
Terence Eden’s Blog


Virgin Media are hijacking your router - again!

· 27 comments · 750 words · Viewed ~16,259 times


Virgin Media are trying to resell your internet access. Worse still, they appear to be doing it without users' permission. A brief recap: Back in 2015, Virgin Media announced plans for a WiFi sharing network. A user's router would broadcast a separate WiFi network and other Virgin customers could roam on to it via an app. By default, all customers were opted-in to this service. Like most of …

Password Hashing In The Browser

· 8 comments · 350 words · Viewed ~6,038 times


A padlock engraved into a circuit board.

There are rarely new ideas in cryptography - and I doubt this idea is particularly innovative - but I thought it would be worth discussing. When I want to log in to a system on the web, I have to send that system my password. It is (one hopes) encrypted in transmission, but once it arrives at the server there is a brief window where the server holds my password in plaintext. It then hashes it…

Full Disclosure - This Bluetooth tag is leaking your personal data

· 3 comments · 500 words · Viewed ~621 times


If you have a TinTag, your location is being broadcast without encryption! Earlier this year I purchased and reviewed the TinTag. I've spent the last month trying to get hold of the company to report a serious privacy problem with their Android app. I've not received an adequate response, so I'm publishing this post to let affected users know about the issue. The TinTag is a BLE tracker. …

Should you open your WiFi during a disaster?

· 1 comment · 700 words · Viewed ~349 times


Graphic from the Italian Red Cross urging people to open up their WiFi.

There has been a terrible natural disaster in Italy. A huge quake has broken a city. Rescue teams race to the scene to try to save lives and stabilise the situation. During the rescue efforts, the Italian Red Cross sends this tweet: Croce Rossa Italiana@crocerossa#Terremoto, per favorire comunicazioni e operazioni di soccorso vi invitiamo a togliere la password della rete wi-fi…

How *not* to do a password change page

· 3 comments · 200 words · Viewed ~427 times


We've all been faced with this screen, right? You haven't logged in to a website for a while, so it prompts you to change your password. sigh Annoying but probably necessary. The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd just used to log in. I use the incredible LastPass Password Manager - so I knew I wasn't typing…

PayPal doesn't care about 2FA security

· 3 comments · 400 words · Viewed ~1,476 times


Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than the bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security. I was minded recently to switch on 2-Factor-Authentication (2FA) for all my accounts. Whenever I want to log in, I give …

Disclosed - Lifx Security Issue

· 650 words · Viewed ~1,213 times


I love my Lifx Bulbs. They're a quick and easy way to retrofit Internet connected goodies into a smart-home. One of the best things about them is their open API. Sure, you can use IFTTT if you want something easy - but us 1337 hax0rs want an API and Lifx provides it. The API is pretty secure - good use of OAuth and tokens to make sure whatever you're building is resistant to infiltration. I…

Designing a Home Network for Hostile Devices

· 16 comments · 700 words · Viewed ~15,360 times


I've written before about just how many Internet connected gadgets I have. I've also blogged about my dodgy WiFi lightswitches which send data back to China. Every IoT device you put in your home brings a certain level of risk to the other devices in your network. For example, my Smart TV and my Lifx don't require a password to access. Any device on my network can control them. That's…

Minimum Viable XSS

· 400 words · Viewed ~3,282 times


Update! I now have an XSS which is only 18 characters! Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echoes back user input without sanitising it. So a search for " <em>" turns the whole page italic. ahem A hacker might think, "Hurrah! …
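The echo-without-sanitising search page described above, as an added example that is not code from the original post, with the vulnerable renderer beside a fixed one. The page template and the payload list are constructed; the 21-character `<svg/onload=alert(1)>` is a widely known short payload, and the post's own 18-character one is not reproduced here.

```javascript
// Added example (not code from the post): the search page the post
// describes, which echoes the query into the HTML unchanged, beside a fixed
// version that escapes it. The page template and payloads are constructed.

// Vulnerable: the query goes straight into the markup.
function renderSearchUnsafe(query) {
  return `<h1>Search results for: ${query}</h1>`;
}

// The five characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Fixed: the same template, but the query can no longer open a tag.
function renderSearchSafe(query) {
  return `<h1>Search results for: ${escapeHtml(query)}</h1>`;
}

// Does the rendered page contain the payload as live markup? A crude check
// (a real test would load the page in a browser), but enough to show the
// difference between the two renderers.
function payloadSurvives(render, payload) {
  return render(payload).includes(payload);
}

// Constructed payloads, shortest first.
const PAYLOADS = [
  "<em>",                      // 4 chars: only styles the page, but proves injection
  "<svg/onload=alert(1)>",     // 21 chars: runs script, no closing tag needed
  "<script>alert(1)</script>", // 25 chars: the textbook version
];

function demo() {
  for (const p of PAYLOADS) {
    console.log(
      `${String(p.length).padStart(2)} chars  ` +
        `unsafe=${payloadSurvives(renderSearchUnsafe, p)}  ` +
        `safe=${payloadSurvives(renderSearchSafe, p)}`
    );
  }
}
demo();
```

Escaping like this only covers the HTML text context the post's example uses. If the query lands inside an attribute value, a `<script>` block, a CSS rule or a URL, each of those needs its own encoding, and a Content-Security-Policy header limits what even a successful injection can do.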

BMW are sending their software updates unencrypted

· 7 comments · 950 words · Viewed ~15,764 times


The BMW i3 is an amazing electric car - let down by very shoddy software. That's a huge problem - software runs our lives and, if it is defective, it can ruin us. We used to have separate categories of device: washing machines, VCRs, phones, cars, but now we just have computers in different cases. For example, modern cars are computers we put our bodies in and Boeing 747s are flying Solaris…

A School For Scandal

· 650 words · Viewed ~1,108 times


The UK's official web infrastructure is in a shockingly poor state. I've been doing some light digging into the security of UK Schools' websites. As I've written about ad nauseam, the Government takes almost no interest in the way some of its official websites are managed. The Department for Education is particularly inept when it comes to technology which - given that our country's future…

When GOVUK is NSFW

· 550 words · Viewed ~524 times


I don't particularly like picking on the security of Government websites. I do it a lot - but I always feel guilty about besmirching the good name of the many talented people who work in the Civil Service. Today's flaw, however, is a particularly basic mistake which simply shouldn't be allowed to happen by any competent site owner. What Is An Open Redirect? A redirector is a small web service …
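The check a redirector needs so that it is not an open redirect, as an added example that is not code from the original post: the supplied target is parsed relative to the site's own origin with the WHATWG URL parser and accepted only if it stays on that origin. The origin `https://service.example` and the sample inputs are constructed.

```javascript
// Added example (not code from the post): the check a redirector needs so
// that ?next=... can only send the user somewhere on the site's own origin.
// The origin and the sample inputs are constructed.
const OUR_ORIGIN = "https://service.example"; // assumed site origin
const FALLBACK = OUR_ORIGIN + "/";

// Returns an absolute URL on ourOrigin that is safe to put in a Location
// header, or the origin's root if the supplied target points anywhere else.
function safeRedirectTarget(next, ourOrigin = OUR_ORIGIN) {
  if (typeof next !== "string" || next === "") return ourOrigin + "/";
  let url;
  try {
    // Resolve relative to our own origin with the WHATWG parser, so that
    // "//evil", "/\evil" and "\\evil" are seen for what they are: an
    // authority, not a path.
    url = new URL(next, ourOrigin);
  } catch {
    return ourOrigin + "/";
  }
  // Comparing origin (scheme + host + port) rejects other hosts, subdomain
  // lookalikes, a downgrade to http:, and javascript:/data: schemes.
  if (url.origin !== ourOrigin) return ourOrigin + "/";
  // Return the absolute href, not url.pathname: a path like "/..//evil"
  // normalises to "//evil", which a browser would treat as protocol-relative
  // if it were emitted alone in a Location header.
  return url.href;
}

// Constructed inputs an attacker or a legitimate page might supply.
const SAMPLES = [
  "/account",
  "/account?tab=1#top",
  "https://service.example/report",
  "//evil.example/phish",
  "/\\evil.example/phish",
  "\\\\evil.example/phish",
  "https://service.example.evil.example/",
  "http://service.example/downgrade",
  "javascript:alert(document.cookie)",
  "/..//evil.example",
  "",
];

function demo() {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s).padEnd(44), "->", safeRedirectTarget(s));
  }
}
demo();
```

Doing the comparison on `url.origin` rather than with a string prefix or a regular expression is the point: prefix checks are what let `https://service.example.evil.example/` and `//evil.example` through, and hand-rolled parsers rarely agree with the browser about backslashes.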