Who can I hire to hack me?

by @edent | Read ~5,362 times.
GitHub screenshot "Insert your security key Press the button on your security key device to finish signing in. If it does not have a button, just re-insert it."

I use a password manager. I have 2FA set up on everything. When an organisation asks me to set a recovery question, I generate a 32 character passphrase. I don't use my mother's maiden name or my first pet's birthday on anything sensitive. I monitor my email addresses for breaches, and I regularly check my…

Episode 23 - Sixty Second Security with Dan Raywood

by @edent
Dan Raywood holding a microphone.

How can you quickly tune up your computer security? Dan Raywood - Contributing Editor at Infosecurity Magazine - shares his wisdom with us. If you're interested in an open source password manager, I'm happy to personally recommend BitWarden.

Podcast: https://shkspr.mobi/blog/wp-content/uploads/2019/03/Dan-Security.mp3 (Duration: 1:24 — 853.4KB)

I have Thirty-One 2FA codes

by @edent | 2 comments | Read ~165 times.
A long list of 2FA tokens.

Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time…

I have 800 passwords

by @edent | 10 comments | Read ~7,513 times.
Bitwarden vault showing 795 login details.

I've started using BitWarden - the open source password manager. As I've been binge-watching Marie Kondo, I thought it was about time that I deleted all the accounts that I no longer use. I got rid of dozens related to previous employers. I hope the passwords wouldn't work after I left but 🤷‍♂️. I scanned…

Hidden Data in NFC Tags

by @edent | 1 comment | Read ~281 times.
Various NFC icons.

I've just got a set of wearable NFC tags, and I've discovered something interesting about the way data is stored on them. tl;dr Overwriting a tag can leave old data intact, and still readable. Here's the decoded memory layout of a tag with data written to it. In this case, a (failed) experiment at storing…

Harvesting phone numbers and email addresses from GitHub

by @edent | 2 comments | Read ~136 times.
A user's email signature - the phone number has been blurred out.

Code-sharing site GitHub automatically sends email notifications to users. If you've commented on an issue, you'll get an email each time there's an update. That's pretty handy. It also allows users to reply by email. The reply is then automatically posted in the issue thread. Also handy. But a little dangerous. Lots of people have…

€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!

by @edent | 1 comment | Read ~208 times.
Weird confirmation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed…

$3k Bug Bounty - Twitter's OAuth Mistakes

by @edent | 4 comments | Read ~13,868 times.
A Twitter login screen. Highlighted is the information that it cannot access your DMs.

Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and…

Major sites running unauthenticated JavaScript on their payment pages

by @edent | 9 comments | Read ~26,440 times.
HTML code from Spotify.

A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their…

Should you use SRI for self-hosted scripts?

by @edent | 2 comments | Read ~234 times.

Here's a curiosity which I found while stumbling through the Sony PlayStation store. The website loads internally hosted scripts using SRI (SubResource Integrity). Why? Does your work require you to swipe an ID card to access the building? That seems pretty normal. Does your work also remind you to keep your badge visible, and to…