Latest Essays

How Long Until Hackers Start Faking Leaked Documents?

There’s nothing stopping attackers from manipulating the data they make public.

  • Bruce Schneier
  • The Atlantic
  • September 13, 2016

In the past few years, the devastating effects of hackers breaking into an organization's network, stealing confidential data, and publishing everything have been made clear. It happened to the Democratic National Committee, to Sony, to the National Security Agency, to the cyber-arms weapons manufacturer Hacking Team, to the online adultery site Ashley Madison, and to the Panamanian tax-evasion law firm Mossack Fonseca.

This style of attack is known as organizational doxing. The hackers, in some cases individuals and in others nation-states, are out to make political points by revealing proprietary, secret, and sometimes incriminating information.

Read More →

Someone Is Learning How to Take Down the Internet

  • Bruce Schneier
  • Lawfare
  • September 13, 2016

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large a large nation state. China and Russia would be my first guesses.

Read More →

Stop Trying to Fix the User

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2016

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that.

Read More →

New Leaks Prove It: The NSA Is Putting Us All at Risk to Be Hacked

  • Bruce Schneier
  • Vox
  • August 24, 2016

The National Security Agency is lying to us. We know that because of data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers. Those vulnerabilities aren't being reported, and aren't getting fixed, making your computers and networks unsafe.

Read More →

Hackers Are Putting U.S. Election at Risk

  • Bruce Schneier
  • CNN
  • July 28, 2016

Russia has attacked the U.S. in cyberspace in an attempt to influence our national election, many experts have concluded. We need to take this national security threat seriously and both respond and defend, despite the partisan nature of this particular attack.

There is virtually no debate about that, either from the technical experts who analyzed the attack last month or the FBI which is analyzing it now.

Read More →

By November, Russian Hackers Could Target Voting Machines

If Russia really is responsible, there's no reason political interference would end with the DNC emails.

  • Bruce Schneier
  • The Washington Post
  • July 27, 2016

Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly concluded.

The FBI is investigating. WikiLeaks promises there is more data to come.

Read More →

The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters

  • Bruce Schneier
  • Motherboard
  • July 25, 2016

Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die.

Read More →

Credential Stealing as Attack Vector

  • Bruce Schneier
  • Xconomy
  • April 20, 2016

Portuguese translation

Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits vulnerabilities. We have automatic patching systems to fix vulnerabilities. We debate whether the FBI should be permitted to introduce vulnerabilities in our software so it can get access to systems with a warrant.

Read More →

The Value of Encryption

  • Bruce Schneier
  • The Ripon Forum
  • April 2016

In today's world of ubiquitous computers and networks, it's hard to overstate the value of encryption. Quite simply, encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your cell phone conversations from eavesdroppers.

Read More →

Can You Trust IRS to Keep Your Tax Data Secure?

  • Bruce Schneier
  • CNN
  • April 13, 2016

Monday is Tax Day. Many of us are thinking about our taxes. Are they too high or too low? What's our money being spent on? Do we have a government worth paying for?

Read More →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.