Building a Legal Botnet in the Cloud
Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but there’s no reason this can’t scale to much larger numbers.
I’d like more information on this.
EDITED TO ADD (8/13): Response from Tails.
A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest’s remote data collection.
Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.
EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.
EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system—the White House is—and how to defend against it.
And a good story on BoingBoing.
A six-hour video of a giant squid dissection from Auckland University of Technology.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Long article on a sophisticated hacking of the NASDAQ stock exchange.
The Maryland Air National Guard needs a new facility for its cyberwar operations:
The purpose of this facility is to house a Network Warfare Group and ISR Squadron. The Cyber mission includes a set of capabilities, expertise to enable the cyber operational need for an always-on, net-speed awareness and integrated operational response with global reach. It enables operators to drive upstream in pursuit of cyber adversaries, and is informed 24/7 by intelligence and all-source information.
Is this something we want the Maryland Air National Guard to get involved in?
The article says they were Chinese but offers no evidence:
The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.
This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.
Here’s some interesting research on foiling traffic analysis of cloud storage systems.
Brian Krebs is reporting that:
The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
It’s actually a very hard problem to solve. The adversary can have unrestricted access to the computer, especially hotel business center computers that are often tucked away where no one else is looking. I assume that if someone has physical access to my computer, he can own it. This is doubly true if he has hardware access.
Sidebar photo of Bruce Schneier by Joe MacInnis.