Schneier on Security

A blog covering security and security technology.

Security Vulnerabilities in Android Firmware

Mon, 11/18/2019 - 06:33
Researchers have discovered and revealed 146 vulnerabilities in various incarnations of Android smartphone firmware. The vulnerabilities were found by scanning the phones of 29 different Android makers, and each is unique to a particular phone or maker. They were found using automatic tools, and it is extremely likely that many of the vulnerabilities are not exploitable -- making them bugs... Bruce Schneier
Categories: Security News

Friday Squid Blogging: Planctotuethis Squid

Fri, 11/15/2019 - 16:13
Neat video, and an impressive-looking squid. I can't figure out how long it is. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier
Categories: Security News

TPM-Fail Attacks Against Cryptographic Coprocessors

Fri, 11/15/2019 - 09:36
Really interesting research: TPM-FAIL: TPM meets Timing and Lattice Attacks, by Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. Abstract: Trusted Platform Module (TPM) serves as a hardware-based root of trust that protects cryptographic keys from privileged system and physical adversaries. In this work, we perform a black-box timing analysis of TPM 2.0 devices deployed on commodity computers. Our... Bruce Schneier
Categories: Security News

Upcoming Speaking Engagements

Thu, 11/14/2019 - 13:17
This is a current list of where and when I am scheduled to speak: I'm speaking on "Securing a World of Physically Capable Computers" at the Indian Institute of Science in Bangalore, India on December 12, 2019. The list is maintained on this page.... Bruce Schneier
Categories: Security News

Technology and Policymakers

Thu, 11/14/2019 - 07:04
Technologists and policymakers largely inhabit two separate worlds. It's an old problem, one that the British scientist CP Snow identified in a 1959 essay entitled The Two Cultures. He called them sciences and humanities, and pointed to the split as a major hindrance to solving the world's problems. The essay was influential -- but 60 years later, nothing has changed.... Bruce Schneier
Categories: Security News

NTSB Investigation of Fatal Driverless Car Accident

Wed, 11/13/2019 - 06:16
Autonomous systems are going to have to do much better than this. The Uber car that hit and killed Elaine Herzberg in Tempe, Ariz., in March 2018 could not recognize all pedestrians, and was being driven by an operator likely distracted by streaming video, according to documents released by the U.S. National Transportation Safety Board (NTSB) this week. But while... Bruce Schneier
Categories: Security News

Identifying and Arresting Ransomware Criminals

Tue, 11/12/2019 - 06:15
The Wall Street Journal has a story about how two people were identified as the perpetrators of a ransomware scheme. They were found because -- as generally happens -- they made mistakes covering their tracks. They were investigated because they had the bad luck of locking up Washington, DC's video surveillance cameras a week before the 2017 inauguration.... Bruce Schneier
Categories: Security News

Fooling Voice Assistants with Lasers

Mon, 11/11/2019 - 06:14
Interesting: Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible -- and sometimes invisible -- commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a... Bruce Schneier
Categories: Security News

Friday Squid Blogging: 80-Foot Steel Kraken Deliberately Sunk

Fri, 11/08/2019 - 16:20
The headline gives the story: "An 80-Foot Steel Kraken Will Create an Artificial Coral Reef Near the British Virgin Islands." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier
Categories: Security News

xHelper Malware for Android

Fri, 11/08/2019 - 06:10
xHelper is not interesting because of its infection mechanism; the user has to side-load an app onto his phone. It's not interesting because of its payload; it seems to do nothing more than show unwanted ads. It's interesting because of its persistence: Furthermore, even if users spot the xHelper service in the Android operating system's Apps section, removing it doesn't... Bruce Schneier
Categories: Security News

Eavesdropping on SMS Messages inside Telco Networks

Thu, 11/07/2019 - 06:05
FireEye reports on a Chinese-sponsored espionage effort to eavesdrop on text messages: FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider... Bruce Schneier
Categories: Security News

Details of an Airbnb Fraud

Wed, 11/06/2019 - 06:19
This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn't do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially hacked the complex sociotechnical system that is Airbnb. The whole... Bruce Schneier
Categories: Security News

Obfuscation as a Privacy Tool

Tue, 11/05/2019 - 06:15
This essay discusses the futility of opting out of surveillance, and suggests data obfuscation as an alternative. We can apply obfuscation in our own lives by using practices and technologies that make use of it, including: The secure browser Tor, which (among other anti-surveillance technologies) muddles our Internet activity with that of other Tor users, concealing our trail in that... Bruce Schneier
Categories: Security News