
Shamir's Secret Sharing (henceforth "SSS") is clever. Far too clever for most people to understand - but let's give it a go. Suppose you have a super-secure password for a Really Important Thing. Th15IsMyP4s5w0rd!123 You can remember this - because you're awesome. But it might be a good idea to share the password with someone else, just in case. Of course, if you share it with one person, they'll be able to use it. No good! So you split the password into several overlapping pieces and give…
You remember that bit in Star Wars where the Rebels find the flaw in the Death Star plans and then completely fail to exploit it? Yeah, that's why they don't make movies about inept hackers like me… Anyway, the website https://play.starwars.com/html5/starwars_crawlcreator/ allows users to create their own "Star Wars" style crawl. It's a fun little site - but it has a few flaws. Whenever you let people enter content which is displayed back on the screen, there's a possibility that they'll be a…
This would be a best seller if it had been entitled "Everything I learned about national security talks, I learned from Cicero". Preferably dumbed-down to accompany a Netflix series about sexy Romans. Instead, it is a scholarly work which takes the reader through the art of rhetoric and how it is used and abused by modern speech-makers. It specifically looks at things through a National Security (including Cyber Security) lens. And it expertly steps through how to write in order to convince. …
Imagine… Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes. In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle. This presents something of a problem. In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can r…
Not really a security issue, but one which I thought was worth highlighting. It shows the peril of slightly vague specifications. When you scan a 2FA token into your authenticator app via QR code, you get presented with a bunch of information about your account. This lets you store things like the issuer and the account name. I recently scanned a code, and it displayed my name as Terence+Eden. Which was a bit weird. Try it yourself: Checking the raw output of the code, shows the…
Yes yes, Cunningham's law etc etc! I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really. IANA has a provisional registration - but no spec. It links to an archived Google Wiki which, as we'll come on to, isn't sufficient. There's some documentation from Yubico which is mostly a copy of the Google wiki with some incompatible tweaks. The Internet Initiative Japan has a subtly different spec which includes an icon parameter…
I've been using Bitwarden for years. It generates a unique password for every website I visit. There's only been one small problem - I want a unique username for each website. Let me explain. Sometimes websites sell or leak your email address to spammers. If you're using yourname@example.com for every site, you'll never know who leaked your details. Bitwarden can fix that! Bitwarden (@Bitwarden): "Why use a #username generator? Let's talk about it." …
I found this on a security-related Slack (shared with permission). It launched an entertaining discussion about the risks of taking a potentially fake FIDO token. We all know the risks of taking a free USB drive and shoving it in our computer, right? USB sticks can install software, act as a keylogger, transmit data over WiFi, and even physically damage the electronics! So a USB Yubikey could do all those things - but could it do anything malicious as an MFA token? And - at the risk of …
I found this book while following a citation trail for my MSc. Published before the 21st Century (fuck, I'm old) it's a run-down of this new-fangled thing called Information Warfare. It covers electronic attacks, espionage, computer security and more. In the last 20 years, depressingly little has changed. If you removed the mentions of ActiveX and floppy disks, it'd still be 90% relevant. It sets out in clear detail why information warfare is the new frontier - and some practical takes on how…
The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn. I use a USB thumb-drive sized hardware token and they're nifty - but a little impractical. Since the great working from home experiment, I don't have my keys on me at…
I'm doing an apprenticeship MSc in Digital Technology. In the spirit of openness, I'm blogging my research and my assignments. This is my paper from the OPP module - where I can choose any subject. I picked Cybersecurity. You can read my Digital Leadership paper, my Data Analytics Paper, and my Business and Technology essay. I've previously written about the Art of Hacking course. The middle two parts of this paper are about that - why I chose it and how I put it into practice. The first and …
Can you protect your home for £99? That's what this new X-Sense kit I've been sent claims to do. It's a LoRaWAN box with a claimed 2 km range for its variety of low-power sensors. The kit comes with two infrared motion sensors, and four door / window sensors. Here's what it looks like: What's in the box? The base station is an anonymous white box, with a small speaker grille at the back and a USB-C charging port. It connects to your network via WiFi - I would have preferred Ethernet for …