measuring power consumption is often hard.

AirTags Are Used for Stalking Far More than Previously Reported

Schneier on Security

Ever since Apple introduced AirTags, security people have warned that they could be used for stalking.

Me on Public-Interest Tech

Schneier on Security

Back in November 2020, in the middle of the COVID-19 pandemic, I gave a virtual talk at the International Symposium on Technology and Society: “The Story of the Internet and How it Broke Bad: A Call for Public-Interest Technologists.”

Apple Mail Now Blocks Email Trackers

Schneier on Security

Apple Mail now blocks email trackers by default. Most email newsletters you get include an invisible “image,” typically a single white pixel, with a unique file name. The server keeps track of every time this “image” is opened and by which IP address.

Long Story on the Accused CIA Vault 7 Leaker

Schneier on Security

Long article about Joshua Schulte, the accused leaker of the WikiLeaks Vault 7 and Vault 8 CIA data. Well worth reading.

SMS Phishing Attacks are on the Rise

Schneier on Security

SMS phishing attacks — annoyingly called “smishing” — are becoming more common. I know that I have been receiving a lot of phishing SMS messages over the past few months. I am not getting the “Fedex package delivered” messages the article talks about.

Russian Cyberattack against Ukrainian Power Grid Prevented

Schneier on Security

A Russian cyberweapon, similar to the one used in 2016, was detected and removed before it could be used.

Video Conferencing Apps Sometimes Ignore the Mute Button

Schneier on Security

New research: “Are You Really Muted?:

ZuoRAT Malware Is Targeting Routers

Schneier on Security

Wired is reporting on a new remote-access Trojan that is able to infect at least eighty different targets: So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek.

Surveillance by Driverless Car

Schneier on Security

San Francisco police are using autonomous vehicles as mobile surveillance cameras. Privacy advocates say the revelation that police are actively using AV footage is cause for alarm. “This is very concerning,” Electronic Frontier Foundation (EFF) senior staff attorney Adam Schwartz told Motherboard.

Linux Improves Its Random Number Generator

Schneier on Security

In kernel version 5.17, both /dev/random and /dev/urandom have been replaced with a new — identical — algorithm based on the BLAKE2 hash function, which is an excellent security improvement.

Hacking Alexa through Alexa’s Speech

Schneier on Security

An Alexa can respond to voice commands it issues. This can be exploited: The attack works by using the device’s speaker to issue voice commands.

The Justice Department Will No Longer Charge Security Researchers with Criminal Hacking

Schneier on Security

Following a recent Supreme Court ruling, the Justice Department will no longer prosecute “good faith” security researchers with cybercrimes: The policy for the first time directs that good-faith security research should not be charged.

Hacking Tesla’s Remote Key Cards

Schneier on Security

Leaking Military Secrets on Gaming Discussion Boards

Schneier on Security

People are leaking classified military information on discussion boards for the video game War Thunder to win arguments — repeatedly.

Bluetooth Flaw Allows Remote Unlocking of Digital Locks

Schneier on Security

Locks that use Bluetooth Low Energy to authenticate keys are vulnerable to remote unlocking. The research focused on Teslas, but the exploit is generalizable.