Facebook fails to curb coronavirus misinformation
As Facebook furloughs its human content moderators, coronavirus misinformation surges on the social media platform. Experts say it could be doing more to stop it.
Features
Secure contact tracing needs more transparent development
Experts worry that without proper planning, today's decisions about developing contact tracing apps could have unforeseen consequences in the years to come.
Phishers target oil and gas industry amid Covid-19 downturn
While a massive flood of attacks has yet to hit the oil and gas industry, cybersecurity experts say this could be the calm before the storm.
Hydroxychloroquine misinformation makes way for political disinformation
Besides putting people’s lives at risk, Trump’s promotion of anti-malarials for Covid-19 patients could pave the way for a coordinated disinformation campaign to take root, experts say.
CanSecWest, the last tech conference standing in the face of the coronavirus
What if someone threw a hacker conference, and nobody showed up?As I boarded a United flight at SFO on March 17, the first day of San Francisco’... Read More...
To protect a political campaign, re-read the Mueller Report
Three things campaigns should learn from Mueller investigation, says Chime’s head of application and infrastructure security: Protect accounts with two-factor authentication, use “least privilege,” and beware of Mimikatz.
Kr00k Wi-Fi flaw exposes a billion devices to hackers
A newly-revealed vulnerability dubbed Kr00k affects more than one billion devices with Broadcom Wi-Fi chips. It's been patched for some but not all of them, and could let hackers steal Wi-Fi passwords and read your data.
Android’s facial-recognition future could rely on skin detection
Trinamix can tell the difference between a living human, a deceased one, a photograph, and a mask—and it could be coming to your next smartphone.
Why stopping stalkerware confounds cybersecurity experts
Stopping stalkerware isn’t easy, say cybersecurity experts, because it challenges legal and social ideas of what malware is.
New Crypto Wars: Hard questions, no answers
The Crypto Wars are back: Top cryptography experts debate the history of data encryption, and how law enforcement fears are driving a demand for backdoors.
Not dead yet: Is browser privacy poised for comeback?
Although it hasn't been a major focus of their time so far, browser privacy is poised to be become prime territory for feature development. Here's what Google, Microsoft, Mozilla, and Brave have to say about themselves and their competition.
How conscious companies can thread IoT’s security and privacy needles
Australian motorcycle helmet maker Forcite is trying to balance utility, safety, and privacy. Here’s a look at today’s challenges in securing connected devices, from Washington to Sydney.
‘If you compromise the bootloader, you pwn the whole phone’
More than two dozen zero-day vulnerabilities revealed in bootloaders of popular devices ranging from Androids to Linksys routers to Samsung TVs strike at the core of digital insecurity.
RCS delivers new texting features—and old security vulnerabilities
RCS brings a feature boost to the 30-year-old texting standard. Google and networks are pushing it hard. But their implementations aren’t ready for prime time, security researchers say.
Poor security, not just password reuse, to blame for Disney+ breach
“Disney did not use any of the best practices that can protect users,” GroupSense’s CEO says. It’s largely to blame for Disney+ credentials selling on the Dark Web at a premium.
Have a Tesla Model 3? This app can track its location
Determined to convince Tesla to add encryption to its Phone Key feature, an Austrian security researcher built an app called Tesla Radar that gamifies Model 3 tracking.
Pwned Android, Chromium devices drive winnings at Tokyo hacker contest
Devices hacked at the Mobile Pwn2Own contest include the Samsung S10, Amazon Echo Show 5, Sony and Samsung smart TVs, and TP-Link and Netgear routers. Total winnings: $315,000.
Amid disinformation campaign take-downs, Facebook employees, execs clash on how to handle political ads
Facebook needs to do more to stem the spread of disinformation on its platforms, employees said in an internal letter, including vetting and labeling political ads. Experts agree.
SafeBreach discloses vulnerabilities in Avast, AVG, Avira
Exploiting the vulnerabilities in the popular antivirus programs requires a hacker to have administrator privileges. This “provides the attacker the ability to run its own malicious code.”
Harris poll backs Google plan to improve password security
Results from a survey of 3,419 respondents in 12 U.S. states supports the implementation of a new password security feature expected in all Google accounts next week.
How bug bounties are fueling hacker entrepreneurs
As the bug bounty business matures, the bounties themselves present opportunities for hacker entrepreneurs to pocket profits while developing an important blend of business skills.
Aviation security is taking off—and taking after car security
At DefCon’s Aviation Village, experts convene to explore planes’ burgeoning hacking vulnerabilities and highlight a need for proactive collaboration to protect their systems.
Colombian loan firm leaks thousands of customer service calls
More than 54,000 leaked customer service calls of Colombian financial-services provider Filialcoop variably include customer names, addresses, and numbers said in confidence.
Biohackers chase Johnny Mnemonic with ‘Pegleg’ implanted hard drive
Using off-the-shelf parts and the help of a nurse enthusiast, a biohacking group designed, built, and subcutaneously implanted three networked hard drives. We inquired and watched.
A hacker’s fall fashion line features faux license plates. Here’s why
LAS VEGAS—Are you too sexy for your license plate? Hacker and fashion designer Kate Rose thinks not. Until now, most antisurveillance fashion has surrounded... Read More...
Trump’s tariffs just about killed DefCon #badgelife
Alongside key U.S. businesses, the desktop manufacturers of unofficial conference badges explain how the president’s trade war against China has put their razor-thin margins at risk.
Privacy impact of Big Tech breakup far from clear
As a chorus of voices pursuing antitrust action against Big Tech grows louder, it’s important to note that even using regulations to protect consumer privacy is far from a simple endeavor.
Android Q adds privacy, fragmentation
A slow spread of privacy- and security-focused updates included in the upcoming version of Google’s mobile operating system will undoubtedly add to criticism of version fragmentation.
This hack could take control of your Ford
Security researcher Dale “Woody” Wooden explains how a hacker could manipulate Ford key fob radio frequency signals to unlock, manipulate, or start the engine of at least two newer Ford models.
Chernobyl’s lessons for critical-infrastructure cybersecurity
Are the nuclear-power industry’s collective responses to the 1986 disaster enough to stave off clever nation-state cyberattacks? The Parallax visits the toxic site and takes a closer look.
6 cybersecurity revelations from the redacted Mueller report
From vulnerability exploits to encrypted messaging, the report outlines tech Russia and Trump associates used to interfere in U.S. elections and stymie Mueller’s investigation.
Meet ‘misinfosec’: Fighting fake news like it’s malware
Whether spreading malware or disinformation, attackers study their targets, create artifacts, and get the artifacts in front of their targets. So why not combat fake news like malware?
WikiLeaks questions remain after London arrest of ‘houseguest from hell’
Security experts worry that U.S. charges against WikiLeaks publisher Assange could scare whistleblowers—or cloud the nature of his relationships with Russia and Trump associates.
‘Memsad’ software rot threatens to leak your digital secrets
IOActive’s director of penetration testing says memsad causes software to expose passwords, keys, and tokens we use to protect our data. And the rot has spread far and wide.
With Backstory, business security takes a page from Google search
Unlike its competitors, the Backstory security data platform, built on Google’s robust infrastructure, is built to retain and surface even years-old Internet traffic data by default.
Why tech still can’t explain its own requests for your data
App functionality or commercial demands sometimes require access to calendars, cameras, or contacts. Here, a basic, if crassly capitalistic, explanation is appropriate.
How Wi-Fi router security has deteriorated since 2003
It’s no secret that few Wi-Fi routers have strong security. It might be alarming, however, to hear that many of today’s high-rated routers have fewer protections than those of 15 years ago, says the CITL research lab at ShmooCon.
What happens to your data when a company dies?
When a company goes under or gets sold, its customer data is often the most valuable asset it holds—one it can usually sell or transfer to another entity, depending on the terms of its privacy policy.
Despite ruling, pro-privacy biometric laws still face long road to change in U.S.
A California judge’s ruling might give weight to privacy advocates’ arguments in future cases regarding forced device log-ins. But it isn’t expected to change much in the near term.
How cybersecurity forecasts got 2018 wrong
Three patterns surface from a look at expectations for the year that turned out wrong: We got lucky, we expected too much, or we were looking in the wrong direction.
Here’s what Facebook shared about you in its latest scandal
Facebook might not sell user data. But it has been trading deep access to it with tech powerhouses Amazon, Netflix, Huawai, and others, according to a New York Times report.
For $3,900, DriveSavers says it can open locked smartphones
DriveSavers isn’t divulging what its “proprietary technology” is or how it works. It is saying, however, that it won’t use its tech to help law enforcement agencies carry out search warrants.
What you need to know about the Marriott breach
Over four years, Marriott hackers accessed millions of guest records, including names, mailing and email addresses, passport numbers, and birth dates. Here’s what we’re learning.
How experts plan to secure the 2020 election
High midterm voter turnout highlighted vulnerabilities in dated voting systems. But new machines aren’t the ticket to a smoother and more secure presidential election, experts say.
Primer: What new DMCA exemptions mean for hackers
New exemptions to the controversial copyright law cover hacks of both software and hardware controlled by code. But they stop short of giving security researchers a free pass.
Open source the secret sauce in secure, affordable voting tech
At the Context Conversations event on election security, veteran software engineer Ben Adida explains how he plans to “build open-source voting machines on commodity hardware.”
7 simple reasons to vote
In a column for The Parallax, Gary McGraw outlines why his band wrote a song that passionately encourages every eligible voter to fill out and submit a ballot.
Funding fights lead to vulnerable votes
Despite knowing that current voting systems are highly vulnerable, lawmakers’ inaction on providing badly needed funding for updates has thus far resulted in maintaining the status quo.
Experts disagree on how to secure absentee votes
Ensuring the integrity and security of a ballot submitted from overseas has long been challenging, and only 7 percent of eligible voters even attempt it. Can technology help?
Context Conversations preview: Election security
At our second event, on November 5, we’ll discuss voting-machine vulnerabilities, effective social-engineering tactics, and how to secure elections while respecting democratic values.
Facebook was breached. Here’s what we know (and don’t)
Like last week’s Kavanaugh hearings, Facebook’s acknowledgment of a cyberattack that led to a mass account reset alarmed officials and left key questions unanswered.
New botnet Torii showcases next stage of IoT abuse, researchers say
Torii, named after the Japanese word for “gate,” uses Tor and its network of anonymously linked computers to both obscure Internet traffic and steal data, Avast researchers say.
Tech execs to senators: Regulate us, but not too much
Tech firms would like one privacy law to cover all U.S. communications—as long as it’s not as strict as the GDPR and also supersedes any pesky state regulations like the CCPA.
Why health care cybersecurity is in ‘critical condition’
Without regulatory pressure to enforce a federal health care cybersecurity task force’s recommendations, involved experts acknowledge, industry progress will remain slow.
Who foots the bill for medical IoT security?
For implanted medical devices, where a faulty update could harm or even kill a patient, a doctor’s office visit is in order. With no billing code, hospitals have been eating the costs.
To prevent EHR breaches, stop using them (Q&A)
Cluttered EHRs are reducing doctors’ ability to make good decisions for their patients while decreasing patient privacy, argues Twila Brase, author of Big Brother in the Exam Room.
How weak IoT gadgets can sicken a hospital’s network
Default device authentication settings, insufficient patches, and internal networks that assume all participants are trusted can lead to health care operations-thwarting infections.
How to recover from a health care data breach
You can’t personally prevent a data breach, nor someone from attempting to defraud your insurance provider. But you can take steps to minimize how much a breach can affect you.
Triaging modern medicine’s cybersecurity issues
As technology has become the lifeblood of the health care industry, hospitals and patient care clinics are often ill-equipped to confront a Hydra-headed cybersecurity monstrosity.
Ransomware attacks against hospitals: A timeline
To get a clearer picture of how pervasive ransomware attacks against hospitals and patient care clinics have become, check out the publicly acknowledged cases since 2016.
Remember Stasi spying to understand the GDPR
There’s no understanding trans-Atlantic privacy politics, nor policy, without recognizing Germany’s pre-1989 memories of the Stasi regime, which enforced conformity through spying.
Please stop sending sensitive messages via Slack
So-called private channels and encryption aren’t necessarily enough to keep our chats private. How each messaging service sends and stores our data is confusingly inconsistent.
Context Conversations preview: Medsec with Jacki Monson and Josh Corman
Medical-security researchers are having a harder time getting people to take flaws seriously than discovering serious flaws. We’ll discuss the most pressing issues at Context Conversations.
NSA leader to hackers: Cybersecurity’s a team sport
On stage at DefCon, veteran NSA leader Rob Joyce says the agency’s ability to monitor and counteract international cyberattacks relies on recruiting—and working well—with hackers.
How a European Commission antitrust ruling could impact Android privacy
European regulators fined Google for abusing power and demanded that it relaxes restrictions on Android vendors. What could a privacy-focused phone maker do with this new latitude?
There’s more to election integrity than secure voting machines
Registration, tabulation, social media—there are other aspects of elections we need to better secure, say experts who examined eight notoriously insecure Winvote machines.
In post-massacre Vegas, security policies clash with privacy values
Following the massacre from the Mandalay Bay, hotel security personnel began routinely checking rooms. They’re now clashing with privacy advocates attending security conferences.
Black Hat attendees are surprisingly lax about encryption
There might be no better way to reveal just how lax we still are about encryption than to highlight security professionals’ own unprotected communications.
Google’s ‘Security Princess’ calls for stronger collaboration
Parisa Tabriz, head of Chrome security and leader of Project Zero, calls out Google’s leadership approach in Internet security as a combination of muscle and joint efforts.
App nutrition labels? Hackers disagree on software bill of materials
Hackers are divided on the prospects of SBOM standards. Some say they could reduce many patching obstacles. Others worry that they could do more harm than good.
Get an extortion scam email? Here’s what to do
The extortion scam email looks legitimate because it contains accurate personal information. It says it has webcam evidence of online porn consumption and demands thousands of dollars in bitcoin.
Verizon’s VPN: security boon or privacy boondoggle?
As VPN services face increasing obstacles across the globe, the key to their success is in the details. And Verizon is lacking in details about its data collection practices.
Bletchley Park’s WWII lessons for today’s hackers
Touring the British wartime relic, one might hear: Keep your team focused. Educate and motivate. Be wary of your enemies’ mutual tools. And use deception to keep them off your trail.
Primer: Why Google is pushing HTTPS
In updating its dominant Chrome browser to red-flag sites lacking HTTPS as insecure, Google completes a two-year project to strong-arm site owners into more safely transmitting data.
When hackers target a conference code of conduct
A lackluster response to speaker harassment by attendees wearing MAGA gear underscores an ongoing struggle among conference organizers to enforce codes of conduct.
Biohacker’s latest answer to health care hurdles: Homebrew meds
At the HOPE hacker conference, a talk about turning oxycodone into its overdose antidote prompts a broader look at the expanding definition—and increasing relevance—of biohacking.
Mueller’s indictment of election hackers a cybersecurity ‘wake-up call’
The technically detailed indictment of 12 Russian GRU officers implies a struggle to find appropriate and effective cybersecurity deterrents to geopolitical hacking, experts say.
On doctors’ orders, Israel plans a health care CERT
“A CERT is like FEMA for cyber,” one expert says. Post-WannaCry, Israel is following the Netherlands, England, and Norway in creating a health care CERT.
Four things to note about the Supreme Court’s location privacy ruling
In its 5-4 decision that police need a search warrant to obtain a target’s location data, the Supreme Court says in Carpenter vs. United States that carrying a phone is “indispensable to participation in modern society.”
Meet WeChat, the app that’s ‘everything’ in China
A billion-plus people use WeChat to chat, pay, and shop. But while its walled-garden success puts Facebook and Apple’s messaging apps to shame, the success comes with only-in-China costs.
FBI’s router reboot call reminds us why to check for updates
The VPNFilter botnet could collect information and block network traffic, the FBI said. Beyond rebooting our routers, we should be keeping their firmware up-to-date. Here’s how.
Primer: What DDoS attacks could mean for IoT
Distributed denial-of-service (DDoS) attacks, which hackers have used for decades to pester online organizations, are expected to plague the Internet of Things. Here’s why.
Apple’s Safari to Facebook’s Like and Share buttons: Dislike
The 12th version of Apple’s browser will expand its Intelligent Tracking Prevention to shield users from tracking related to social networks’ commenting systems. Here’s why.
How updated privacy policies could make GDPR the global standard
While the privacy regulations focus on protecting EU residents, regulators like the FTC could force major companies to abide by their GDPR-compliant policies around the world.
20 years on, L0pht hackers return to D.C. with dire warnings
Two decades after presenting at the Senate’s first cybersecurity hearing, veteran L0pht hackers Kingpin, Mudge, Weld Pond, and Space Rogue reflect on progress and urge for much more.
IoT regulation is coming, regardless of what Washington does
The state of Internet of Things security stinks, experts say. And while device manufacturers and lawmakers aren’t anxious to address it, there are clear signs of influence from other actors. IoT regulation is likely on its way.
Fragmentation likely to hinder Android P’s security chops
As Google prepares to release Android P, which is packed with security features, experts note that efforts to address the mobile OS’ version fragmentation “plague” can only go so far.
Industrial systems need to prepare for the ‘big one’—but they’re not
You can’t prevent a major earthquake or critical-infrastructure hack, but you can prepare for one. So are industrial-security experts focused on seismic retrofits and post-hack kits?
What ‘EFail’ means for your email privacy
Despite the legitimacy of the findings in new security research report EFail, experts caution that calls to abandon PGP- and S/MIME-protected email for Signal are irresponsible.
With .app, Google plans to build a safer Web
The top-level domain, which Google bought in 2015, is designed to host the Web presence of mobile apps. One key .app security feature that sets it apart: HTTPS is turned on by default.
Even North Korea has an antivirus program—but it’s used for spying
When researchers inspected the ingredients of SiliVaccine, North Korea-developed Windows antivirus software, they found a mix of spyware and old stolen Trend Micro code.
Twitter politely requests: Please reset your password
In revealing that it had been storing unencrypted user passwords, the social media company requests, but doesn’t force, Twitter password resets of its 330 million users—the “bare minimum for doing right” by them, one expert says.
After Russia warning, hole found in leading industrial-control software
Industrial facilities ranging from oil rigs to breweries use Schneider software to monitor and control their machines. Hacks could have serious commercial or safety implications.
Primer: What’s a zero-day?
They’re key to advanced persistent threats. They’re increasingly simple. And they’re called zero-days because there’s essentially no time to patch them before a potential cybercriminal exploit.
How Facebook fights fake news with machine learning and human insights
Fighting the spread of fake news bears similarities to fighting spam. Using tech and human insights, Facebook is essentially filtering it via flagging, fact checking, and feed demotion.
Backing WebAuthn, tech giants inch closer to killing passwords
The WebAuthn authentication protocol, backed by Google, Microsoft, PayPal, and others (but notably not Apple), uses physical second factors like phones, and supports biometrics.
For critical systems, “just patch it” is a paradox
Software updates and security patches for critical-infrastructure systems like those of hospitals, 911 dispatchers, and power plants aren’t easy or cheap. But there’s no excuse, experts say, for neglecting them.
Bug bounties have bugs of their own
At BSides and RSA, bug bounty experts Amit Elazari and Katie Moussouris say today’s programs lack adequate "safe harbor" hacker protections and vulnerability-patching requirements.
Most phishers using Gmail are actually Nigerians targeting Americans
About 40 percent of Gmail accounts used to phish for log-ins were recently operating out of Nigeria, Google researchers say, and half of them were targeting people in the United States.
Bills targeting sex trafficking to lead to crackdown on anonymous posts?
FOSTA and SESTA remove legal protections from online services that “knowingly” facilitate prostitution. Critics say ambiguity over liability may lead sites to major site changes.