Advertising Screens Hacked To Mine BitCoin

by @edent | # # # # | 1 comment | Read ~16,755 times.
The display shows a windows desktop with a variety of icons. There is a window open

Spotted in London, yesterday. A large, Microsoft Windows-powered advertising hoarding has been hijacked. It's not uncommon to see broken-down Windows displays - I run https://windowsisbroken.tumblr.com/ - which is dedicated to pointing and laughing at such mistakes. But this is the first time I've seen a display repurposed for profit! It appears to be running NiceHash […]

Continue reading

MailChimp leaks your email address

by @edent | # # # # | 6 comments | Read ~4,161 times.
Change email address page with obscured email address

An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04. When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.) This says "Hello new site, I was referred here […]

Continue reading

There's no HTTPS for the Internet of Things

by @edent | # # # # | 8 comments | Read ~498 times.
An error message in the browser warning of an unsafe SSL connection

Me being grumpy and stupid again. I have an IP Camera on my LAN, I want to connect to it via HTTPS. I can't. Why is that? Why do this? I have a username and password to access my IP camera. And my TV. And my lightbulbs. And all my networked gadgets. If I try […]

Continue reading

Co-Op Bank - Making Banking Inaccessible

by @edent | # # # # # # | 2 comments | Read ~367 times.
Screenshot of the scope website showing a donation of £25

I've blogged before about how backward the Co-op bank is - sadly, they've not improved in the last few years. I needed to close down my business bank account. I hopped on to online banking, provided all my details, went through 2FA with a physical token, remembered my mother's maiden name and began searching the […]

Continue reading

Telnet and Root on the Sercomm iCamera2

by @edent | # # # # # | 2 comments | Read ~1,548 times.
A web browser displaying the message "Open Telnet Daemon successfully!"

tldr; URL http://[IP]/adm/file.cgi?todo=inject_telnetd Telnet username root Telnet password Aq0+0009 History Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracked 200 comments - as people try to unlock their cameras, and find out what flaws they have. Despite my best efforts […]

Continue reading

Don't Cover Your Webcam's LED

by @edent | # # | 3 comments | Read ~347 times.

Just a quick note on a mistake I see people making. Webcam covers are a cheap and easy way to prevent your laptop's camera from spying on you. But too many of the covers obscure the LED which indicates that the camera is on. If you cover your activation LED then you won't be able […]

Continue reading

A grumpy look at using a Yubico Neo NFC on Ubuntu & Android

by @edent | # # # # | 8 comments | Read ~2,419 times.
YubiKey Neo - a thumb sized USB device - on cardboard backing

Twenty One. I have 21 accounts which use Two-Factor Authentication. I use the Authy app to manage them all, but it is still a pain to scroll through and find the exact 2FA token I need. Encouraged by my friend Tom Morris's blog post, I picked up a YubiKey NEO for £50. It implements the […]

Continue reading

2FA using a postcard!

by @edent | # # # | 3 comments | Read ~6,031 times.

Upon joining the hyper-local social network "Nextdoor" - users are asked to verify their postal address. One option they offer is to have them send you a card in the post. So, I signed up, entered my address, and waited. A few days later, this popped through my letterbox. A few random thoughts... ✅ This […]

Continue reading

Training Customers To Be Stupid

by @edent | # # # # | 2 comments | Read ~1,330 times.

Companies face a complicated choice. Make things easy for the customers, or make things secure for them. Convenience seems to take priority most of the time. This forces companies to get their customers to risk their own security. In this example, we see Verizon Wireless asking their customers to type their passwords into Twitter for […]

Continue reading

Anatomy of an Amazon Phishing Attack

by @edent | # # # # | 3 comments | Read ~221 times.

Phishing is the devious practice of tricking users into giving away their usernames and passwords to fraudulent sites. It is big business, and the best defence against it is constant vigilance. I'm going to walk you, step-by-step, through a scam that targetted me today. Along the way we'll see how to avoid falling prey to […]

Continue reading