A decade ago, I appeared on the 361 Podcast to give my advice about mobile security. This was the era of the iPhone 5 and Android KitKat. BlackBerry was trying to have (yet another) resurgence and Nokia was desperately trying to keep Windows Phone alive. What advice did I give then, and is it still relevant? Stay Sceptical In at number five is just stay sceptical. I mean, quite often, lots of mobile viruses and mobile scams spread by text message, by email, by Twitter. And these are all…
Continue reading →
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh. "I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call." Your phone buzzes.…
Continue reading →
This has to be the most infuriating bug report I've ever submitted. I went to type in my 2FA code on a website - but no numbers appeared on screen. Obviously, I was an idiot and had forgotten to press the NumLock button. D'oh! I toggled it on and typed again. No numbers appeared. I switched to another tab, my numbers appeared when I typed them. So I was reasonably confident that my keyboard was working. I swapped back to the 2FA entry and tried again. Still nothing. Then I tried typing the…
Continue reading →
One of my most memorable experiences in the Civil Service was discussing link shortening services with a very friendly person from the Foreign and Commonwealth Office. I was trying to explain why link shortners like bit.ly and ow.ly weren't sensible for Government use. They didn't seem to particularly care about the privacy implications or the risk of phishing. I needed to take a different tack. "So, you know how .uk is the UK and .de is Germany, right?" "Yes." "What country do you think .ly …
Continue reading →
It's never great to find out you're wrong, but that's how learning and personal growth happens. HTTP Message Signatures are hard. There are lots of complex parts and getting any aspect wrong means certain death. In a previous post, I wrote A simple(ish) guide to verifying HTTP Message Signatures in PHP. It turns out that it was too simple. And far too trusting. An HTTP Message Signature is a header which is separate to the message it signs. You might receive a JSON message like this: { …
Continue reading →
It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number. I put in a random number, and it refused to let me in. Putting in a genuine O2 number let me through. So what is it doing to validate numbers? It is making an API call to this URl: https://www.o2.co.uk/o/customer/mods/lookup/447700900123 After a bit of testing, this is how I think it works. If you …
Continue reading →
Mastodon makes heavy use of HTTP Message Signatures. They're a newish almost-standard which allows a server to verify that a request made to it came from the person who sent it. This is a quick example to show how to verify these signatures using PHP. I don't claim that it covers every use-case, and it is no-doubt missing some weird edge cases. But it successfully verifies messages sent by multiple Fediverse servers. Let's step through it with an example of a message sent from Mastodon to my…
Continue reading →
Sometimes a client asks me a question and I'm a little stunned by their mental model of the world. A few weeks ago, we were discussing the need for better cybersecurity in their architecture. We spoke about several aspects of security, then they asked an outstanding question. "What should I buy to be secure?" It took a few moments to tease out exactly what they thought they were asking. In their mental model they could just buy a box which did what they needed. Want to print from any…
Continue reading →
You type in to your browser's address bar example.com and it automatically redirects you to the https:// version. How does your browser know that it needed to request the more secure version of a website? The answer is... A big list. The HTTP Strict Transport Security (HSTS) list is a list of domain names which have told Google that they always want their website served over https. If the user tries to manually request the insecure version, the browser won't let them. This means that a…
Continue reading →
I've responsibly disclosed a small security issue with Mastodon (GHSA-8982-p7pm-7mqw). It allows a sufficiently determined attacker to use any Mastodon instance to redirect unwary users to a malicious site. What do you think happens if you visit: https://mastodon.social/@PasswordReset/111285045683598517/admin? If you aren't logged in to that instance, it will redirect you to a 3rd party site. Try opening it in a private browser window. Here's another, less convincing, demo: …
Continue reading →
Last night I received a call from my bank. They'd detected an unusual transaction and wanted to make sure that it was legitimate. Had I recently purchased £10,000 worth of crypto in the Maldives? What?!!? No! ARGH! I started to panic. All my apes money gone! No. Wait. The other thing. I knew it was a scam from the moment "James from your bank's fraud team" started his patter. You see, I have multiple phone numbers. And "James" called me on a number which isn't tied to my bank. So I strung …
Continue reading →
My CDN just asked me for all my Twitter API keys... WTF? This would give them complete access to my app's Twitter account, the ability to send and receive messages, and anything else that my API key allows. Giving them - or anyone - the entire set of credentials would be a very bad idea. What's going on? Twitter's slow-motion collapse and hostility to developers is causing a whole bunch of second-order effects. Lots of services let people log in to them using Twitter. It is (was?!) a…
Continue reading →
