Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/zero-click-imessage-exploit.html
Citizen Lab released a report on a zero-click iMessage exploit that is used in NSO Group’s Pegasus spyware.
Apple patched the vulnerability; everyone needs to update their OS immediately.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/identifying-computer-generated-faces.html
It’s the eyes:
The researchers note that in many cases, users can simply zoom in on the eyes of a person they suspect may not be real to spot the pupil irregularities. They also note that it would not be difficult to write software to spot such errors and for social media sites to use it to remove such content. Unfortunately, they also note that now that such irregularities have been identified, the people creating the fake pictures can simply add a feature to ensure the roundness of pupils.
And the arms race continues….
Research paper.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/designing-contact-tracing-apps.html
Susan Landau wrote an essay on the privacy, efficacy, and equity of contract-tracing smartphone apps.
Also see her excellent book on the topic.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/friday-squid-blogging-possible-evidence-of-squid-paternal-care.html
Researchers have found possible evidence of paternal care among bigfin reef squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/protonmail-now-keeps-ip-logs.html
After being compelled by a Swiss court to monitor IP logs for a particular user, ProtonMail no longer claims that “we do not keep any IP logs.”
EDITED TO ADD (9/14): This seems to be more complicated. ProtonMail is not yet saying that they keep logs. Their privacy policy still states that they do not keep logs except in certain circumstances, and outlines those circumstances. And ProtonMail’s warrant canary has an interesting list of data orders they have received from various authorities, whether they complied, and why or why not.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/more-detail-on-the-juniper-hack-and-the-nsa-prng-backdoor.html
We knew the basics of this story, but it’s good to have more detail.
Here’s me in 2015 about this Juniper hack. Here’s me in 2007 on the NSA backdoor.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/security-risks-of-relying-on-a-single-smartphone.html
Isracard used a single cell phone to communicate with credit card clients, and receive documents via WhatsApp. An employee stole the phone. He reformatted the phone and replaced the SIM card, which was oddly the best possible outcome, given the circumstances. Using the data to steal money would have been much worse.
Here’s a link to an archived version.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/lightning-cable-with-embedded-eavesdropping.html
Normal-looking cables (USB-C, Lightning, and so on) that exfiltrate data over a wireless network.
I blogged about a previous prototype here.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/tracking-people-by-their-mac-addresses.html
Yet another article on the privacy risks of static MAC addresses and always-on Bluetooth connections. This one is about wireless headphones.
The good news is that product vendors are fixing this:
Several of the headphones which could be tracked over time are for sale in electronics stores, but according to two of the manufacturers NRK have spoken to, these models are being phased out.
“The products in your line-up, Elite Active 65t, Elite 65e and Evolve 75e, will be going out of production before long and newer versions have already been launched with randomized MAC addresses. We have a lot of focus on privacy by design and we continuously work with the available security measures on the market,” head of PR at Jabra, Claus Fonnesbech says.
“To run Bluetooth Classic we, and all other vendors, are required to have static addresses and you will find that in older products,” Fonnesbech says.
Jens Bjørnkjær Gamborg, head of communications at Bang & Olufsen, says that “this is products that were launched several years ago.”
“All products launched after 2019 randomize their MAC-addresses on a frequent basis as it has become the market standard to do so,” Gamborg says.
EDITED TO ADD (9/13): It’s not enough to randomly change MAC addresses. Any other plaintext identifiers need to be changed at the same time.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/friday-squid-blogging-squid-communication.html
Interesting article on squid communication.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/hacker-themed-board-game.html
Black Hat is a hacker-themed board game.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/history-of-the-hx-63-rotor-machine.html
Jon D. Paul has written the fascinating story of the HX-63, a super-complicated electromechanical rotor cipher machine made by Crypto AG.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/09/zero-click-iphone-exploits.html
Citizen Lab is reporting on two zero-click iMessage exploits, in spyware sold by the cyberweapons arms manufacturer NSO Group to the Bahraini government.
These are particularly scary exploits, since they don’t require to victim to do anything, like click on a link or open a file. The victim receives a text message, and then they are hacked.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/more-military-cryptanalytics-part-iii.html
Late last year, the NSA declassified and released a redacted version of Lambros D. Callimahos’s Military Cryptanalytics, Part III. We just got most of the index. It’s hard to believe that there are any real secrets left in this 44-year-old volume.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/excellent-write-up-of-the-solarwinds-security-breach.html
Robert Chesney wrote up the Solar Winds story as a case study, and it’s a really good summary.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/friday-squid-blogging-tentacle-doorknob.html
It’s pretty.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/details-of-the-recent-t-mobile-breach.html
Seems that 47 million customers were affected. Surprising no one, T-Mobile had awful security.
I’ve lost count of how many times T-Mobile has been hacked.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/interesting-privilege-escalation-vulnerability.html
If you plug a Razer peripheral (mouse or keyboard, I think) into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software — which automatically downloads — to gain SYSTEM privileges.
It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/surveillance-of-the-internet-backbone.html
Vice has an article about how data brokers sell access to the Internet backbone. This is netflow data. It’s useful for cybersecurity forensics, but can also be used for things like tracing VPN activity.
At a high level, netflow data creates a picture of traffic flow and volume across a network. It can show which server communicated with another, information that may ordinarily only be available to the server owner or the ISP carrying the traffic. Crucially, this data can be used for, among other things, tracking traffic through virtual private networks, which are used to mask where someone is connecting to a server from, and by extension, their approximate physical location.
In the hands of some governments, that could be dangerous.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/08/friday-squid-blogging-on-squid-brains.html
Interesting National Geographic article.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
