Newest posts are at the top.
Date is date posted here in Internet Salmagundi, not date originally published.
Cybersecurity
The Pegasus Project (4/30/2022) Tagged: Pegasus, NSO | Working with new data from the journalism nonprofit Forbidden Stories and human rights group Amnesty International, OCCRP and 16 media partners around the world worked to uncover who might have fallen victim to Pegasus, and tell their stories.
Cyber Realism in a Time of War (3/28/2022) Tagged: Cyber Warfare, Russia, CyberConflict, Ukraine | “For all the talk about ‘cyber war’, today shows that when conflict escalates to this point it is secondary. If you want to take out infrastructure then missiles are more straightforward than using computer code. Cyber’s main role now is perhaps to sow confusion about events.”
Quantum-Safe Trust for Vehicles: The Race Is Already On (12/5/2021) Tagged: Quantum CyberSecurity, Quantum Vulnerability | Now that it seems quantum-computing capabilities could become commercially available within the next decade or two—likely in the form of cloud-based services—security professionals have turned with an intensified sense of urgency to the challenge of how to respond to the threat of quantum-powered attacks. One domain where this is particularly true is in the automotive industry, where cars now coming off assembly lines are sometimes referred to as "rolling datacenters" in acknowledgment of all the entertainment and communications capabilities they contain.
The Worsening State of Ransomware (10/23/2021) Tagged: Ransomware | Suddenly, you have people with limited ability using powerful software to discover, exfiltrate, and encrypt files. They wind up with many of the same capabilities that sophisticated cybercriminals have.
Implementing Insider Defenses (10/19/2021) Tagged: Insider Threats, Trustworthy Behavior, Human Psychology | Classical approaches to cyber-security—isolation, monitoring, and the like—are a good starting point for defending against attacks, regardless of perpetrator. But implementations of those approaches in hardware and/or software can invariably be circumvented by insiders, individuals who abuse privileges and access their trusted status affords.
Fixing the Internet (10/9/2021) Tagged: Route Origin Validation (ROV), Internet Architecture, Internet Security, Border Gateway Protocol (BGP), Resource Public Key Infrastructure (RPKI) | Aftab Siddiqui, senior manager of Internet technology at the Internet Society, says the initial BGP protocol was conceived by experts at research institutions, defense organizations, and equipment vendors. "When they designed [BGP], it was based on the premise that everybody trusts each other," Siddiqui says. "Fast-forward 30 years, I'm pretty sure we cannot claim that anymore."
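The fix the article discusses is Route Origin Validation: a router checks each announcement against the Route Origin Authorizations (ROAs) published in the RPKI. The example below is added here to show that check as defined in RFC 6811; it is not code from the Internet Society, the article, or any RPKI validator, and the ROAs and announcements are constructed sample data (documentation prefixes and private AS numbers).

```python
"""Route Origin Validation (RFC 6811) against a constructed ROA set.

Added illustration for the entry above; not code from the Internet Society,
the article, or any RPKI validator. ROAs and announcements are sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maxLength, and authorized origin AS."""
    prefix: Net
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside the prefix's own length and the address size."""
    net = ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} not in /{net.prefixlen}../{net.max_prefixlen}")
    return ROA(net, max_length, asn)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid', or 'not-found' per RFC 6811 section 2.

    A ROA *covers* a route when the route's prefix lies inside the ROA prefix.
    The route is valid if any covering ROA names the origin AS and allows the
    route's length; invalid if covering ROAs exist but none matches; not-found
    if no ROA covers it (the unsigned, pre-RPKI state of most of the table).
    """
    route = ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != route.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        # An AS0 ROA never equals a real origin, so it makes every route it covers invalid.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample data: documentation prefixes, private-use AS numbers.
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("203.0.113.0/24", 26, 64498),
    make_roa("2001:db8::/32", 48, 64499),
]

SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),     # exact match: valid
    ("192.0.2.0/25", 64496),     # more specific than maxLength: invalid (sub-prefix hijack shape)
    ("192.0.2.0/24", 64500),     # right prefix, wrong origin: invalid (origin hijack shape)
    ("203.0.113.64/26", 64498),  # within maxLength: valid
    ("203.0.113.64/27", 64498),  # beyond maxLength: invalid
    ("198.51.100.0/24", 64496),  # no covering ROA: not-found
    ("2001:db8:1::/48", 64499),  # IPv6, within maxLength: valid
    ("2001:db8::/32", 64496),    # IPv6, wrong origin: invalid
]


def validate_all(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS) -> List[Tuple[str, int, str]]:
    """Validate every sample announcement and return (prefix, origin, state) triples."""
    return [(p, asn, validate(p, asn, roas)) for p, asn in routes]


if __name__ == "__main__":
    for prefix, asn, state in validate_all():
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A router applying ROV typically drops or de-preferences routes that come back "invalid" and still accepts "not-found", since most of the global table is unsigned; the two "invalid" shapes above (a more-specific announcement and a wrong origin AS) are exactly the announcements the Siddiqui quote says the original trust-everyone BGP could not reject.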
Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2021 (10/8/2021) Tagged: Identity Theft, Psychology and Usability, Multi-factor Authentication, Cybersecurity Knowledge, Cybersecurity Risk, Password Managers, Cyber Crime, Psychology and UX, Internet of Things (IoT) | In honor of Cybersecurity Awareness Month 2021, the National Cyber Security Alliance and CybSafe have launched the world’s first Cybersecurity Attitudes & Behaviors Report. The research report is the first of its kind. It examines cybersecurity attitudes and behaviors of the general public, shedding light on one of the most important aspects of cyber risk - the human factor.
We Have Root: Even More Advice from Schneier on Security (7/11/2021) Tagged: Leaks (Disclosure of Information), Privacy, National Security Agency, Hackers & Hacking, Security Economics, CyberSecurity, Human Aspects of Security, Cyber Crime, Surveillance - Online, National Security (US), Terrorism - Prevention, Internet of Things (IoT), Law & Policy, Election Security, Surveillance | We Have Root: Even More Advice from Schneier on Security
By Bruce Schneier
Published by John Wiley & Sons, Inc., September 2019. ISBN: 978-1-119-64301-2
“A collection of popular essays from security guru Bruce Schneier”
In his latest collection of …
Cybersecurity: Is It Worse than We Think? (7/10/2021) Tagged: Prioritizing Cybersecurity | [In this article, we] seek to complement the myriad security research notes by investigating specific cybersecurity practices within organizations to evaluate where organizations are showing improvement, where they are stagnant, and what may be influencing these changes. Our results confirm that cyber-security continues to receive attention on the surface, but when looking beyond surface-level impressions a surprising lack of progress is being made.
The Dark Triad and Insider Threats in Cyber Security (7/9/2021) Tagged: Human Psychology, Insider Threats, Personality Traits, Insider Cyber Sabotage | In this article, we focus on a set of pathological personality traits known as the dark triad. Evidence from recent insider threat cases leads us to believe these traits may correlate with intentions to engage in malicious behavior. After discussing insider threats and the dark triad traits, we present results from an empirical study that illustrate the relationship between the dark triad traits and malicious intent. We then discuss the importance of these results and make recommendations for security managers and practitioners based on our findings.
Security Analysis of SMS as a Second Factor of Authentication (7/8/2021) Tagged: Multi-factor Authentication, SMS (Short Message Service) | This article provides some insight into the security challenges of SMS-based multifactor authentication: mainly cellular security deficiencies, exploits in the SS7 (Signaling System No. 7) protocol, and the dangerously simple yet highly efficient fraud method known as SIM (subscriber identity module) swapping. Based on these insights, readers can gauge whether SMS tokens should be used for their online accounts. This article is not an actual analysis of multifactor authentication methods and what can be considered a second (or third, fourth, and so on) factor of authentication; for such a discussion, the author recommends reading security expert Troy Hunt's report on the topic.
Cybersecurity Research for the Future (5/29/2021) Tagged: Artificial Intelligence Research, Cybersecurity Research and Development | Nonetheless, while the dark side is daunting, emerging research, development, and education across interdisciplinary topics addressing cybersecurity and privacy are yielding promising results. The shift from R&D on siloed add-on security, to new fundamental research that is interdisciplinary, and positions privacy, security, and trustworthiness as principal defining objectives, offer opportunities to achieve a shift in the asymmetric playing field.
Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd Ed. (6/7/2020) Tagged: Multilevel Security, Network Attack & Defense, Physical Protection, Psychology and Usability, Side Channels, Economics, Distributed Computing / Distributed Systems, Biometrics, Security Economics, Security Engineering, Cryptography, Copyright and Digital Rights Management, Electronic and Information Warfare | Cambridge University professor Ross Anderson updates his classic textbook and teaches readers how to design, implement, and test systems to withstand both error and attack. The third edition brings it up to date for 2020. As people now go online from phones more than laptops, most servers are in the cloud, online advertising drives the Internet and social networks have taken over much human interaction, many patterns of crime and abuse are the same, but the methods have evolved. Ross Anderson explores what security engineering means in 2020.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (6/6/2020) Tagged: Cyber Intelligence, North Korea, Cyber Warfare, China, Hackers & Hacking, National Security (US), Cyber Terrorism, Cyberspace Operations, Russia, Geopolitics | Few national-security threats are as potent—or as nebulous—as cyber attacks. Ben Buchanan reveals how hackers are transforming spycraft and statecraft, catching us all in the crossfire, whether we know it or not.
The COVID Catalyst (4/29/2020) Tagged: CyberSecurity | Progress in [environmental protection, education, and global health research], however, is wholly dependent upon robust cybersecurity. Without a solid virtual foundation, the ability to move forward in any of these areas will always be held at risk.
Fuzzing: Hack, Art, and Science (4/25/2020) Tagged: Software Security, Security Testing | Fuzzing, or fuzz testing, is the process of finding security vulnerabilities in input-parsing code by repeatedly testing the parser with modified, or fuzzed, inputs. Fuzzing is commonly used as a shorthand for security testing because the vast majority of its applications is for finding security vulnerabilities.
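The process the blurb describes, mutating inputs and watching the parser for behaviour it never intended, is shown below as an added example; it is not code from the article or from any real fuzzer. The record format, the parser, and its bug are all constructed here: the parser trusts a declared length field when locating the checksum, which in Python surfaces as an IndexError and in C would be an out-of-bounds read. The fuzzer is blind (no coverage feedback), which is enough to find this bug from two seed inputs.

```python
"""Mutation-based fuzzing of a constructed binary record parser.

Added illustration for the entry above; not code from the article or any
fuzzer. The record format, the parser, and its bug are all constructed here.
"""
import random
import struct
from functools import reduce
from operator import xor
from typing import Callable, Dict, Sequence, Tuple


class ParseError(Exception):
    """Rejections the parser intends; these are not findings."""


def make_record(rtype: int, payload: bytes) -> bytes:
    """Record = 1-byte type, 2-byte big-endian length, payload, 1-byte XOR checksum."""
    return struct.pack(">BH", rtype, len(payload)) + payload + bytes([reduce(xor, payload, 0)])


def parse_record(data: bytes) -> dict:
    """Parse one record. Deliberate flaw: trusts the declared length to locate the checksum."""
    if len(data) < 4:
        raise ParseError("truncated header")
    rtype, length = struct.unpack(">BH", data[:3])
    if rtype not in (1, 2):
        raise ParseError(f"unknown record type {rtype}")
    payload = data[3:3 + length]          # slicing silently truncates ...
    checksum = data[3 + length]           # ... but indexing by declared length reads past the end
    if reduce(xor, payload, 0) != checksum:
        raise ParseError("checksum mismatch")
    return {"type": rtype, "payload": payload}


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # boundary bytes that often flip sign or length checks


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, boundary byte, insertion, or deletion."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(parser: Callable[[bytes], object], seeds: Sequence[bytes],
         iterations: int = 2000, seed: int = 0) -> Dict[Tuple[str, str], bytes]:
    """Mutate seeds, feed the parser, and keep the first input per distinct unexpected exception."""
    rng = random.Random(seed)               # fixed seed so a run is reproducible
    crashes: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        case = rng.choice(seeds)
        for _ in range(rng.randint(1, 4)):  # stack a few mutations per case
            case = mutate(rng, case)
        try:
            parser(case)
        except ParseError:
            continue                        # rejected on purpose: not a bug
        except Exception as exc:            # anything else is a parser bug
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


# Constructed seed corpus: two well-formed records.
SEEDS = [make_record(1, b"hello"), make_record(2, bytes(range(16)))]


if __name__ == "__main__":
    for (name, msg), case in fuzz(parse_record, SEEDS).items():
        print(f"{name}: {msg}  <- {case.hex()}")
```

The split between ParseError and everything else is the point of the harness: a parser is allowed to reject input, but any other exception means it processed bytes it should have refused. Production fuzzers (AFL, libFuzzer) add coverage feedback so that mutations which reach new code are kept as new seeds; this example omits that step.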
How the Iranian Government Shut Off the Internet (12/22/2019) Tagged: Internet Censorship | Amid widespread demonstrations over rising gasoline prices, Iranians began experiencing internet slowdowns over the past few days that became a near-total internet and mobile data blackout on Saturday. The government is apparently seeking to silence protesters and quell unrest. So how does a country like Iran switch off internet access to a population of more than 80 million? It's not an easy thing to do.
The Privacy Project (12/19/2019) Tagged: Ethics, Internet - Government Policy, Privacy - Right of, Surveillance - Electronic, Surveillance - Mass, Privacy, Social Control, Social Media | The boundaries of privacy are in dispute, and its future is in doubt. Citizens, politicians and business leaders are asking if societies are making the wisest tradeoffs. The Times is embarking on this monthslong project to explore the technology and where it’s taking us, and to convene debate about how it can best help realize human potential.
Schneier on Security – “Crypto-Gram” Newsletter (12/14/2019) Tagged: Computer Security, Cyber Terrorism, Surveillance - Electronic, Books, Privacy, CyberSecurity News, Internet - Government Policy, Classics, Internet Safety, CyberSecurity, Cryptography, Internet Security, Computer Crimes | I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a Special Advisor to IBM Security, a fellow and lecturer at Harvard’s Kennedy School, and a board member of EFF. This personal website expresses the opinions of none of those organizations.
CyberScoop (12/14/2019) Tagged: CyberSecurity News, Security News | CyberScoop is the leading public sector media company reaching top cybersecurity leaders both online and in-person through breaking news, newsletters, events, radio and TV.
Thou Shalt Not Depend on Me (12/14/2019) Tagged: Coding Security, JavaScript Libraries | “Most websites use JavaScript libraries, and many of them are known to be vulnerable. Understanding the scope of the problem, and the many unexpected ways that libraries are included, are only the first steps toward improving the situation. The goal here is that the information included in this article will help inform better tooling, development practices, and educational efforts for the community.”
CyberLaw Podcast (12/14/2019) Tagged: Privacy, Security, Government Policy, Government Regulation | The Cyberlaw Podcast is a weekly interview series and discussion on the latest events in technology, security, privacy, and government. The podcast is hosted by Steptoe & Johnson LLP partner Stewart Baker, who is joined by a wide variety of guests including academics, politicians, authors, and reporters. You can subscribe to the podcast here. It is also available on iTunes, Google Play, Spotify and other podcast platforms.
Lawfare Blog – Cybersecurity (12/14/2019) Tagged: Cyber Crime, Law & Policy, CyberSecurity News, Law of Armed Conflict, International Governance, Espionage - Cyber, CyberSecurity | As our lives become increasingly dependent upon computer systems and cyber technologies grow ever more sophisticated, the internet has emerged as the new battleground of the 21st century. From criminals' stealing credit card and social security number information to foreign governments' hacking into American companies’ information systems, cyber attacks can take on myriad forms, prompting the government to formulate new measures to protect online security. Since cyberwarfare knows no territorial bounds, ensuring cybersecurity will also require international cooperation and an updated understanding of jus ad bellum, as it applies to cyber attacks.
DayZero: Cybersecurity Law and Policy (12/13/2019) Tagged: Cyber Crime, Podcast, Vulnerabilities, Law & Policy, Espionage - Cyber | DayZero dives deep in cybersecurity vulnerabilities, and the crime, espionage, and warfare taking place on networked computers. We look at legislation, practice, and litigation over how to keep our networks and critical infrastructure secure; new and emerging threats and how the policy process responds to them; the relationship between cybersecurity and other security goods; and cybersecurity in American relations with foreign adversaries and allies.
Protecting Against Ransomware (12/13/2019) Tagged: Ransomware, Guidance, CISA Security Tip | Ransomware is a type of malware threat actors use to infect computers and encrypt computer files until a ransom is paid. If the threat actor’s ransom demands are not met, the files or encrypted data will usually remain encrypted and unavailable to the victim.
Krebs’s 3 Basic Rules for Online Safety (12/13/2019) Tagged: Guidance, Personal Security | “Yes, I realize that’s an ambitious title for a blog post about staying secure online, but there are a handful of basic security principles that — if followed religiously — can blunt the majority of malicious threats out there today.”
Security Event Primer – Malware (12/13/2019) Tagged: Guidance, Security Tips, Malware, Computer Security | “While this is beyond the scope of the average daily home-user, it nonetheless provides good information about what you can do to minimize your chances of your computer becoming infected. You can benefit from it even if you don’t understand everything in it.” —WWD Webmaster
Cyber Safety for Students (12/12/2019) Tagged: Guidance, Children - Protecting | “Children present unique security risks when they use a computer—not only do you have to keep them safe, you have to protect the data on your computer. By taking some simple steps, you can dramatically reduce the threats.”
Mindf*ck: Cambridge Analytica and the Plot to Break America (11/18/2019) Tagged: Behavioral Futures Markets, Social Control, Behavioral Modification, Disinformation (Coordinated Inauthentic Behavior), Propaganda, Social Media, Human Psychology | For the first time, the Cambridge Analytica whistleblower tells the inside story of the data mining and psychological manipulation behind the election of Donald Trump and the Brexit referendum, connecting Facebook, WikiLeaks, Russian intelligence, and international hackers.
The Myth of Consumer-Grade Security (10/5/2019) Tagged: Security Engineering, Government Policy, Encryption, Going Dark, National Security Policy | Schneier on Security, August 28, 2019
By Bruce Schneier
“The Department of Justice wants access to encrypted consumer devices but promises not to infiltrate business products or affect critical infrastructure. Yet that's not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement.”
Permanent Record (9/30/2019) Tagged: Surveillance - Mass, Privacy, Surveillance - Electronic | Permanent Record
By Edward Snowden
Published by Metropolitan Books, September 17, 2019
“Edward Snowden, the man who risked everything to expose the US government’s system of mass surveillance, reveals for the first time the story of his life, including how he helped to build that system and what motivated him to try to bring it down.”
Before You Use a Password Manager (9/8/2019) Tagged: Password Managers, Passwords | Medium, June 5, 2019
By Stuart Schechter
“I cringe when I hear self-proclaimed experts implore everyone to “use a password manager for all your passwords” and “turn on two-factor authentication for every site that offers it.” As most of us who perform user research in security quickly learn, advice that may protect one individual may harm another. Each person uses technology differently, has a unique set of skills, and faces different risks.”
The Internet Has Made Dupes—and Cynics—of Us All (8/31/2019) Tagged: Social Control, Propaganda | Wired, June 24, 2019
By Zeynep Tufekci
“Online fakery runs wide and deep, but you don’t need me to tell you that. New species of digital fraud and deception come to light almost every week, if not every day: Russian bots that pretend to be American humans. American bots that pretend to be human trolls. Even humans that pretend to be bots. Yep, some “intelligent assistants,” promoted as advanced conversational AIs, have turned out to be little more than digital puppets operated by poorly paid people.”
National CyberSecurity Awareness Month – October 2019 (8/29/2019) Tagged: Internet Safety | National Cyber Security Alliance
“Under the overarching theme of ‘Own IT. Secure IT. Protect IT.’, the 16th annual National Cybersecurity Awareness Month (NCSAM) is focused on encouraging personal accountability and proactive behavior in security best practices and digital privacy. It is also focused on drawing attention to careers in cybersecurity.”
Fully Device Independent Quantum Key Distribution (8/15/2019) Tagged: Device-Independent Quantum Key Distribution, Quantum Cryptography | Communications of the ACM, April 2019
Research Highlights: "Technical Perspective: Was Edgar Allan Poe Wrong After All?"
By Gilles Brassard
Research Highlights: "Fully Device Independent Quantum Key Distribution"
By Umesh Vazirani, Thomas Vidick
“Artur Ekert realized as early as 1991 that a different kind of quantum cryptography was possible by harnessing entanglement, which is arguably the most nonclassical manifestation of quantum theory. Even though Ekert's original protocol did not offer any security above and beyond my earlier invention with Bennett, he had planted the seed for a revolution. It was realized by several researchers in the mid-2000s that entanglement-based protocols could lead to unconditional security even if they are imperfectly implemented—even if the QKD apparatus is built by the eavesdropper, some argued. For a decade, these purely theoretical ideas remained elusive and seemed to require unreasonable hardware, such as an apparatus the size of the galaxy! Vazirani and Vidick's paper provides an unexpectedly simple and elegant solution, indeed one that is almost within reach of current technology. Once it becomes reality, codemakers will have won the definitive battle, Poe's prophecy notwithstanding.”
Cyber Security in the Quantum Era (8/15/2019) Tagged: Cybersecurity Research and Development, Quantum Computing, Quantum CyberSecurity, Quantum Technologies | Communications of the ACM, April 2019
By Petros Wallden, Elham Kashefi
“The ability to communicate securely and compute efficiently is more important than ever to society. The Internet, and increasingly the Internet of Things, has had a revolutionary impact on our world. Over the next 5-10 years, we will see a flux of new possibilities, as quantum technologies become part of this mainstream computing and communicating landscape. Future networks will certainly consist of both classical and quantum devices and links, some of which are expected to be dishonest, with functionalities of various sophistication, ranging from simple routers to servers executing universal quantum algorithms. The realization of such a complex network of classical and quantum communication must rely on a solid novel foundation that, nevertheless, is able to foresee and handle the intricacies of real-life implementations and novel applications.”
DoD Cyber Strategy – 2018 (4/28/2019) Tagged: Cyber Warfare, Government Policy, China, Russia, North Korea, Iran | Cyber Strategy: Summary, 2018
U.S. Department of Defense
“American prosperity, liberty, and security depend upon open and reliable access to information. The Internet empowers us and enriches our lives by providing ever-greater access to new knowledge, businesses, and services. Computers and network technologies underpin U.S. military warfighting superiority by enabling the Joint Force to gain the information advantage, strike at long distance, and exercise global command and control.”
Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Ed. (4/17/2019) Tagged: Security Engineering, Cryptography, Copyright and Digital Rights Management, Electronic and Information Warfare, Multilevel Security, Network Attack & Defense, Physical Protection, Psychology and Usability, Distributed Computing / Distributed Systems, Economics, Biometrics | “The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here's straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.”
The Market for Stolen Account Credentials (4/13/2019) Tagged: Cyber Crime | Krebs on Security, December 18, 2017
By Brian Krebs
“Today’s post looks at the price of stolen credentials for just about any e-commerce, bank site or popular online service, and provides a glimpse into the fortunes that an enterprising credential thief can earn selling these accounts on consignment.”
The Value of a Hacked Email Account (4/13/2019) Tagged: Cyber Crime, Krebs-The Value of Series | Krebs on Security, July 10, 2013
By Brian Krebs
“This post aims to raise awareness about the street value of a hacked email account, as well as all of the people, personal data, and resources that are put at risk when users neglect to properly safeguard their inboxes.”
The Value of a Hacked Company (4/13/2019) Tagged: Cyber Crime, Krebs-The Value of Series | Krebs on Security, July 14, 2016
By Brian Krebs
“If you help run an organization, consider whether the leadership is investing enough to secure everything that’s riding on top of all that technology powering your mission: Chances are there’s a great deal more at stake than you realize.”
The Big Picture (4/5/2019) Tagged: Secure Systems, Trustworthy Systems | Communications of the ACM, November 2018
By Steven M. Bellovin, Peter G. Neumann
"Cryptography is an enormously useful concept for achieving trustworthy systems and networks; unfortunately, its effectiveness can be severely limited if it is not implemented in systems with sufficient trustworthiness.
It is time to get serious about the dearth of trustworthy systems and the lack of deeper understanding of the risks that result from continuing on a business-as-usual course.”
Deception, Identity, and Security: The Game Theory of Sybil Attacks (4/4/2019) Tagged: Privacy, Cyber Identity, Cyber-Social Systems, Game Theory | Communications of the ACM, January 2019
By William Casey, Ansgar Kellner, et al.
"Along with the low cost of minting and maintaining identities, a lack of constraints on using identities is a primary factor that facilitates adversarial innovations that rely on deception. With these factors in mind, we study the following problem: Will it be possible to engineer a decentralized system that can enforce honest usage of identity via mutual challenges and costly consequences when challenges fail?"
The End of Encryption? NSA & FBI Seek New Backdoors Against Advice from Leading Security Experts (4/4/2019) Tagged: Privacy, Encryption, National Security (US) | Democracy Now!, July 8, 2015
By Juan González & Amy Goodman
Guest: Bruce Schneier
"FBI Director James Comey is set to testify against encryption before the Senate Intelligence Committee today, as the United States and Britain push for “exceptional access” to encrypted communications. Encryption refers to the scrambling of communications so they cannot be read without the correct key or password. The FBI and GCHQ have said they need access to encrypted communications to track criminals and terrorists. Fourteen of the world’s pre-eminent cryptographers, computer scientists and security specialists have issued a paper arguing there is no way to allow the government such access without endangering all confidential data, as well as the broader communications infrastructure. We speak with one of the authors of the paper, leading security technologist Bruce Schneier."
The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (3/6/2019) Tagged: Cyber Warfare, China, National Security (US), Cyber Weapons, Russia, North Korea, Iran | Published by Penguin Random House, June 19, 2018
By David E. Sanger
"The Perfect Weapon is the startling inside story of how the rise of cyberweapons transformed geopolitics like nothing since the invention of the atomic bomb. Cheap to acquire, easy to deny, and usable for a variety of malicious purposes—from crippling infrastructure to sowing discord and doubt—cyber is now the weapon of choice for democracies, dictators, and terrorists."
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (3/1/2019) Tagged: Cryptography, Internet Security | Communications of the ACM, January 2019, Vol. 62 No. 1, Pages 106-114
Research Highlights: “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice”
By David Adrian, Karthikeyan Bhargavan, et al.
"We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed."
Zucked: Waking Up to the Facebook Catastrophe (2/24/2019) Tagged: Zuckerberg (Mark) - Influence, Privacy, Security, Disinformation (Coordinated Inauthentic Behavior), Propaganda, Facebook, Online Social Networks, United States - Politics & Government | "The New York Times bestseller about a noted tech venture capitalist, early mentor to Mark Zuckerberg, and Facebook investor, who wakes up to the serious damage Facebook is doing to our society – and sets out to try to stop it."
Roger McNamee has been a Silicon Valley investor for 35 years. He co-founded successful funds in venture, crossover and private equity. His most recent fund, Elevation, included U2’s Bono as a co-founder. He holds a B.A. from Yale University and…
Secrets & Lies: Digital Security in a Networked World (2/23/2019) Tagged: Computer Security, Computer Networks - Security | Welcome to the businessworld.com. It's digital: Information is more readily accessible than ever. It's inescapably connected: businesses are increasingly--if not totally--dependent on digital communications. But our passion for technology has a price: increased exposure to security threats. Companies around the world need to understand the risks associated with doing business electronically. The answer starts here.
Applied Cryptography: Protocols, Algorithms, and Source Code in C (2/23/2019) | This second edition of the cryptography classic provides you with a comprehensive survey of modern cryptography. The book details how programmers and electronic communications professionals can use cryptography -- the technique of enciphering and deciphering messages -- to maintain the privacy of computer data. It describes dozens of cryptography algorithms, gives practical advice on how to implement them in cryptographic software, and shows how they can be used to solve security problems. Covering the latest developments in practical cryptographic techniques, this new edition shows programmers who design computer applications, networks, and storage systems how they can build security into their software and systems.