TicketMaster has joined the long list of companies to lose their customers' information. As is common, they sent out an email to warn poor sods like me who might have had our details snaffled. Their email is particularly poor and contains a delightful example of how not to communicate issues like this. See if you can spot it: In the same breath as warning their customers to look out for suspicious links in emails, they include two obfuscated Bit.ly links! Anyone can create a Bit.ly link…
Continue reading →
Over the last few weeks, I've had several people ask me about the recent hack on the NHS. A ransomware attack has meant that several hospitals have cancelled operations and there is now an urgent demand for blood donors. What does it say about the state of NHS IT that this attack has happened? Nothing. Because the NHS was not hacked. Instead, a company they use to perform blood tests was attacked. Synnovis is the company responsible - they're the ones who have fallen prey to an attacker.…
Continue reading →
Everyone loves Dark Mode. It is kinder on the eyes, less energy intensive, and looks hecking cool. *5 seconds later* We regret to inform you that Dark Mode causes security bugs. (With apologies to Ben Ward) OK, OK. This isn't a particularly severe security bug, but I found it interesting. The Matrix messaging app "Element" lets you sign in to your account on multiple devices. In order to prove those devices are controlled by you, the app asks you to verify the other sessions. This is…
Continue reading →
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh. "I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call." Your phone buzzes.…
Continue reading →
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...! Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there are some things which are simply impossible for a user to protect against. Take, for example, a SIM-swap attack. You probably have your phone-number tied to all sorts of important…
Continue reading →
It's never great to find out you're wrong, but that's how learning and personal growth happens. HTTP Message Signatures are hard. There are lots of complex parts and getting any aspect wrong means certain death. In a previous post, I wrote A simple(ish) guide to verifying HTTP Message Signatures in PHP. It turns out that it was too simple. And far too trusting. An HTTP Message Signature is a header which is separate to the message it signs. You might receive a JSON message like this: { …
Continue reading →
It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number. I put in a random number, and it refused to let me in. Putting in a genuine O2 number let me through. So what is it doing to validate numbers? It is making an API call to this URl: https://www.o2.co.uk/o/customer/mods/lookup/447700900123 After a bit of testing, this is how I think it works. If you …
Continue reading →
I'm trying to get my head round HTTP Signatures as they're used extensively in the Fediverse. Conceptually, they're relatively straightforward. You send me a normal HTTP request. For example, you want to POST something to https://example.com/data You send me these headers: POST /data Host: example.com Date: Sat, 24 Feb 2024 14:43:48 GMT Accept-Encoding: gzip Digest: SHA-256=aaC57TDzM0Wq+50We2TkCsdMDvdqON92edg7KI+Hk8M= Content-Type: application/activity+json Signature:…
Continue reading →
You type in to your browser's address bar example.com and it automatically redirects you to the https:// version. How does your browser know that it needed to request the more secure version of a website? The answer is... A big list. The HTTP Strict Transport Security (HSTS) list is a list of domain names which have told Google that they always want their website served over https. If the user tries to manually request the insecure version, the browser won't let them. This means that a…
Continue reading →
I've responsibly disclosed a small security issue with Mastodon (GHSA-8982-p7pm-7mqw). It allows a sufficiently determined attacker to use any Mastodon instance to redirect unwary users to a malicious site. What do you think happens if you visit: https://mastodon.social/@PasswordReset/111285045683598517/admin? If you aren't logged in to that instance, it will redirect you to a 3rd party site. Try opening it in a private browser window. Here's another, less convincing, demo: …
Continue reading →
Quite often websites will encourage you to copy and paste commands into your terminal. There are a variety of reasons why this is bad - not least because someone could hide malicious code. That's usually done with a bit of CSS to make the evil command invisible, or using Javascript to inject something unwanted into your keyboard. Here's method that I hadn't seen before. Copy this code and paste it into your terminal to see your external IP address: Notice anything weird about it? Depending …
Continue reading →
The other day, my HP M140w printer stopped working. The day before, it printed fine. This time, nothing. I rebooted, reset, updated, and performed all the modern rituals associated with uncooperative hardware. I logged into to the printer's webserver and clicked around the admin panel. On one page, I found an error message. So, like any self-respecting geek, I ignored what it said and Googled the text. The first result on Google looked hopeful. I clicked on it and, somehow, ended up back on…
Continue reading →
