https://schneier.com

Schneier on Security
Clever Social Engineering Attack Using Captchas

This is really interesting. It’s a phishing attack targeting GitHub users, tricking them into solving a fake Captcha that actually runs a script that is copied to the command line.

Clever.

Tags: captchas, malware, social engineering
Posted on September 20, 2024 at 11:32 AM • 5 Comments

Remotely Exploding Pagers

Wow.

It seems they all exploded simultaneously, which means they were triggered. Were they each tampered with physically, or did someone figure out how to trigger a thermal runaway remotely? Supply chain attack? Malicious code update, or natural vulnerability?

I have no idea, but I expect we will all learn over the next few days.

EDITED TO ADD: I’m reading nine killed and 2,800 injured. That’s a lot of collateral damage. (I haven’t seen a good number as to the number of pagers yet.)

EDITED TO ADD: Reuters writes: “The pagers that detonated were the latest model brought in by Hezbollah in recent months, three security sources said.” That implies supply chain attack. And it seems to be a large detonation for an overloaded battery.

This reminds me of the 1996 assassination of Yahya Ayyash using a booby trapped cellphone.

EDITED TO ADD: I am deleting political comments. On this blog, let’s stick to the tech and the security ramifications of the threat.

EDITED TO ADD (9/18): More explosions today, this time radios. Good New York Times explainer. And a Wall Street Journal article. Clearly a physical supply chain attack.

EDITED TO ADD (9/18): Four more good articles.

Tags: bombs, Hezbollah, terrorism
Posted on September 17, 2024 at 11:54 AM • 95 Comments

Legacy Ivanti Cloud Service Appliance Being Exploited

CISA wants everyone—and government agencies in particular—to remove or upgrade an Ivanti Cloud Service Appliance (CSA) that is no longer being supported.
Welcome to the security nightmare that is the Internet of Things.

Tags: Internet of Things, patching
Posted on September 16, 2024 at 10:49 AM • 4 Comments

Friday Squid Blogging: Squid as a Legislative Negotiating Tactic

This is an odd story of serving squid during legislative negotiations in the Philippines.

Blog moderation policy.

Tags: squid
Posted on September 13, 2024 at 5:00 PM

Microsoft Is Adding New Cryptography Algorithms

Microsoft is updating SymCrypt, its core cryptographic library, with new quantum-secure algorithms. Microsoft’s details are here. From a news article:

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren’t vulnerable to Shor’s algorithm when the keys are of a sufficient size.

The ML in the ML-KEM name refers to Module Learning with Errors, a problem that can’t be cracked with Shor’s algorithm. As explained here, this problem is based on a “core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency.”

ML-KEM, which is formally known as FIPS 203, specifies three parameter sets of varying security strength denoted as ML-KEM-512, ML-KEM-768, and ML-KEM-1024. The stronger the parameter, the more computational resources are required.

The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it’s based on “stateful hash-based signature schemes.” These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses.
Tags: cryptography, Microsoft, quantum computing
Posted on September 12, 2024 at 11:42 AM • 10 Comments

About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc. This personal website expresses the opinions of none of those organizations.