Nov 08 2016

Open Door

The news is full of the US elections today, but yesterday there was a different headline.

‘Thousands of Tesco Bank Customers lose money’

Or similar to that.

Immediately the security world started to look into the reports. Within minutes links to previous issues were being pointed out, within hours a big old game of ‘join the dots’ was mostly complete.

So, what happened ?

Well, quite a few things, it would appear. Mostly from guesswork and taking the odd peek at the defences that Tesco put up, it looks like this.

  • The main web site still supports TLS 1.0. This is utterly stupid. TLS 1.0 is long deprecated because of known weaknesses (BEAST against its CBC cipher suites, and no modern AEAD cipher suites at all), and as long as a server still offers it, an attacker in the middle of the connection can attempt to push a client down to it. It is an easy thing to check: if openssl s_client -connect host:443 -tls1 completes a handshake, the server still accepts it.
  • There are literally hundreds of phishing sites that appear to be aimed at Tesco. A simple search of a database of domain registrations logged 214 domains added within the last six months that contain ‘tesco’, 12 of which appear to refer to bank or other financial products. None of them are owned by Tesco.
  • The password requirements appear to be rather dumb: 6-10 characters, a mix of letters and numbers, no special characters, and upper and lower case treated the same. That is a 36-character alphabet with a ten-character cap, so the entire space of allowed passwords is only about 3.8 x 10^15 values.
  • Getting the password wrong many times does not appear to lock out the account, so nothing stops an attacker from guessing at volume, or from trying the same handful of common passwords against a long list of accounts.
  • There does not seem to be any option for multi-factor authentication (MFA).

Figuring out which of these vectors a malicious actor actually took is quite difficult.
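The domain search in the list above, done against a small constructed registry extract, as an added example that is not the author's own tooling: it keeps third-party domains registered inside a window that contain the brand string, and flags the ones carrying a financial keyword. The sample domains, the registration dates, the keyword list and the set of brand-owned domains are all assumptions made for the example; a real run would feed in a zone-file or newly-registered-domain feed instead.

```python
from datetime import date, timedelta

# Constructed sample of recently registered domains, as (name, registration
# date). These entries are made up for the example, not real registrations.
SAMPLE_DOMAINS = [
    ("tesco-bank-secure-login.com", date(2016, 10, 30)),
    ("tescobankonline.net", date(2016, 9, 12)),
    ("tesco-clubcard-points.info", date(2016, 8, 1)),
    ("tescoloans-apply.co.uk", date(2016, 10, 3)),
    ("mytesco-account.com", date(2016, 7, 19)),
    ("tesco-recipes-blog.com", date(2016, 9, 5)),
    ("notesconcert.com", date(2016, 10, 1)),     # contains "tesco" by accident
    ("tescoweddings.com", date(2016, 2, 2)),     # older than the search window
    ("tesco.com", date(1995, 1, 1)),             # assumed brand-owned
    ("tescobank.com", date(2008, 1, 1)),         # assumed brand-owned
    ("unrelated-shop.com", date(2016, 10, 20)),
]

BRAND = "tesco"
# Words that suggest a financial lure rather than a generic brand squat (assumed list).
FINANCE_TERMS = ("bank", "loan", "credit", "card", "finance", "pay",
                 "account", "secure", "login")
# Domains assumed to belong to the brand; everything else is treated as third party.
KNOWN_OWNED = {"tesco.com", "tescobank.com"}
# The day the search is run, the day after the headline.
SEARCH_DATE = date(2016, 11, 7)


def triage(domains, today, window_days=180, brand=BRAND, owned=KNOWN_OWNED):
    """Return third-party domains registered in the window that contain the brand.

    Each hit is a dict with the domain, its registration date and whether a
    financial keyword is present. Matching is a plain substring search, so a
    name like notesconcert.com is reported too; that is the same noise a raw
    registry search produces and is left for an analyst to discard.
    """
    cutoff = today - timedelta(days=window_days)
    hits = []
    for name, registered in domains:
        name = name.lower()
        if registered < cutoff or name in owned or brand not in name:
            continue
        hits.append({
            "domain": name,
            "registered": registered,
            "financial": any(term in name for term in FINANCE_TERMS),
        })
    # Newest registrations first: those are the ones most likely still live.
    return sorted(hits, key=lambda h: h["registered"], reverse=True)


def summarise(hits):
    """(total brand hits, how many of them carry a financial keyword)."""
    return len(hits), sum(1 for h in hits if h["financial"])


if __name__ == "__main__":
    found = triage(SAMPLE_DOMAINS, today=SEARCH_DATE)
    total, financial = summarise(found)
    print(f"{total} third-party domains contain '{BRAND}', {financial} look financial")
    for h in found:
        flag = "FINANCIAL" if h["financial"] else "-"
        print(f"  {h['registered']}  {flag:9}  {h['domain']}")
```

On the constructed sample this reports 7 brand hits, 5 of them financial; the brand-owned domains and the one registered before the window are dropped. The financial flag is only a triage aid: a domain like tesco-clubcard-points.info trips the "card" keyword without being a banking lure, and that is the kind of thing the analyst reviewing the output sorts out.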

Nov 01 2016

I am not going to get an iPhone 7.

This is weird for me, because almost every year since the very first iPhone came out, I have caved in and bought one within a few weeks/days/hours of its release. Worse still my entire personal computing infrastructure is built around Apple products. I have a MacBook Air, an iPad, iPhone and even an Apple watch.

Aug 10 2016

A Squid

In motorcycling terms, a squid is the name given to a bad rider who wears minimal protective clothing and rides a bike way beyond their abilities.

The term ‘squid’ refers to the way that they look after they have been scraped up off the road.

Sadly, motorcycle licensing in the US is very bad. A license is obtained simply by completing a safety course which contains no street riding and no speeds beyond about 25mph.

Other than a small insurance discount for having passed a test, there is pretty much no incentive. You can simply walk into a dealer and buy the fastest bike on the planet and ride out. Obviously a riding buddy can teach you all you need to know in a few minutes because riding a motorcycle is dirt easy. Right ???

Sometimes a wannabe rider will ask experienced bikers for their opinion on a good starter bike. Almost without fail the conversation goes like this.

Q. Hey guys I’m looking to start riding, I’m thinking about getting a Kawaduci 1000RRR as a first bike, is there anything (sic)  I need to know ?

Editor's note: The more R's in a bike model name, the more it is aimed at racing use rather than street use. Additionally, 1000cc bikes make 150-200hp and are absolute spaceships; our wannabe rider here is aiming way too high.

Aug 01 2016

Passwords are rubbish.

They are an inherently flawed method of securing your information.

Don’t believe me ?

If your password is less than seven characters long, it can be brute-forced in minutes using cheap off-the-shelf computing hardware: the whole space of short passwords is small enough to try every single one.

If it is longer than seven but still a word that appears on a word list, even if you substitute e's with 3's and sprinkle capital letters in there, again it is rubbish. Cracking tools ship with rule sets that apply exactly those substitutions to every word on the list, so the dressed-up word is tried almost as early as the plain one.
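The two claims above, and the 6-10 character letters-and-digits policy noted in the Tesco Bank post earlier on this page, worked through as an added example (not the author's code). The guess rate is an assumed placeholder of about 10^10 guesses per second, roughly what a single commodity GPU manages against a fast unsalted hash, and the word list is a constructed handful of entries standing in for a real one; the substitution table mirrors the common leet rules rather than any particular cracker's rule file.

```python
import string

# Assumed guess rate: a placeholder of order 10^10 guesses/s for one commodity
# GPU against a fast unsalted hash. Substitute your own measured figure.
GUESSES_PER_SECOND = 10_000_000_000

ALNUM_CASE_FOLDED = 36   # a-z plus 0-9 with case ignored (the Tesco-style policy)
PRINTABLE_ASCII = 95     # the full printable ASCII set


def keyspace(min_len, max_len, alphabet_size):
    """Number of distinct passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password in the space at the given rate."""
    return space / rate


# Undo the usual substitutions (3 for e, 0 for o, ...) the way a cracker's
# rule set does: appended digits and punctuation are dropped first, then the
# remaining characters are mapped back and case-folded.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Reduce a dressed-up password to the dictionary word it was built from."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    core = core.lstrip(string.punctuation).translate(LEET)
    return "".join(ch for ch in core if ch.isalpha())


# Constructed mini word list; a real one has tens of millions of entries.
WORDLIST = {"password", "welcome", "sunshine", "football", "dragon", "letmein"}


def is_wordlist_derived(password, wordlist=WORDLIST):
    """True if the password is a word-list entry with substitutions applied."""
    return normalise(password) in wordlist


if __name__ == "__main__":
    policies = (
        ("6-10 chars, letters+digits, case ignored", 6, 10, ALNUM_CASE_FOLDED),
        ("up to 6 chars, any printable ASCII", 1, 6, PRINTABLE_ASCII),
        ("exactly 12 chars, any printable ASCII", 12, 12, PRINTABLE_ASCII),
    )
    for label, lo, hi, alpha in policies:
        space = keyspace(lo, hi, alpha)
        days = seconds_to_exhaust(space) / 86400
        print(f"{label}: {space:.2e} passwords, {days:.1f} days to exhaust")
    for pw in ("P4ssw0rd1!", "Dr4g0n2016", "L3tm3in!!", "Tr0ub4dor&3", "xK9#pQ2v"):
        print(f"{pw:12} -> {normalise(pw):10} wordlist-derived: {is_wordlist_derived(pw)}")
```

At the assumed rate, every password of six printable characters or fewer is gone in a little over a minute, the entire 6-10 character case-folded policy is exhausted in a few days, and a single 12-character printable-ASCII password has a space more than a hundred million times larger than that whole policy. The normaliser shows why the substitutions do not help: P4ssw0rd1!, Dr4g0n2016 and L3tm3in!! collapse straight back onto their word-list entries, while a random string like xK9#pQ2v does not reduce to any word and has to be brute-forced.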

May 25 2016

As regular readers will know, on August 1st 2014, an errant driver in a Toyota Aygo hit me while I was riding my bicycle.

The crash was pretty brutal: I broke my collarbone.

The break was a bad one, three surgeries later I am still not fixed.

Today I was seen by the medical assessor who will create the report for the insurance company that will be looking to settle my compensation claim.

Mar 24 2016

I used to think that the next American civil war would be caused by an uprising of the great unwashed. The red-necks, the cowboys, the NRA nut jobs and their ilk.

I believed that one day they would all jump in their good old boy F150 pick-ups, loaded up with more ammunition than the average third world militia owned and head to Washington to teach the ‘guvmint’ a lesson.

I imagined that it would be a fairly short, but incredibly bloody confrontation, resulting in perhaps thousands of casualties, perhaps a lot more if the red-necks managed to make a few bombs.

I suspect that the red-necks would become domestic terrorists, protesting government over-reach, protesting laws that protect those that they hate – basically everyone that is not a white heterosexual male – and that the civil war would probably all be over fairly fast.

That was before Trump.

Feb 24 2016

Leader of the Pack.

The working title for my game is ‘Lane Splitaz’.

The game itself is fairly simplistic, you are the rider of a moped and you have to split the lanes of traffic under a variety of conditions against the clock….

Level 1 – The easy intro.

Bike – 50cc scooter, no mirrors.
Traffic – Entirely stationary cars
Gaps – about 2M wide

Feb 20 2016

Heathcliff

My office is about 37 miles from home.

If I take the train, it takes about an hour and a half, assuming everything works out beautifully. Which is pretty much never the case, because this is the train network and this is England. The station is about ten minutes' walk away, the train to Stratford takes about 52 minutes, then it takes about five minutes to walk to the DLR, then about fifteen to twenty minutes to reach Canary Wharf.

The problem is, there are several places that a delay is introduced, the trains are often a few minutes late here and there, or they stop outside Shenfield for a while for reasons that appear to be entirely random.

An hour and half is really a very good trip.

Coming home it is even worse, the trains run every ten minutes or so, in theory. But during January, I was delayed more often than not and I failed to get a seat for about 30% of the trips back, at least for the first 40 minutes or so.

Jan 28 2016

This is an email that I received from fitness for less a couple of days ago. My immediate response was that this was a very poor phishing attempt that probably used a PDF vulnerability.

Curiosity got the better of me though, because I remember getting an email from the gym last year about an extra payment that was for ‘gym improvements’.

I cloned and then fired up a virtual machine that was pretty much disposable and forwarded the email to it.

The pdf was a legitimate one. They were informing me that they are taking a couple of extra ££’s this month.

There are a lot of things wrong here.

The email checked pretty much every known box when looking for suspicious emails.

Fitness for less know my name, yet nothing was personalised.

The email contained nothing at all of value, if you wanted to find out the details you have to open the PDF.

The phraseology feels awkward.

So I replied to the email . I explained that I was not going to open the pdf. I told them that it looked like spam and a very amateurish phishing attempt.

Sadly they just sent me a wall of copy-pasted text explaining that they had invested £100k in the website and that the payment they are taking would go towards that.

It’s a shame that they did not spend a few ££s on a decent CRM system that was capable of spitting out personalised emails.

I wonder how many people disregarded the email and are now wondering why their bank account is a little short ??

