New White House Announcement on the Vulnerability Equities Process

The White House has released a new version of the Vulnerabilities Equities Process (VEP). This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You can read the new policy or the fact sheet, but the best place to start is Cybersecurity Coordinator Rob…

November 17, 2017
Read More >>

Motherboard Digital Security Guide

This digital security guide by Motherboard is very good. I put alongside EFF’s “Surveillance Self-Defense” and John Scott-Railton’s “Digital Security Low Hanging Fruit.” There’s also “Digital Security and Privacy for Human Rights Defenders.” There are too many of these…. Source: https://www.schneier.com

November 16, 2017
Read More >>

Apple FaceID Hacked

It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that — by all appearances — they’d cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. The article points out that the hack hasn’t been independently confirmed, but I have no doubt it’s true. I don’t think…

November 15, 2017
Read More >>

Long Article on NSA and the Shadow Brokers

The New York Times just published a long article on the Shadow Brokers and their effects on NSA operations. Summary: it’s been an operational disaster, the NSA still doesn’t know who did it or how, and NSA morale has suffered considerably. This is me on the Shadow Brokers from last May. Source: https://www.schneier.com

November 14, 2017
Read More >>

Google’s Data on Login Thefts

This is interesting research and data: With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data. […] Our research tracked several black markets that traded third-party password breaches, as well as…

November 13, 2017
Read More >>

New Research in Invisible Inks

It’s a lot more chemistry than I understand: Invisible inks based on “smart” fluorescent materials have been shining brightly (if only you could see them) in the data-encryption/decryption arena lately…. But some of the materials are costly or difficult to prepare, and many of these inks remain somewhat visible when illuminated with ambient or ultraviolet light. Liang Li and coworkers at Shanghai Jiao Tong University may have come up with…

November 10, 2017
Read More >>

Hacking a Fingerprint Biometric

Embedded in this story about infidelity and a mid-flight altercation, there’s an interesting security tidbit: The woman had unlocked her husband’s phone using his thumb impression when he was sleeping… Source: https://www.schneier.com

November 9, 2017
Read More >>

Facebook Fingerprinting Photos to Prevent Revenge Porn

This is a pilot project in Australia: Individuals who have shared intimate, nude or sexual images with partners and are worried that the partner (or ex-partner) might distribute them without their consent can use Messenger to send the images to be “hashed.” This means that the company converts the image into a unique digital fingerprint that can be used to identify and block any attempts to re-upload that same image….

November 9, 2017
Read More >>