<h2>Cory Doctorow on &lt;i&gt;The Age of Surveillance Capitalism&lt;/i&gt;</h2>

<a href="https://www.schneier.com/blog/archives/2020/08/cory_doctorow_o_2.html"><strong>[2020.08.27]</strong></a> Cory Doctorow has <a href="https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59">writtten an extended rebuttal</a> of <a href="https://www.publicaffairsbooks.com/titles/shoshana-zuboff/the-age-of-surveillance-capitalism/9781610395694/"><i>The Age of Surveillance Capitalism</i></a> by Shoshana Zuboff. He <a href="https://twitter.com/doctorow/status/1298631104983740417">summarized the argument</a> on Twitter. Shorter summary: it’s not the surveillance part, it’s the fact that these companies are monopolies. I think it’s both. Surveillance capitalism has some unique properties that make it particularly unethical and incompatible with a free society, and Zuboff makes them clear in her book. But the current acceptance of monopolies in our society is also extremely damaging — which Doctorow makes clear.

<h2>US Postal Service Files Blockchain Voting Patent</h2>

<a href="https://www.schneier.com/blog/archives/2020/08/us_postal_servi.html"><strong>[2020.08.28]</strong></a> The US Postal Service has filed a <a href="https://pdfaiw.uspto.gov/.aiw?PageNum=0&docid=20200258338">patent</a> on a blockchain voting method: <blockquote><b>Abstract:</b> A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot information in an election. The system separates voter identification and votes to ensure vote anonymity, and stores votes on a distributed ledger in a blockchain</blockquote> I wasn’t going to bother blogging this, but I’ve received enough emails about it that I should comment. As is pretty much <a href="https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html">always the case</a>, blockchain adds nothing. The security of this system has nothing to do with blockchain, and would be better off without it. For voting in particular, blockchain adds to the insecurity. Matt Blaze is <a href="https://twitter.com/mattblaze/status/1034486679925678080">most succinct</a> on that point: <blockquote>Why is blockchain voting a dumb idea? Glad you asked. For starters: <ul><li>It doesn’t solve any problems civil elections actually have. <li>It’s basically incompatible with “software independence”, considered an essential property. <li>It can make ballot secrecy difficult or impossible.</ul></blockquote> Both <a href="https://benlog.com/2017/12/28/blockchain-and-voting/">Ben Adida</a> and <a href="https://twitter.com/matthew_d_green/status/1034549236535152641?ref_src=twsrc%5Etfw">Matthew Green</a> have written longer pieces on blockchain and voting. <a href="https://fortune.com/2020/08/17/usps-patent-voting-by-phone/">News</a> <a href="https://www.digitaltrends.com/news/usps-mail-in-voting-blockchain-election/">articles</a>.

<h2>Seny Kamara on &quot;Crypto for the People&quot;</h2>

<a href="https://www.schneier.com/blog/archives/2020/08/seny_kamara_on_.html"><strong>[2020.08.31]</strong></a> Seny Kamara gave an excellent <a href="https://www.youtube.com/watch?v=Ygq9ci0GFhA">keynote talk</a> this year at the (online) <a href="https://crypto.iacr.org/2020/">CRYPTO Conference</a>. He talked about solving real-world crypto problems for marginalized communities around the world, instead of crypto problems for governments and corporations. Well worth watching and listening to.

<h2>North Korea ATM Hack</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/north_korea_atm.html"><strong>[2020.09.01]</strong></a> The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a">alert</a> describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide: <blockquote>This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme­ — referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”</blockquote> The level of detail is impressive, as seems to be common in CISA’s <a href="https://us-cert.cisa.gov/ncas/alerts">alerts</a> and <a href="https://us-cert.cisa.gov/ncas/analysis-reports">analysis reports</a>.

<h2>Insider Attack on the Carnegie Library</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/insider_attack_3.html"><strong>[2020.09.02]</strong></a> Greg Priore, the person in charge of the rare book room at the Carnegie Library, <a href="https://www.smithsonianmag.com/arts-culture/theft-carnegie-library-books-maps-artworks-180975506/">stole from it</a> for almost two decades before getting caught. It’s a perennial problem: trusted insiders have to be trusted.

<h2>2017 Tesla Hack</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/2017_tesla_hack.html"><strong>[2020.09.03]</strong></a> Interesting <a href="https://electrek.co/2020/08/27/tesla-hack-control-over-entire-fleet/">story</a> of a class break against the entire Tesla fleet.

<h2>Hacking AI-Graded Tests</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/hacking_ai-grad.html"><strong>[2020.09.04]</strong></a> The company Edgenuity sells AI systems for grading tests. Turns out that they <a href="https://www.theverge.com/2020/9/2/21419012/edgenuity-online-class-ai-grading-keyword-mashing-students-school-cheating-algorithm-glitch">just search for keywords</a> without doing any actual semantic analysis.

<h2>Schneier.com is Moving</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/schneiercom_is_.html"><strong>[2020.09.05]</strong></a> I’m switching my website software from Movable Type to WordPress, and moving to a new host. The migration is expected to last from approximately 3 AM EST Monday until 4 PM EST Tuesday. The site will still be visible during that time, but comments will be disabled. (This is to prevent any new comments from disappearing in the move.) This is not a site redesign, so you shouldn’t notice many differences. Even the commenting system is pretty much the same, though you’ll be able to use Markdown instead of HTML if you want to. The conversion to WordPress was done by Automattic, who did an amazing job of getting all of the site’s customizations and complexities — this website is 17 years old — to work on a new platform. Automattic is also providing the new hosting on their Pressable service. I’m not sure I could have done it without them. Hopefully everything will work smoothly.

<h2>More on NIST's Post-Quantum Cryptography</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/more_on_nists_p.html"><strong>[2020.09.08]</strong></a> Back in July, NIST <a href="https://www.schneier.com/blog/archives/2020/07/update_on_nists.html">selected third-round algorithms</a> for its post-quantum cryptography standard. Recently, Daniel Apon of NIST gave a <a href="https://www.scribd.com/document/474476570/PQC-Overview-Aug-2020-NIST">talk</a> detailing the selection criteria. Interesting stuff. NOTE: We’re in the process of moving this blog to WordPress. Comments will be disabled until the move is complete. The management thanks you for your cooperation and support.

<h2>US Space Cybersecurity Directive</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/us-space-cybersecurity-directive.html"><strong>[2020.09.09]</strong></a> The Trump Administration just published “<a href="https://www.whitehouse.gov/wp-content/uploads/2020/09/2020SPD5.mem_.pdf">Space Policy Directive – 5</a>“: “Cybersecurity Principles for Space Systems.” It’s pretty general: <blockquote>Principles. (a) Space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering. Space systems should be developed to continuously monitor, anticipate,and adapt to mitigate evolving malicious cyber activities that could manipulate, deny, degrade, disrupt,destroy, surveil, or eavesdrop on space system operations. Space system configurations should be resourced and actively managed to achieve and maintain an effective and resilient cyber survivability posture throughout the space system lifecycle. (b) Space system owners and operators should develop and implement cybersecurity plans for their space systems that incorporate capabilities to ensure operators or automated control center systems can retain or recover positive control of space vehicles. These plans should also ensure the ability to verify the integrity, confidentiality,and availability of critical functions and the missions, services,and data they enable and provide.</blockquote> These unclassified directives are typically so general that it’s hard to tell whether they actually matter. News <a href="https://www.theverge.com/2020/9/4/21423087/space-policy-directive-5-cybersecurity-threats-satellites">article</a>.

<h2>The Third Edition of Ross Anderson's &lt;i&gt;Security Engineering&lt;/i&gt;</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/the_third_editi.html"><strong>[2020.09.10]</strong></a> Ross Anderson’s fantastic textbook, <a href="https://www.amazon.com/Security-Engineering-Building-Dependable-Distributed/dp/0470068523/"><i>Security Engineering</i></a>, will have a <a href="https://www.amazon.com/Security-Engineering-Building-Dependable-Distributed-dp-1119642787/dp/1119642787/ref=dp_ob_title_bk">third edition</a>. The book won’t be published until December, but Ross has been making drafts of the chapters <a href="https://www.cl.cam.ac.uk/~rja14/book.html">available online</a> as he finishes them. Now that the book is completed, I expect the publisher to make him take the drafts off the Internet. I personally find both the electronic and paper versions to be incredibly useful. Grab an electronic copy now while you still can.

<h2>Ranking National Cyber Power</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/ranking-national-cyber-power.html"><strong>[2020.09.11]</strong></a> Harvard Kennedy School’s Belfer Center published the “<a href="https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf">National Cyber Power Index 2020: Methodology and Analytical Considerations</a>.” The rankings: 1. US, 2. China, 3. UK, 4. Russia, 5. Netherlands, 6. France, 7. Germany, 8. Canada, 9. Japan, 10. Australia, 11. Israel. More countries are in the document. We could — and should — argue about the criteria and the methodology, but it’s good that someone is starting this conversation. <blockquote><b>Executive Summary</b>: The Belfer National Cyber Power Index (NCPI) measures 30 countries’ cyber capabilities in the context of seven national objectives, using 32 intent indicators and 27 capability indicators with evidence collected from publicly available data. In contrast to existing cyber related indices, we believe there is no single measure of cyber power. Cyber Power is made up of multiple components and should be considered in the context of a country’s national objectives. We take an all-of-country approach to measuring cyber power. By considering “all-of-country” we include all aspects under the control of a government where possible. Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation. Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively. The NCPI has identified seven national objectives that countries pursue using cyber means. The seven objectives are: <ol><li>Surveilling and Monitoring Domestic Groups; <li>Strengthening and Enhancing National Cyber Defenses; <li>Controlling and Manipulating the Information Environment; <li>Foreign Intelligence Collection for National Security; <li>Commercial Gain or Enhancing Domestic Industry Growth; <li>Destroying or Disabling an Adversary’s Infrastructure and Capabilities; and, <li>Defining International Cyber Norms and Technical Standards.</ol> In contrast to the broadly held view that cyber power means destroying or disabling an adversary’s infrastructure (commonly referred to as offensive cyber operations), offense is only one of these seven objectives countries pursue using cyber means.</blockquote>

<h2>Interesting Attack on the EMV Smartcard Payment Standard</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/interesting-attack-on-the-emv-smartcard-payment-standard.html"><strong>[2020.09.14]</strong></a> It’s <a href="https://arxiv.org/pdf/2006.08249.pdf">complicated</a>, but it’s basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able to convince the POS terminal to conduct the transaction without requiring the normally required PIN. From a <a href="https://techxplore.com/news/2020-09-outsmarting-pin-code.html">news article</a>: <blockquote>The researchers were able to demonstrate that it is possible to exploit the vulnerability in practice, although it is a fairly complex process. They first developed an Android app and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Incidentally, the researchers did not have to bypass any special security features in the Android operating system to install the app. To obtain unauthorized funds from a third-party credit card, the first mobile phone is used to scan the necessary data from the credit card and transfer it to the second phone. The second phone is then used to simultaneously debit the amount at the checkout, as many cardholders do nowadays. As the app declares that the customer is the authorized user of the credit card, the vendor does not realize that the transaction is fraudulent. The crucial factor is that the app outsmarts the card’s security system. Although the amount is over the limit and requires PIN verification, no code is requested.</blockquote> The paper: “<a href="https://arxiv.org/pdf/2006.08249.pdf">The EMV Standard: Break, Fix, Verify</a>.” <blockquote><b>Abstract:</b> EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages. We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim’s Visa contact-less card for high-value purchases, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties.The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.</blockquote>

<h2>Upcoming Speaking Engagements</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/upcoming-speaking-engagements.html"><strong>[2020.09.14]</strong></a> This is a current list of where and when I am scheduled to speak: <ul> <li>I’m speaking at the <a href="https://www.law.umn.edu/events/cybersecurity-law-policy-scholars-virtual-conference">Cybersecurity Law &amp; Policy Scholars Virtual Conference</a> on September 17, 2020.</li> <li>I’m keynoting the Canadian Internet Registration Authority’s online symposium, <a href="https://member.cira.ca/Events/CanadiansConnected/Events/About.aspx">Canadians Connected</a>, on Wednesday, September 23, 2020.</li> <li>I’m giving a webinar as part of the <a href="https://one-conference.nl/">Online One Conference 2020</a> on September 29, 2020.</li> <li>I’m speaking at the <a href="https://www.isc2.org/Congress">(ISC)² Security Congress 2020</a>, November 16-18, 2020.</li> </ul> The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.

<h2>Privacy Analysis of Ambient Light Sensors</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/privacy-analysis-of-ambient-light-sensors.html"><strong>[2020.09.15]</strong></a> Interesting <a href="https://lukaszolejnik.com/SheddingLightWebPrivacyImpactAssessmentIWPE20.pdf">privacy analysis</a> of the Ambient Light Sensor API. And a <a href="https://blog.lukaszolejnik.com/shedding-light-on-designing-web-features-with-privacy-risks-impact-assessments-case-study/">blog post</a>. Especially note the “Lessons Learned” section.

<h2>How the FIN7 Cybercrime Gang Operates</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/how-the-fin7-cybercrime-gang-operates.html"><strong>[2020.09.16]</strong></a> The Grugq has written an <a href="https://sec.okta.com/articles/2020/08/crimeops-operational-art-cyber-crime">excellent essay</a> on how the Russian cybercriminal gang FIN7 operates. An excerpt: <blockquote>The secret of FIN7’s success is their <b>operational art of cyber crime.</b> They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were. Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement: <blockquote><i>Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.</i></blockquote> How does FIN7 actualize this vision? This is CrimeOps: <ul><li>Repeatable business process <li>CrimeBosses manage workers, projects, data and money. <li>CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more <li>Frontline workers don’t need to innovate (because the process is repeatable)</ul></blockquote>

<h2>New Bluetooth Vulnerability</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/new-bluetooth-vulnerability.html"><strong>[2020.09.17]</strong></a> There’s a new unpatched <a href="https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709">Bluetooth vulnerability</a>: <blockquote>The issue is with a protocol called Cross-Transport Key Derivation (or CTKD, for short). When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKD’s role is to set up two separate authentication keys for that phone: one for a “Bluetooth Low Energy” device, and one for a device using what’s known as the “Basic Rate/Enhanced Data Rate” standard. Different devices require different amounts of data — and battery power — from a phone. Being able to toggle between the standards needed for Bluetooth devices that take a ton of data (like a Chromecast), and those that require a bit less (like a smartwatch) is more efficient. Incidentally, it might also be less secure. According to the researchers, if a phone supports both of those standards but doesn’t require some sort of authentication or permission on the user’s end, a hackery sort who’s within Bluetooth range can use its CTKD connection to derive its own competing key. With that connection, according to the researchers, this sort of erzatz authentication can also allow bad actors to weaken the encryption that these keys use in the first place — which can open its owner up to more attacks further down the road, or perform “man in the middle” style attacks that snoop on unprotected data being sent by the phone’s apps and services.</blockquote> Another <a href="https://www.zdnet.com/article/blurtooth-vulnerability-lets-attackers-overwrite-bluetooth-authentication-keys/">article</a>: <blockquote>Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks, or pairings with rogue devices carried out via social engineering (tricking the human operator). However, patches are expected to be available at one point. When they’ll be, they’ll most likely be integrated as firmware or operating system updates for Bluetooth capable devices. The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as others. The number of vulnerable devices is also unclear and hard to quantify.</blockquote> Many Bluetooth devices can’t be patched. Final note: this seems to be another example of simultaneous discovery: <blockquote>According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.</blockquote>

<h2>Matt Blaze on OTP Radio Stations</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/matt-blaze-on-otp-radio-stations.html"><strong>[2020.09.18]</strong></a> Matt Blaze <a href="https://www.mattblaze.org/blog/neinnines/">discusses</a> (also <a href="https://twitter.com/mattblaze/status/1303769018411757569">here</a>) an interesting mystery about a Cuban one-time-pad radio station, and a random number generator error that probably helped arrest a pair of Russian spies in the US.

<h2>Nihilistic Password Security Questions</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/nihilistic-password-security-questions.html"><strong>[2020.09.18]</strong></a> Posted three years ago, but definitely <a href="https://www.mcsweeneys.net/articles/nihilistic-password-security-questions/">appropriate for the times</a>.

<h2>Former NSA Director Keith Alexander Joins Amazon's Board of Directors</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/former-nsa-director-keith-alexander-joins-amazons-board-of-directors.html"><strong>[2020.09.21]</strong></a> This sounds like a <a href="https://www.zerohedge.com/political/longtime-nsa-chief-who-oversaw-illegal-domestic-surveillance-joins-amazon-board-directors">bad idea</a>.

<h2>Amazon Delivery Drivers Hacking Scheduling System</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/amazon-delivery-drivers-hacking-scheduling-system.html"><strong>[2020.09.22]</strong></a> Amazon drivers — all gig workers who don’t work for the company — are <a href="https://www.bloomberg.com/news/articles/2020-09-01/amazon-drivers-are-hanging-smartphones-in-trees-to-get-more-work">hanging cell phones in trees</a> near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are: <blockquote>The phones in trees seem to serve as master devices that dispatch routes to multiple nearby drivers in on the plot, according to drivers who have observed the process. They believe an unidentified person or entity is acting as an intermediary between Amazon and the drivers and charging drivers to secure more routes, which is against Amazon’s policies. The perpetrators likely dangle multiple phones in the trees to spread the work around to multiple Amazon Flex accounts and avoid detection by Amazon, said Chetan Sharma, a wireless industry consultant. If all the routes were fed through one device, it would be easy for Amazon to detect, he said. “They’re gaming the system in a way that makes it harder for Amazon to figure it out,” Sharma said. “They’re just a step ahead of Amazon’s algorithm and its developers.”</blockquote>

<h2>Interview with the Author of the 2000 Love Bug Virus</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/interview-with-the-author-of-the-2000-love-bug-virus.html"><strong>[2020.09.22]</strong></a> No real surprises, but we finally have <a href="https://www.wired.com/story/the-20-year-hunt-for-the-man-behind-the-love-bug-virus/">the story</a>. <blockquote>The story he went on to tell is strikingly straightforward. De Guzman was poor, and internet access was expensive. He felt that getting online was almost akin to a human right (a view that was ahead of its time). Getting access required a password, so his solution was to steal the passwords from those who’d paid for them. Not that de Guzman regarded this as stealing: He argued that the password holder would get no less access as a result of having their password unknowingly “shared.” (Of course, his logic conveniently ignored the fact that the internet access provider would have to serve two people for the price of one.) De Guzman came up with a solution: a password-stealing program. In hindsight, perhaps his guilt should have been obvious, because this was almost exactly the scheme he’d mapped out in a thesis proposal that had been rejected by his college the previous year.</blockquote>

<h2>Documented Death from a Ransomware Attack</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/documented-death-from-a-ransomware-attack.html"><strong>[2020.09.23]</strong></a> A Dusseldorf woman <a href="https://www.securityweek.com/german-hospital-hacked-patient-taken-another-city-dies">died</a> when a ransomware attack against a hospital forced her to be taken to a different hospital in another city. I think this is the first documented case of a cyberattack causing a fatality. UK hospitals had to redirect patients during the <a href="https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin">2017 WannaCry ransomware attack</a>, but there were no documented fatalities from that event. The police are treating this as a <a href="https://www.bbc.com/news/technology-54204356">homicide</a>.

<h2>Iranian Government Hacking Android</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/iranian-government-hacking-android.html"><strong>[2020.09.24]</strong></a> <i>The New York Times</i> <a href="https://www.nytimes.com/2020/09/18/world/middleeast/iran-hacking-encryption.html">wrote about</a> a still-unreleased report from Chckpoint and the Miaan Group: <blockquote>The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said.</blockquote> It looks like the standard technique of getting the victim to open a document or application.

<h2>CEO of NS8 Charged with Securities Fraud</h2>

<a href="https://www.schneier.com/blog/archives/2020/09/ceo-of-ns8-charged-with-securities-fraud.html"><strong>[2020.09.25]</strong></a> The founder and CEO of the Internet security company <a href="https://www.ns8.com/en-us">NS8</a> has been <a href="https://www.justice.gov/usao-sdny/pr/founder-and-ceo-cyberfraud-prevention-company-arrested-and-charged-securities-fraud">arrested</a> and “charged in a Complaint in Manhattan federal court with securities fraud, fraud in the offer and sale of securities, and wire fraud.” I admit that I’ve never even heard of the company before.