Critical Windows Vulnerability Discovered by NSA

Yesterday’s Microsoft Windows patches included a fix for a critical vulnerability in the system’s crypto library. A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file…

January 15, 2020
Read More >>

5G Security

5G Security The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the possibility that Beijing could use its…

January 14, 2020
Read More >>

Artificial Personas and Public Discourse

Presidential-campaign season is officially, officially, upon us now, which means it’s time to confront the weird and insidious ways in which technology is warping politics. One of the biggest threats on the horizon: Artificial personas are coming, and they’re poised to take over political debate. The risk arises from two separate threads coming together: artificial-intelligence-driven text generation and social-media chatbots. These computer-generated “people” will drown out actual human discussions on…

January 13, 2020
Read More >>

Police Surveillance Tools from Special Services Group

Special Services Group, a company that sells surveillance tools to the FBI, DEA, ICE, and other US government agencies, has had its secret sales brochure published. Motherboard received the brochure as part of a FOIA request to the Irvine Police Department in California. “The Tombstone Cam is our newest video concealment offering the ability to conduct remote surveillance operations from cemeteries,” one section of the Black Book reads. The device…

January 10, 2020
Read More >>

New SHA-1 Attack

New SHA-1 Attack There’s a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 261.2rather than264.7, and chosen-prefix collisions with a complexity of263.4rather…

January 8, 2020
Read More >>

USB Cable Kill Switch for Laptops

BusKill is designed to wipe your laptop (Linux only) if it is snatched from you in a public place: The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the laptop and triggers a udev script [1, , 3] that executes a…

January 7, 2020
Read More >>

Mailbox Master Keys

Mailbox Master Keys Here’s a physical-world example of why master keys are a bad idea. It’s a video of two postal thieves using a master key to open apartment building mailboxes. Changing the master key for physical mailboxes is a logistical nightmare, which is why this problem won’t be fixed anytime soon. Tags: keys, mail, operational security, USPS Posted on January 6, 2020 at 6:20 AM • 0 Comments Source:…

January 6, 2020
Read More >>

Friday Squid Blogging: Giant Squid Video from the Gulf of Mexico

Fantastic video: Scientists had used a specialized camera system developed by Widder called the Medusa, which uses red light undetectable to deep sea creatures and has allowed scientists to discover species and observe elusive ones. The probe was outfitted with a fake jellyfish that mimicked the invertebrates’ bioluminescent defense mechanism, which can signal to larger predators that a meal may be nearby, to lure the squid and other animals to…

January 4, 2020
Read More >>

Chrome Extension Stealing Cryptocurrency Keys and Passwords

A malicious Chrome extension surreptitiously steals Ethereum keys and passwords: According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk. Denley says that the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk. Second, the extension also actively injects malicious…

January 3, 2020
Read More >>