Terence Eden’s Blog

Prism and Plausible Deniability

· 1 comment · 350 words


The leaders of several huge corporations have issued statements saying that their companies do not allow the US Government to illegally spy on their users. I'm sure they believe that. I'd even go so far as to say that I'm sure the entire board and top management genuinely have no knowledge of any malfeasance. Why would they? We're talking about spies - experts in the art of subterfuge and…

Caution Needed When Using CloudFlare and Better WP Security

· 6 comments · 500 words · Viewed ~2,399 times


There's a nasty WordPress hack doing the rounds at the moment. Essentially, it looks for WordPress blogs and then tries to log in to them using common username / password combinations. If you're still using "admin" and "secret" - now is the time to change them! I've started using Better WP Security on my blogs. It automatically takes care of securing WordPress against the most common forms of …

What Can Android Learn From Symbian's Security Model?

· 2 comments · 450 words · Viewed ~745 times


More bad news for Android owners. A huge Russian malware operation is infecting Android apps in the Google Play Store. The malware - hopefully now removed - hijacks your personal details, and sends premium rate text messages to drive profits for its owners. Nasty. This is the price we pay for Android's open access policy. iPhone users can smirk all they want - but I like being able to…

Why Aren't Terrorists Bombing Queues?

· 450 words


In 2010 I wrote a blog post called "Why Aren't Terrorists Bombing the Queues?" - but I chickened out of publishing it. Bombing a plane is hard, you have to buy a ticket, get past airport security, detonate it at just the right time, etc. By comparison, anyone can walk into a busy airport - say during the school holidays - wait for the sheer number of people to build up, and then... But it…

New! Samsung Security Flaw - Disable Lockscreen - Total Control

· 11 comments · 550 words · Viewed ~71,688 times


I have discovered another security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing. Video. Of course, if you are unable to download a…

Samsung Lock Screen Security Flaw

· 31 comments · 650 words · Viewed ~34,389 times


Here's a rather nifty security flaw I discovered on Samsung's Android 4.1.2. It allows you - in limited circumstances - to run apps and dial numbers even when the device is locked. Video: This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed. Notes HOWTO Lock the device with a "secure"…

Android Security Cameras?

· 4 comments · 350 words · Viewed ~288 times


For the last few years, I've been using Y-Cam security cameras to guard my home. I've stuck a couple up around the house. I can monitor what's happening, get email alerts when movement is detected, and can stream the video to my phone. The latest versions also upload photos and videos directly to my server so - in the event that they detect anything interesting, I have a backed up copy. They …

Amex Don't Get Security

· 2 comments · 450 words · Viewed ~347 times


Yesterday afternoon, I received a call from an unknown number. I answered it, and a heavily accented voice said "Hello, can I speak to mister..." there was a pause while she tried to figure out the intricacies of my surname, "Ehdan?" I asked who was calling, and she said, "I am calling from American Express with important information about your card. Please can I take you through security?" …

How Strengthening Security Can Weaken Security

· 1 comment · 450 words


We all know that if you ask people to choose incredibly complex passwords which frequently change, they will write them down on a Post-It note. I've recently discovered another way in which increasing perceived security reduces actual security. On one of my Android phones, I use pattern unlock. If I want access to my phone, I have to draw a squiggly gesture in order to get in. It's like a…

Interesting Twitter Hashbang Bug

· 7 comments · 300 words · Viewed ~5,305 times


Did you know that you can link to a specific Tweet on Twitter? The URL looks like this: https://twitter.com/#!/edent/status/197967209459499008 Pretty obviously, that's the user's name and the ID of their tweet. Simple, right? Not really, click on that link and you'll see this: That's my name in the URL bar - but the Number 10 Press Office's tweet on the page. What's Going On? Have I…

The OAuth / App Anti-Pattern

· 13 comments · 400 words · Viewed ~1,740 times


OAuth was designed to combat an anti-pattern. Typing your username and password into a third party site is a bad idea. A really bad idea. I mean, you may think it's a bad idea to give your bank details to a Nigerian prince but that's just peanuts compared to giving away your password to an untrusted site! So, that's why we use OAuth. Rather than handing details to a random site, we authenticate…

Path - Privacy & Security Problems

· 2 comments · 250 words · Viewed ~298 times


I'm trying out the new Android app for Path - the new social networking service. I've discovered something rather troubling... Most of the app's communication with the Path servers is over SSL. This means that no-one can see the data you're sending and receiving. If there are snoops on your network, they will only be able to see the encrypted data flowing back and forth. In general, this is…