infosec Archive

After being outed for massive hack and installing an NSA "rootkit," Yahoo cancels earnings call

What do you do if your ailing internet giant has been outed for losing, and then keeping silent about, 500 million user accounts, then letting American spy agencies install a rootkit on its mail service, possibly scuttling its impending, hail-mary acquisition by a risk-averse, old economy phone company? Just cancel your investor call and with it, any chance of awkward, on-the-record questions. (via /.)  …

Joi Ito interviews Barack Obama for Wired: machine learning, neurodiversity, basic research and Star Trek

Joi Ito (previously) — director of MIT Media Lab, former Creative Commons chief, investor, entrepreneur, and happy mutant — interviewed Barack Obama for a special, Obama-edited issue of Wired. The two covered the ethical implications of machine learning, diversity in tech, neurodiversity, the collapse of funding for basic research, precision medicine, high-speed trading, cybersecurity, robots taking our jobs, internet regulation, space travel, and …

The clumsy, amateurish IoT botnet has now infected devices in virtually all of the world's countries

Mirai, the clumsily written Internet of Things virus that harnessed so many devices in an attack on journalist Brian Krebs that it overloaded Akamai, has now spread to devices in either 164 or 177 countries — that is, pretty much everywhere with reliable electricity and internet access. Imperva, a company that provides protection to websites against Distributed Denial of Service …

Johnson & Johnson says people with diabetes don't need to worry about potentially lethal wireless attacks on insulin pumps

Rapid7 security researcher Jay Radcliffe (previously) has Type I diabetes, and has taken a personal interest in rooting out vulnerabilities in the networked, wireless-equipped blood-sugar monitors and insulin pumps marketed to people with diabetes, repeatedly discovering potentially lethal defects in these devices. Recently, Radcliffe revealed that Johnson & Johnson’s 2008 Animas Onetouch Ping insulin pump did not encrypt communications between it and its remote …

Electronic voting machines suck, the comprehensive 2016 election edition

It’s been thirteen years since we started writing here about the shenanigans of the electronic voting machine industry, who were given a gift when, after the contested 2000 elections, Congress and the Supreme Court signaled that elections officials had to go and buy new machines. Over the past decade-plus, it’s only gotten worse. There was that time that Diebold sent thousands of …

Your next DDoS attack, brought to you courtesy of the IoT

The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding. Symantec reports on the rising trend in …

EFF to court: don't let US government prosecute professor over his book about securing computers

In July, the Electronic Frontier Foundation filed a federal lawsuit on behalf of Dr Matthew Green, a Johns Hopkins Information Security Institute Assistant Professor of Computer Science; now the US government has asked a court to dismiss Dr Green’s claims. A brief from EFF explains what’s at stake here: the right of security experts to tell us which computers are vulnerable to attack, and …

Didi Chuxing makes information security push with new U.S. research lab and hires

Didi Chuxing, China’s largest ride-hailing company, has hired two distinguished security experts to lead a new U.S.-based research center as part of a major push to increase its data security efforts. Dr Fengmin Gong, whose 30-year work history includes starting Palo Alto Networks and selling it to FireEye, and Zheng Bu, who worked with Gong at FireEye and spent time with McAfee among other employers, have taken key positions at the company, Didi announced today. …

The democratization of censorship: when anyone can kill a site as effectively as a government can

On the eve of the Stuxnet attacks, half a decade ago, I found myself discussing what it all meant with William Gibson (I’d just interviewed him on stage in London), and I said, “I think the most significant thing about any of these sophisticated, government-backed attacks is that they will eventually turn into a cheap and easy weapon that technically unskilled people can deploy …

HTML standardization group calls on W3C to protect security researchers from DRM

The World Wide Web Consortium has embarked upon an ill-advised project to standardize Digital Rights Management (DRM) for video at the behest of companies like Netflix; in so doing, they are, for the first time, making a standard whose implementations will be covered under anti-circumvention laws like Section 1201 of the DMCA, which makes it a potential felony to reveal defects in products without the …