Schneier on Security

Hidden Cameras in Streetlights

Schneier on Security - 3 hours 53 min ago
Both the US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) are hiding surveillance cameras in streetlights. According to government procurement data, the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for "video recording and reproducing equipment." ICE paid out about $28,000 to Cowboy Streetlight Concealments over the same... Bruce Schneier
Categories: Schneier on Security

Chip Cards Fail to Reduce Credit Card Fraud in the US

Schneier on Security - Thu, 11/15/2018 - 7:24am
A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept... Bruce Schneier
Categories: Schneier on Security

More Spectre/Meltdown-Like Attacks

Schneier on Security - Wed, 11/14/2018 - 4:30pm
Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In... Bruce Schneier
Categories: Schneier on Security

Upcoming Speaking Engagements

Schneier on Security - Wed, 11/14/2018 - 9:03am
This is a current list of where and when I am scheduled to speak: I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018. I'm appearing on IBM Resilient's End of Year Review webinar on "The Top Cyber Security Trends in 2018 and Predictions for the Year Ahead," December 6, 2018 at 12:00 PM EST. I'm giving a... Bruce Schneier
Categories: Schneier on Security

Oracle and "Responsible Disclosure"

Schneier on Security - Wed, 11/14/2018 - 7:46am
I've been writing about "responsible disclosure" for over a decade; here's an essay from 2007. Basically, it's a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to harass researchers and fix the vulnerabilities quickly. When that agreement breaks down, things go bad quickly. This... Bruce Schneier
Categories: Schneier on Security

New IoT Security Regulations

Schneier on Security - Tue, 11/13/2018 - 8:04am
Due to ever-evolving technological advances, manufacturers are connecting consumer goods -- from toys to lightbulbs to major appliances -- to the internet at breakneck speeds. This is the Internet of Things, and it's a security nightmare. The Internet of Things fuses products with communications technology to make daily life more effortless. Think Amazon's Alexa, which not only answers questions and... Bruce Schneier
Categories: Schneier on Security

Hiding Secret Messages in Fingerprints

Schneier on Security - Mon, 11/12/2018 - 7:17am
This is a fun steganographic application: hiding a message in a fingerprint image. Can't see any real use for it, but that's okay.... Bruce Schneier
Categories: Schneier on Security

Friday Squid Blogging: Australian Fisherman Gets Inked

Schneier on Security - Fri, 11/09/2018 - 5:07pm
Pretty good video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier
Categories: Schneier on Security

The Pentagon is Publishing Foreign Nation-State Malware

Schneier on Security - Fri, 11/09/2018 - 2:52pm
This is a new thing: The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape. This feels like an example of the US's new strategy of actively harassing... Bruce Schneier
Categories: Schneier on Security

Privacy and Security of Data at Universities

Schneier on Security - Fri, 11/09/2018 - 7:04am
Interesting paper: "Open Data, Grey Data, and Stewardship: Universities at the Privacy Frontier," by Christine Borgman: Abstract: As universities recognize the inherent value in the data they collect and hold, they encounter unforeseen challenges in stewarding those data in ways that balance accountability, transparency, and protection of privacy, academic freedom, and intellectual property. Two parallel developments in academic data collection... Bruce Schneier
Categories: Schneier on Security

iOS 12.1 Vulnerability

Schneier on Security - Thu, 11/08/2018 - 7:35am
This is really just to point out that computer security is really hard: Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone user's contact information with no need for a passcode. [...] A bad actor would need physical access to... Bruce Schneier
Categories: Schneier on Security

Consumer Reports Reviews Wireless Home-Security Cameras

Schneier on Security - Wed, 11/07/2018 - 7:39am
Consumer Reports is starting to evaluate the security of IoT devices. As part of that, it's reviewing wireless home-security cameras. It found significant security vulnerabilities in D-Link cameras: In contrast, D-Link doesn't store video from the DCS-2630L in the cloud. Instead, the camera has its own, onboard web server, which can deliver video to the user in different ways. Users... Bruce Schneier
Categories: Schneier on Security

Security of Solid-State-Drive Encryption

Schneier on Security - Tue, 11/06/2018 - 7:51am
Interesting research: "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)": Abstract: We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many... Bruce Schneier
Categories: Schneier on Security

Troy Hunt on Passwords

Schneier on Security - Mon, 11/05/2018 - 11:24am
Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems: This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when... Bruce Schneier
Categories: Schneier on Security

Friday Squid Blogging: Eating More Squid

Schneier on Security - Fri, 11/02/2018 - 5:08pm
This research paper concludes that we'll be eating more squid in the future. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier
Categories: Schneier on Security

How to Punish Cybercriminals

Schneier on Security - Fri, 11/02/2018 - 7:01am
Interesting policy paper by Third Way: "To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors": In this paper, we argue that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers. We show that: There is a burgeoning cybercrime wave: A rising and often unseen crime wave... Bruce Schneier
Categories: Schneier on Security

Buying Used Voting Machines on eBay

Schneier on Security - Thu, 11/01/2018 - 7:18am
This is not surprising: This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines -- those that were used in the 2016 election -- are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones.... Bruce Schneier
Categories: Schneier on Security

Was the Triton Malware Attack Russian in Origin?

Schneier on Security - Wed, 10/31/2018 - 1:44pm
The conventional story is that Iran targeted Saudi Arabia with Triton in 2017. New research from FireEye indicates that it might have been Russia. I don't know. FireEye likes to attribute all sorts of things to Russia, but the evidence here looks pretty good.... Bruce Schneier
Categories: Schneier on Security

ID Systems Throughout the 50 States

Schneier on Security - Wed, 10/31/2018 - 7:53am
Jim Harper at CATO has a good survey of state ID systems in the US.... Bruce Schneier
Categories: Schneier on Security

Cell Phone Security and Heads of State

Schneier on Security - Tue, 10/30/2018 - 7:38am
Earlier this week, the New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cell phone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potential security vulnerabilities in Trump's cell phone use since he became president. And President Barack... Bruce Schneier
Categories: Schneier on Security
