Nov 142018
 

There has been an increase in the number of e-mails and text messages that are landing in my spam folders recently. I am not sure why the upturn is happening, but some of the e-mails are getting very convincing.

It was not long ago that I would get badly spelled, poorly constructed e-mails that were easy to spot,

Subject: Yuor Natwast account has ten tnarsactions pending.

Now, not only do I not have a Natwest account, but the typo’s in the subject line made it super obvious.

Yesterday I got an e-mail.

Subject: Lloyds Bank Fraud Alert. Continue reading “Anatomy of a brilliant Phishing attack” »

 Posted by at 8:00 am
Nov 262017
 

Can of BeansIn this ever connected world, it is pretty easy for anyone to say anything or to be anybody.

In the real world, you can tell a lie and as long as the person that you told it to does not have the ability to easily debunk it, you can get away with it for a very long time.

‘Oh yeah, I met so-and-so at $vague-venue in vague-year’  is pretty much impossible to prove or disprove and in general the onus lies on the recipient to prove or disprove, or to just accept and wonder.

Obviously the liar has to remember all of these lies and this requires either a brilliant recall of the lies that have been told to who, or it required that liar to simply not care.

In the real world a liar has just the stories to bolster their ego.

Of course there are some famous cases of people telling lies and getting away with it for year, but in general it is pretty easy to catch out a liar in real life.

The on-line world though makes it way more difficult and potentially a whole lot more dangerous, but I would like to propose a system that helps to catch people out.

Continue reading “The growing need for proof….” »

Nov 082016
 

Open DoorThe news is full of the US elections today, but yesterday there was a different headline.

‘Thousands of Tesco Bank Customers lose money’

Or similar to that.

Immediately the security world started to look into the reports. Within minutes links to previous issues were being pointed out, within hours a big old game of ‘join the dots’ was mostly complete.

So, what happened ?

Well quite a few things it would appear. Mostly, from guess work and taking the odd peak at the defences that Tesco put up is looks like this.

  • The main web site – tescobank.com still supports TLS v1.0 – this is utterly stupid. TLS 1.0 is long deprecated due to the ease with with a malicious actor can perform a ‘Man in the Middle’ attack.
  • There are literally hundreds of phishing sites that appear to be aimed at tesco. A simply search using a database of domains logged 214 domains added within the last six months that contain ‘tesco’, of which 12 of them appear to refer to bank or other financial products. None of these are owned by Tesco.
  • The password requirements appear to be rather dumb – 6-10 characters, mix of letters and numbers, no special characters and upper/lower case treated the same.
  • Getting the password wrong many times does not appear to lock out the account.
  • There does not seem to be any place for multi-factor authentication (MFA)

Actually figuring out which of these vectors a malicious actor actually took is quite difficult.

Continue reading “The (Tesco) Bank Job” »

 Posted by at 2:45 pm
Aug 012016
 

Passwords are rubbish.

They are an inherently flawed method of securing your information.

Don’t believe me ?

If your password is less than seven characters long, it can be cracked in minutes using cheap off-the-shelf computing hardware.

If it is longer than seven, but still a word that appears on a word list, even if you substitute e’s with 3’s and sprinkle capital letters in there, again it is rubbish.

There are wordlists out in the real word that have  60 billion words on it, while that number might seem high, a dedicated pawed cracking machine that costs less than $5000 will check 6 billion combinations per second. Continue reading “Even with a password manager….” »