Thames Water don't get password security

by @edent | 1 comment | Read ~2,781 times.

Thames Water seem to love giving me a new account number each month. That would be fine, but each time they do, I have to manually add that number to my online account. I'm bored of being their data-entry monkey. So, when they rang today, I told them that I expected them to update my…

Responsible Disclosure: SVG injection in Three.co.uk

by @edent | 4 comments | Read ~366 times.
The website has a circle drawn on it.

Here's a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can…

Is LogMeIn leaking email addresses?

by @edent | 2 comments | Read ~292 times.
Fraud alert warning signs.

Like all security minded people, I use a unique email address for every service I sign up to. This week, I noticed I had started receiving spam to an email address associated with my Join.me account. Join.me is a screen sharing service now owned by LogMeIn. I signed up for a trial of Join.me back…

Who can I hire to hack me?

by @edent | Read ~5,497 times.
GitHub screenshot "Insert your security key Press the button on your security key device to finish signing in. If it does not have a button, just re-insert it."

I use a password manager. I have 2FA set up on everything. When an organisation asks me to set a recovery question, I generate a 32 character passphrase. I don't use my mother's maiden name or my first pet's birthday on anything sensitive. I monitor my email addresses for breaches, and I regularly check my…

Episode 23 - Sixty Second Security with Dan Raywood

by @edent
Dan Raywood holding a microphone.

How can you quickly tune up your computer security? Dan Raywood - Contributing Editor at Infosecurity Magazine - shares his wisdom with us. If you're interested in an open source password manager, I'm happy to personally recommend BitWarden. Podcast: https://shkspr.mobi/blog/wp-content/uploads/2019/03/Dan-Security.mp3 (Duration: 1:24, 853.4KB)

I have Thirty-One 2FA codes

by @edent | 3 comments | Read ~340 times.
A long list of 2FA tokens.

Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time…

I have 800 passwords

by @edent | 10 comments | Read ~7,939 times.
Bitwarden vault showing 795 login details.

I've started using BitWarden - the open source password manager. As I've been binge-watching Marie Kondo, I thought it was about time that I deleted all the accounts that I no longer use. I got rid of dozens related to previous employers. I hope the passwords wouldn't work after I left but 🤷‍♂️. I scanned…

Hidden Data in NFC Tags

by @edent | 1 comment | Read ~393 times.
Various NFC icons.

I've just got a set of wearable NFC tags, and I've discovered something interesting about the way data is stored on them. tl;dr Overwriting a tag can leave old data intact, and still readable. Here's the decoded memory layout of a tag with data written to it. In this case, a (failed) experiment at storing…

Harvesting phone numbers and email addresses from GitHub

by @edent | 2 comments | Read ~184 times.
A user's email signature - the phone number has been blurred out.

Code-sharing site GitHub automatically sends email notifications to users. If you've commented on an issue, you'll get an email each time there's an update. That's pretty handy. It also allows users to reply by email. The reply is then automatically posted in the issue thread. Also handy. But a little dangerous. Lots of people have…

€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!

by @edent | 1 comment | Read ~455 times.
Weird confirmation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed…
