Category: cybersecurity

Auto Added by WPeMatico

CVE Program Almost Unfunded

Posted on By infossl
cybersecurity, dhs, national security policy, Security technology, Uncategorized, vulnerabilities

Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute. This is a big deal. The CVE program is one of those pieces of common … Read More “CVE Program Almost Unfunded” »

Arguing Against CALEA

Posted on By infossl
CALEA, cybersecurity, eavesdropping, national security policy, Security technology, telecom, Uncategorized

At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that … Read More “Arguing Against CALEA” »

Rational Astrologies and Security

Posted on By infossl
cybersecurity, psychology of security, Security technology, security theater, Uncategorized

John Kelsey and I wrote a short paper for the Rossfest Festschrift: “Rational Astrologies and Security“: There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational astrology. First identified by Randy Steve Waldman [Wal12], … Read More “Rational Astrologies and Security” »

Python Developers Targeted with Malware During Fake Job Interviews

Posted on By infossl
cybersecurity, malware, North Korea, Security technology, social engineering, threat models, Uncategorized

Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, … Read More “Python Developers Targeted with Malware During Fake Job Interviews” »

On the Cyber Safety Review Board

Posted on By infossl
computer security, cybersecurity, hacking, Security technology, Uncategorized

When an airplane crashes, impartial investigatory bodies leap into action, empowered by law to unearth what happened and why. But there is no such empowered and impartial body to investigate CrowdStrike’s faulty update that recently unfolded, ensnarling banks, airlines, and emergency services to the tune of billions of dollars. We need one. To be sure, … Read More “On the Cyber Safety Review Board” »

Providing Security Updates to Automobile Software

Posted on By infossl
books, cars, cybersecurity, Security technology, software, Uncategorized

Auto manufacturers are just starting to realize the problems of supporting the software in older models: Today’s phones are able to receive updates six to eight years after their purchase date. Samsung and Google provide Android OS updates and security updates for seven years. Apple halts servicing products seven years after they stop selling them. … Read More “Providing Security Updates to Automobile Software” »

Using LLMs to Exploit Vulnerabilities

Posted on By infossl
academic papers, artificial intelligence, cyberattack, cybersecurity, LLM, Security technology, Uncategorized, vulnerabilities, zero-day

Interesting research: “Teams of LLM Agents can Exploit Zero-Day Vulnerabilities.” Abstract: LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the vulnerability and toy capture-the-flag problems. However, these agents still perform poorly on real-world vulnerabilities that are … Read More “Using LLMs to Exploit Vulnerabilities” »

Security and Human Behavior (SHB) 2024

Posted on By infossl
conferences, cybersecurity, security conferences, Security technology, Uncategorized

This week, I hosted the seventeenth Workshop on Security and Human Behavior at the Harvard Kennedy School. This is the first workshop since our co-founder, Ross Anderson, died unexpectedly. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security. The fifty or so attendees include psychologists, economists, … Read More “Security and Human Behavior (SHB) 2024” »