Channel: security – Terence Eden’s Blog

Should browsers remember 2FA codes?

In HTML, the autocomplete attribute is pretty handy. The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements,...


Full Disclosure: XSS in Getty Images

I've spent two months trying to report this issue to Getty images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and...


ProctorU is dystopian spyware

As part of my MSc, I have to take an online exam. Obviously, this means I am highly likely to cheat by looking up things on Wikipedia or by having a bit of paper with notes on it. EVIL! So, the exam...


Responsible Disclosure: Chrome security bug let tabs draw over each other...

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to...


Should you use Let's Encrypt for internal hostnames?

Julien Savoie has written a brilliant post explaining how you can enable https on your intranet. This is useful for several reasons. It means your employees aren't constantly fighting browser warnings...


Review: X-Sense Home Security Kit + LoRaWAN

Can you protect your home for £99? That's what this new X-Sense kit I've been sent claims to do. It's a LoRaWAN box with a claimed 2Km range for its variety of low-power sensors. The kit comes with two...


MSc Assignment 4 - Open Professional Practise - Cyber Security

I'm doing an apprenticeship MSc in Digital Technology. In the spirit of openness, I'm blogging my research and my assignments. This is my paper from the OPP module - where I can choose any subject. I...


Where are the U2F Rings?

The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical...


Book Review: Information Warfare and Security by Dorothy E. Denning

I found this book while following a citation trail for my MSc. Published before the 21st Century (fuck, I'm old) it's a run-down of this new-fangled thing called Information Warfare. It covers...


What's the risk from fake Yubikeys?

I found this on a security-related Slack (shared with permission). It launched an entertaining discussion about the risks of taking a potentially fake FIDO token. We all know the risks of taking a free...


Bitwarden's new username generator is brilliant

I've been using Bitwarden for years. It generates a unique password for every website I visit. There's only been one small problem - I want a unique username for each website. Let me explain. Sometimes...


Why is there no formal specification for otpauth URLs?

Yes yes, Cunningham's law etc etc! I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really. IANA has a provisional registration - but...


Strange Encoding Errors in TOTP QR Codes

Not really a security issue, but one which I thought was worth highlighting. It shows the peril of slightly vague specifications. When you scan a 2FA token into your authenticator app via QR code, you...


I've locked myself out of my digital life

Imagine… Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes. In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A...


Book Review: Rhetoric of InSecurity; The Language of Danger, Fear and Safety...

This would be a best seller if it had been entitled "Everything I learned about national security talks, I learned from Cicero". Preferably dumbed-down to accompany a Netflix series about sexy Romans....


(Nearly) An XSS in Star Wars .com

You remember that bit in Star Wars where the Rebels find the flaw in the Death Star plans and then completely fail to exploit it? Yeah, that's why they don't make movies about inept hackers like me…...


How does Shamir's Secret Sharing deal with the Murder on the Orient Express...

Shamir's Secret Sharing (henceforth "SSS") is clever. Far too clever for most people to understand - but let's give it a go. Suppose you have a super-secure password for a Really Important Thing....


Responsible Disclosure: An Exam Board Touting Dodgy PDFs

I hate academic tests. Wouldn't it be great if you could find the official answer papers? Oh, cool, the OCR Exam Board is hosting answer sheets for all my classes! What happens if I click it? Yeach! It...


Responsible Disclosure: XSS in Macmillan's Website

Another day, another unfiltered reflection of user-supplied content! You know how this goes by now. You type into a search box <em>test and the whole page suddenly turns italic. Luckily, the...


What's the optimal length for a 2FA code?

The other day, a company sent me a 2FA code which was only four digits long. I'll admit, this weirded me out. Surely 4 is just far too short. Right? I think almost every 2FA code I've seen has been 6...
