Security news that informs and inspires

All Articles

959 articles:

Efail Is Not a Death Knell For Encrypted Email

The Efail attacks on encrypted email clients implementing OpenPGP or S/MIME are serious, but there are mitigations and defenses available for users.

Encryption

Secure Data Act Bans Crypto Backdoors

A new bill would prevent government agencies from mandating backdoors in encrypted hardware or software products.

Encryption, Legislation

Don’t Try This at Home: Chip Decapsulation

Mikhail Davidov decided to see what it would take to develop a process to manually decapsulate chips. After months of work, experimentation, and trial and error, he succeeded.

Hardware

Georgia Hack Back Bill Vetoed

The bill in Georgia that would have legalized active defense measures and outlawed some security research was vetoed by the state's governor.

Legislation

Users Need More Than Minimal Breach Disclosure

Companies get away with disclosing just the bare minimum, or dribble out the bad news to the point where no one is paying attention. We need to hold companies to a higher set of expectations.

Data Breaches, Data Breach Notification

The Upside of the Twitter Password Bug

The Twitter password bug caused an uproar, but the company's handling of it shows the potential value of being transparent about security.

Twitter

Google Asylo Lets Devs Build Confidential Computing Apps

Protect the data at rest and in transit. How about while in use? Google’s open source framework Asylo helps developers use secure enclaves with their applications without having to know the specifics of how TEEs work or learning how to use specialized tools.

Google, Cloud, Appdev, Encryption, Tools

Updated NIST Cybersecurity Framework Emphasizes Access Control & Supply Chain Risk

The National Institute of Standards and Technology (NIST) released its version 1.1 update to the 1.0 version of their Framework for Improving Critical Infrastructure Cybersecurity, last updated in 2014.

Nist, Cybersecurity, Access Controls, Access Control Security, Supply Chain

Rowhammer, Android and the Future of Hardware Attacks

A team from a Dutch university have developed an attack that can remotely compromise some Android devices using the Rowhammer technique.

Rowhammer, Android

Find Phishing Sites in Certificate Transparency Logs

Mining Certificate Transparency logs can help uncover phishing sites using spoofed domain names, but it’s hard to do. Facebook has updated its Certificate Transparency Monitoring tool to notify website owners when their sites are being spoofed for malicious use.

Phishing, Certificate Authority, Ssl Certificates, Tools

Hack Back Bill Looms in Georgia

The Georgia governor may soon sign a bill that would legalize active cybersecurity defense measures.

Legislation

Amazon Joins Google in Shutting Down Domain Fronting

Recent changes by Google to Google App Engine and Amazon to Amazon CloudFront has shut down domain fronting. App developers will have to consider other options if they want to disguise their app’s network traffic to evade network blocks and government censors.

Internet, Networking

Privacy, Human Rights Groups Decry Russian Ban on Telegram

Russia's ban of Telegram, the encrypted messaging app, is drawing criticism from privacy and human rights groups.

Encryption

Key Escrow By Any Other Name is Still Key Escrow

Ray Ozzie's Clear key escrow proposal for decrypting devices relies on a secure processor that doesn't yet exist.

Encryption

Zero + Zero + Zero = Trusted?

There is renewed interest in the zero trust security model as everyone tries to make sense out of how to get better security through "no trust." CIOs and CISOs should be looking at thinking about how this security model relates to their organizations.

Ciso, Google Beyondcorp