Gidley's Gossipings

A blog about not much really

Are you feeling lucky?

How lucky do you feel today? It’s an important question, as your IT security is probably mostly down to luck. If we examine most ‘hacks’ we usually see the organisation hit issuing statements about ‘sophisticated hackers’, and the public image of hackers as lone geniuses wearing hoodies in darkened rooms is reinforced. In fact most attacks are perpetrated by far less skilled people and succeed by luck. That’s not to say there aren’t some super skilled experts out there, but they are few and far between. Read more →

Computers are complex, so is protecting them

Computer systems are complex, and for quite a few years now the complexity has been at the point where it’s impossible for any one person to understand ‘everything’ about any given system. There will often be people with a good understanding of the ‘building blocks’, but it’s pretty much impossible to understand all the detail of the code, libraries and platforms it depends on. Complexity has massive implications for the security of computer systems. Read more →

Certs again

Once again a major CA (Symantec) has been ‘caught’ issuing certificates improperly. There is a great write up on Ars Technica. This is really significant as falsely issued CA certificates are one (of many) ways to MITM SSL. This underlines the extreme difficulty in securing anything in IT. There are simply too many ‘moving parts’ and people involved in securing anything. Your computer’s security depends on thousands of people and companies all doing everything correctly all of the time, and the simple law of averages suggests this is unlikely to ever happen! Read more →

N26

There is a really good talk about some vulnerabilities found in the N26 banking app presented at the CCC congress this year (video: https://media.ccc.de/v/33c3-7969-shut_up_and_take_my_money/oembed). The talk is worth a watch, but it does highlight some key points. No Certificate Pinning was being used, which made it easy for the researcher to MITM the app. That’s not to say Cert Pinning fixes all issues, but doing it makes things a lot harder for attackers. Read more →

Kaspersky

Ouch - Kaspersky have been enabling MITM attacks on their customer base. The Register, citing a Chrome bug report, explains how you can use this to trick consumers into thinking a site is valid/safe when it is not. This underlines the ease of MITM SSL/TLS - see my previous article for all the different ways this can be done! Read more →

Human Momentum

I’ve been travelling quite a bit recently for work and have been reminded (again) how ‘human factors’ can defeat any attempt to improve security. A good example of this is chip and pin/contactless. Chip and Pin is common and popular in Europe and as a result in Europe I never ‘give’ my card to members of staff for them to process it. This reduces the risk of fraud substantially as staff cannot easily clone/copy cards when they’ve never handled them. Read more →

Man in the middle is easier than you think

I’m often heard saying it’s quite easy to MITM HTTPS (also called SSL/TLS) and decided that maybe I should list all the methods I know of (there are quite a few). The attacker has many options to try and get in the middle between the user and web server/API:

Pure Technical Approaches
    Zero Day Vulnerabilities in browsers
    TLS/SSL Breaks
    Incorrectly Issued Trusted Certificate
    Acquire vendor issued ‘trusted’ certificate
Social Engineering Approaches
    Convince user to install MITM certificate
    Convince user to install software
    Malicious Browser Extensions
Conclusion

Pure Technical Approaches

The pure technical approaches rely on attacks that don’t require users to make any mistakes, and anyone can be vulnerable. Read more →

mitm key

To continue my MITM attacks theme - someone has just released a nice USB key that ransacks your PC - Ars Technica has a good write up. This kind of thing is very dangerous as it’s really easy to get people to put USB keys into computers! I’m currently writing a longer article on the (many) ways to MITM TLS to help explain how easy it is! Read more →

malware and https

I’m often heard worrying about the state of HTTPS and the ease of getting users to do things that make it basically not function - but I’ll admit evidence of real world attacks is thin on the ground. There is a systematic reason for the lack of information - if a hacker uses a Man-In-The-Middle (MITM) technique to hack HTTPS there is very little evidence left, and all that will happen is the stolen data will turn up in a list at some point in the future. Read more →

Booth eye tracking

Recently I was at a Trade Show (Money 2020 in Las Vegas) and was wondering how effective the booth designs were at getting people’s attention. There seem to be a number of approaches people try:

    Big Pictures to grab attention
    Videos on loop explaining stuff
    ‘Gimmicks’ on the stand
    Live Talks
    Text explaining products
    Slogans explaining mission

What’s not clear to me is which of these actually work. Anecdotally you can watch people go by and see what they look at, and then observe who engages. Read more →