Schneier on Security

IoT Security Principles

Schneier on Security - Tue, 07/07/2020 - 7:38am
The BSA -- also known as the Software Alliance, formerly the Business Software Alliance -- is an industry lobbying group. They just published "Policy Principles for Building a Secure and Trustworthy Internet of Things." They call for: Distinguishing between consumer and industrial IoT. Offering incentives for integrating security. Harmonizing national and international policies. Establishing regularly updated baseline security requirements As... Bruce Schneier
Categories: Schneier on Security

ThiefQuest Ransomware for the Mac

Schneier on Security - Mon, 07/06/2020 - 7:43am
There's a new ransomware for the Mac called ThiefQuest or EvilQuest. It's hard to get infected: For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it. It's a good reminder to get your software from trustworthy sources, like developers whose code is... Bruce Schneier

Friday Squid Blogging: Strawberry Squid

Schneier on Security - Fri, 07/03/2020 - 5:07pm
Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

Hacked by Police

Schneier on Security - Fri, 07/03/2020 - 11:39am
French police hacked EncroChat secure phones, which are widely used by criminals: Encrochat's phones are essentially modified Android devices, with some models using the "BQ Aquaris X2," an Android handset released in 2018 by a Spanish electronics company, according to the leaked documents. Encrochat took the base unit, installed its own encrypted messaging programs which route messages through the firm's... Bruce Schneier

The Security Value of Inefficiency

Schneier on Security - Thu, 07/02/2020 - 10:26am
For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that's a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that's all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient. Using... Bruce Schneier

Securing the International IoT Supply Chain

Schneier on Security - Wed, 07/01/2020 - 10:31am
Together with Nate Kim (former student) and Trey Herr (Atlantic Council Cyber Statecraft Initiative), I have written a paper on IoT supply chain security. The basic problem we try to solve is: how do you enforce IoT security regulations when most of the stuff is made in other countries? And our solution is: enforce the regulations on the domestic company... Bruce Schneier

Android Apps Stealing Facebook Credentials

Schneier on Security - Tue, 06/30/2020 - 11:15am
Google has removed 25 Android apps from its store because they steal Facebook credentials: Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times. The malicious apps were developed by the same threat group and despite offering different features, under the hood, all the apps worked the same. According to a report from French cyber-security... Bruce Schneier

iPhone Apps Stealing Clipboard Data

Schneier on Security - Mon, 06/29/2020 - 11:24am
iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information. While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a banner warning every time an app reads clipboard contents. As large numbers... Bruce Schneier

Friday Squid Blogging: Fishing for Jumbo Squid

Schneier on Security - Fri, 06/26/2020 - 4:57pm
Interesting article on the rise of the jumbo squid industry as a result of climate change. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

The Unintended Harms of Cybersecurity

Schneier on Security - Fri, 06/26/2020 - 8:00am
Interesting research: "Identifying Unintended Harms of Cybersecurity Countermeasures": Abstract: Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services... Bruce Schneier

Analyzing IoT Security Best Practices

Schneier on Security - Thu, 06/25/2020 - 8:09am
New research: "Best Practices for IoT Security: What Does That Even Mean?" by Christopher Bellman and Paul C. van Oorschot: Abstract: Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure... Bruce Schneier

COVID-19 Risks of Flying

Schneier on Security - Wed, 06/24/2020 - 1:32pm
I fly a lot. Over the past five years, my average speed has been 32 miles an hour. That all changed mid-March. It's been 105 days since I've been on an airplane -- longer than any other time in my adult life -- and I have no future flights scheduled. This is all a prelude to saying that I have... Bruce Schneier

Cryptocurrency Pump and Dump Scams

Schneier on Security - Wed, 06/24/2020 - 7:30am
Really interesting research: "An examination of the cryptocurrency pump and dump ecosystem": Abstract: The surge of interest in cryptocurrencies has been accompanied by a proliferation of fraud. This paper examines pump and dump schemes. The recent explosion of nearly 2,000 cryptocurrencies in an unregulated environment has expanded the scope for abuse. We quantify the scope of cryptocurrency pump and dump... Bruce Schneier

Nation-State Espionage Campaigns against Middle East Defense Contractors

Schneier on Security - Tue, 06/23/2020 - 7:22am
Report on espionage attacks using LinkedIn as a vector for malware, with details and screenshots. They talk about "several hints suggesting a possible link" to the Lazarus group (aka North Korea), but that's by no means definite. As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies... Bruce Schneier

Identifying a Person Based on a Photo, LinkedIn and Etsy Profiles, and Other Internet Bread Crumbs

Schneier on Security - Mon, 06/22/2020 - 8:35am
Interesting story of how the police can identify someone by following the evidence chain from website to website. According to filings in Blumenthal's case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police car ablaze as it was broadcast live May 30. It showed the... Bruce Schneier

Friday Squid Blogging: Giant Squid Washes Up on South African Beach

Schneier on Security - Fri, 06/19/2020 - 5:15pm
Fourteen feet long and 450 pounds. It was dead before it washed up. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

Security and Human Behavior (SHB) 2020

Schneier on Security - Fri, 06/19/2020 - 3:09pm
Today is the second day of the thirteenth Workshop on Security and Human Behavior. It's being hosted by the University of Cambridge, which in today's world means we're all meeting on Zoom. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself.... Bruce Schneier

New Hacking-for-Hire Company in India

Schneier on Security - Fri, 06/19/2020 - 7:38am
Citizen Lab has a new report on Dark Basin, a large hacking-for-hire company in India. Key Findings: Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. Dark Basin extensively targeted American nonprofits, including organisations... Bruce Schneier

Theft of CIA's "Vault Seven" Hacking Tools Due to Its Own Lousy Security

Schneier on Security - Thu, 06/18/2020 - 7:34am
The Washington Post is reporting on an internal CIA report about its "Vault 7" security breach: The breach -- allegedly committed by a CIA employee -- was discovered a year after it happened, when the information was published by WikiLeaks, in March 2017. The anti-secrecy group dubbed the release "Vault 7," and U.S. officials have said it was the biggest... Bruce Schneier

Zoom Will Be End-to-End Encrypted for All Users

Schneier on Security - Wed, 06/17/2020 - 2:55pm
Zoom is doing the right thing: it's making end-to-end encryption available to all users, paid and unpaid. (This is a change; I wrote about the initial decision here.) ...we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE as... Bruce Schneier