Strange Encoding Errors in TOTP QR Codes


A QR code.

Not really a security issue, but one which I thought was worth highlighting. It shows the peril of slightly vague specifications. When you scan a 2FA token into your authenticator app via QR code, you get presented with a bunch of information about your account. This lets you store things like the issuer and the…


Why is there no formal specification for otpauth URLs?


A QR code.

Yes yes, Cunningham's law etc etc! I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really. IANA has a provisional registration - but no spec. It links to an archived Google Wiki which, as we'll come on to, isn't sufficient. There's some documentation…


Bitwarden's new username generator is brilliant


Screenshot of Bitwarden generating a username.

I've been using Bitwarden for years. It generates a unique password for every website I visit. There's only been one small problem - I want a unique username for each website. Let me explain. Sometimes websites sell or leak your email address to spammers. If you're using yourname@example.com for every site, you'll never know who…


What's the risk from fake Yubikeys?


Meme in the style of "You Wouldn't Download A Car" saying "You wouldn't take a free USB stick."

I found this on a security-related Slack (shared with permission). It launched an entertaining discussion about the risks of taking a potentially fake FIDO token. We all know the risks of taking a free USB drive and shoving it in our computer, right? USB sticks can install software, act as a keylogger, transmit data over…


Book Review: Information Warfare and Security by Dorothy E. Denning


Book cover showing a CRT monitor behind barbed wire.

I found this book while following a citation trail for my MSc. Published before the 21st Century (fuck, I'm old), it's a run-down of this new-fangled thing called Information Warfare. It covers electronic attacks, espionage, computer security and more. In the last 20 years, depressingly little has changed. If you removed the mentions of ActiveX…


Where are the U2F Rings?


Photo of an NFC ring, taken by Rain Ashford.

The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.…


MSc Assignment 4 - Open Professional Practice - Cyber Security


A padlock engraved into a circuit board.

I'm doing an apprenticeship MSc in Digital Technology. In the spirit of openness, I'm blogging my research and my assignments. This is my paper from the OPP module - where I can choose any subject. I picked Cybersecurity. You can read my Digital Leadership paper, my Data Analytics Paper, and my Business and Technology essay.…


Review: X-Sense Home Security Kit + LoRaWAN


X-Sense products - a hub, two motion sensors, and four open / closed sensors. All in white.

Can you protect your home for £99? That's what this new X-Sense kit I've been sent claims to do. It's a LoRaWAN box with a claimed 2 km range for its variety of low-power sensors. The kit comes with two infrared motion sensors, and four door / window sensors. Here's what it looks like: What's in…


Should you use Let's Encrypt for internal hostnames?


A padlock engraved into a circuit board.

Julien Savoie has written a brilliant post explaining how you can enable https on your intranet. This is useful for several reasons. It means your employees aren't constantly fighting browser warnings when trying to submit stuff internally. All your http traffic is encrypted. You don't need to install a self-generated root certificate on devices. Lovely!…


Responsible Disclosure: Chrome security bug let tabs draw over each other ($1k bounty)


The Google Logo.

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to download and install a spoofed app. See Chrome Bug #1242315 for details. Demo Here's a video of…
