New York Times Journalist Hacked with NSO Spyware
Citizen Lab is <a href="https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/"reporting that a New York Times journalist was hacked with the NSO Group’s spyware Pegasus, probably by the Saudis.
The world needs to do something about these cyberweapons arms manufacturers. This kind of thing isn’t enough;...
Friday Squid Blogging: Squid Eating Maine Shrimp
Squid are eating Maine shrimp, causing a collapse of the ecosystem. This seems to be a result of climate change.
Maine’s shrimp fishery has been closed for nearly a decade since the stock’s collapse in 2013. Scientists are now saying...
Nation-State Attacker of Telecommunications Networks
Someone has been hacking telecommunications networks around the world:
LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of...
Problems with Multifactor Authentication
Roger Grimes on why multifactor authentication isn’t a panacea:
The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly...
Textbook Rental Scam
Here’s a story of someone who, with three compatriots, rented textbooks from Amazon and then sold them instead of returning them. They used gift cards and prepaid credit cards to buy the books, so there was no available balance...
Using Machine Learning to Guess PINs from Video
Researchers trained a machine-learning system on videos of people typing their PINs into ATMs:
By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit...
Ransomware Attacks against Water Treatment Plants
According to a report from CISA last week, there were three ransomware attacks against water treatment plants last year.
WWS Sector cyber intrusions from 2019 to early 2021 include:
In August 2021, malicious cyber actors used Ghost variant ransomware against a...
The Missouri Governor Doesn’t Understand Responsible Disclosure
The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state.
The newspaper agreed to hold off publishing any story while the department fixed the problem and...
Friday Squid Blogging: New Giant Squid Video
New video of a large squid in the Red Sea at about 2,800 feet.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines...
Security Risks of Client-Side Scanning
Even before Apple made their announcement, law enforcement shifted their battle for back doors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s...
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak:
I’ll be speaking at an Informa event on November 29, 2021. Details to come.
The list is maintained on this page.
Recovering Real Faces from Face-Generation ML System
New paper: “This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces.
Abstract: Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website http://thispersondoesnotexist.com, taunts users with GAN generated images that...
Suing Infrastructure Companies for Copyright Violations
It’s a matter of going after those with deep pockets. From Wired:
Cloudflare was sued in November 2018 by Mon Cheri Bridals and Maggie Sottero Designs, two wedding dress manufacturers and sellers that alleged Cloudflare was guilty of contributory copyright...
Airline Passenger Mistakes Vintage Camera for a Bomb
I feel sorry for the accused:
The “security incident” that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding — after an airline passenger mistook another traveler’s camera...
The European Parliament Voted to Ban Remote Biometric Surveillance
It’s not actually banned in the EU yet — the legislative process is much more complicated than that — but it’s a step: a total ban on biometric mass surveillance.
To respect “privacy and human dignity,” MEPs said that EU...
China Telecom booted out of USA as Feds worry it could disrupt or spy on local networks
FCC urges more action against Huawei and DJI, too The US Federal Communications Commission (FCC) has terminated China Telecom's authority to provide communications services in the USA.…
150 People Arrested in US-Europe Darknet Drug Probe
Law enforcement officials in the U.S. and Europe have arrested 150 people and seized more than $31 million in an international drug trafficking investigation stemming from sales on the darknet, the Justice Department said Tuesday.
read more
Free Tool Helps Security Teams Measure Their API Attack Surface
Data Theorem's free API Attack Surface Calculator helps security teams understand potential API exposures.
SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike
Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader.
North Korea's Lazarus Group Turns to Supply Chain Attacks
State-backed group is among a growing number of threat actors looking at supply chain companies as an entry point into enterprise networks.
