I’m often heard saying it’s quite easy to MITM HTTPS (also called SSL/TLS) and decided that maybe I should list all the methods I know of (there are quite a few).
The attacker has many options to try and get in the middle between the user and web server/API
The pure technical approaches rely on attacks that don’t require users to make any mistakes and anyone can be vulnerable.
Continue readingTo continue my MITM attacks theme - someone has just release a nice USB key that ransacks your PC - Ars Technica has a good write up.
This kind of thing is very dangerous as it’s really easy to get people to put USB keys into computers! I’m currently writing a longer article on the (many) ways to MITM TLS to help explain how easy it is!
I’m often heard worrying about the state of HTTPS and the ease to get users to do things that make it basically not function - but I’ll admit evidence of real world attacks is thin on the ground. There is a systematic reason for the lack of information - if a hacker uses a Man-In-The-Middle (MITM) technique to hack HTTPS there is very little evidence left and all thart will happen is the stolen data will turn up in a list at some point in the future. It’s nearly impossible to correlete the HTTPS hack and the stolen data - as it could have been stolen in dozens of places.
Continue readingThe Register are reporting a browser extension for web of trust has been caught stealing and harvesting browser history.
This underlines the risk browser plugins carry - they often can ‘see’ everything you’re browsing on the web and can send that data back to their developers. Most plugins are harmless and do what they say - but there is very little stopping ‘bad actors’ adding malicious code.
Another potential risk is a 3rd party ‘buying’ an existing plugin, imagine how many developers would happily sell their plugin for a few thousand dollars, they can then ‘update’ the plugin with malicious code and most users would never note.
Continue readingIt’s become fashionable to give security defects ‘cool’ names like Heartbleed, the latest is Linux’s ‘Dirty Cow’. This is quite a major bug as it allows any user/app on a linux device to get ‘root’. Linux has now got a patch, but interestingly Google have delayed the patch for Android by a month.
It’s worth thinking a bit about what that ‘could’ mean…
So all those apps you use on your phone are now vulnerable - even the best software security can only hinder an attacker with ‘root’ permissions on Android. That means if any developer, of any app on your phone, decides they want to do things like capture your online banking passwords, pretend to be in you in any app or engage in any mischief they want.
Continue readingRecently I was at a Trade Show (Money 2020 in Las Vegas) and was wondering how effective the booth designs were at getting people’s attention. There seem to be a number of apporaches people try
What’s not clear to me is which of these actually work. Annecdotially you can watch people go buy and see what they look at, and then observe who engages. But it struck me that it should be possible to do this more scientifically.
Continue readingWhy in 2016 are people still shipping software and devices with default passwords? The recent IOT/Botnet that broke large chunks of the internet was entirely avoidable if the devices had been shipped without default passwords.
This is perfectly within the capability of a device manufactuer - even British Telecom (who have many many issues) have been shipping their devices with randomized passwords printed on a sticker on the device for years. It’s not hard to do that! With software it’s even easier you just force the user to pick a password and don’t ship them with admin/password or whatever you’ve decided is good enough.
Continue reading