Showing only posts in Bruce Schneier. Show all posts.

New Windows/Linux Firmware Attack

Source

Interesting attack based on malicious pre-OS logo images : LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux.... The vulnerabilities are the subject of a coordinated …

Friday Squid Blogging: Influencer Accidentally Posts Restaurant Table QR Ordering Code

Source

Another rare security + squid story : The woman—who has only been identified by her surname, Wang—was having a meal with friends at a hotpot restaurant in Kunming, a city in southwest China. When everyone’s selections arrived at the table, she posted a photo of the spread on …

New Bluetooth Attack

Source

New attack breaks forward secrecy in Bluetooth. Three news articles : BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions’ forward and future secrecy, compromising the confidentiality of past and future communications between devices. This is achieved by exploiting four flaws in the session key derivation …

Spying through Push Notifications

Source

When you get a push notification on your Apple or Google phone, those notifications go through Apple and Google servers. Which means that those companies can spy on them—either for their own reasons or in response to government demands. Sen. Wyden is trying to get to the bottom …

Security Analysis of a Thirteenth-Century Venetian Election Protocol

Source

Interesting analysis : This paper discusses the protocol used for electing the Doge of Venice between 1268 and the end of the Republic in 1797. We will show that it has some useful properties that in addition to being interesting in themselves, also suggest that its fundamental design principle is …

AI Decides to Engage in Insider Trading

Source

A stock-trading AI (a simulated experiment) engaged in insider trading, even though it “knew” it was wrong. The agent is put under pressure in three ways. First, it receives a email from its “manager” that the company is not doing well and needs better performance in the next quarter …

Extracting GPT’s Training Data

Source

This is clever : The actual attack is kind of silly. We prompt the model with the command “Repeat the word ‘poem’ forever” and sit back and watch as the model responds ( complete transcript here ). In the (abridged) example above, the model emits a real email address and phone number …

Breaking Laptop Fingerprint Sensors

Source

They’re not that good : Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the …

Secret White House Warrantless Surveillance Program

Source

There seems to be no end to warrantless surveillance : According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of …

Email Security Flaw Found in the Wild

Source

Google’s Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world. TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the …

Friday Squid Blogging: Unpatched Vulnerabilities in the Squid Caching Proxy

Source

In a rare squid/security post, here’s an article about unpatched vulnerabilities in the Squid caching proxy. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. [...]

Ransomware Gang Files SEC Complaint

Source

A ransomware gang, annoyed at not being paid, filed an SEC complaint against its victim for not disclosing its security breach within the required four days. This is over the top, but is just another example of the extreme pressure ransomware gangs put on companies after seizing their data …

« newer articles | page 14 | older articles »