Welcome to my blog

This is my blog on (mostly) cybersecurity, IoT and related subjects. It contains some historic stuff from LinkedIn and other places, as well as new thoughts that I’ll collect here. I’ll also occasionally talk about research work, including publications or other academic engagements.

For more information about me, visit my personal website.

Enabling SecureBoot on ARM EC2 instances in AWS

Easy enough to do, even if it's not the default

SecureBoot is a way to ensure the integrity of a system by configuring it to only boot if the images (programs) being loaded are signed by an authorized source. This is true of physical machines, but also of virtual machines, and by extension, cloud instances. However, I recently discovered that in AWS, an AMI of the popular Ubuntu operating system, when running on arm64 instance types such as t4g.nano, didn’t have SecureBoot enabled. [Read More]

GPG: My go-to example for teaching cryptography all-in-one 📧🔐

The glue in my lessons on encryption

As I write this piece, I’m preparing for the graduation of some of the first Bachelor of Cybersecurity students from James Cook University Singapore, which means it’s approaching two years since I joined and started teaching Cybersecurity. So now seems like a good time to reflect on some recurring tools and techniques that I’ve found useful so far. This post will focus on one: GNU Privacy Guard (GPG). Unsurprisingly, cryptography comes up a lot in a course about cybersecurity, so no matter what subjects I’m teaching, there’s often a reason to introduce, or reiterate, some essential concepts. [Read More]

Password managers are still a good thing. Here's why...

When the compromised service can offer faster fixes

Imagine, if you will, that dreaded day when you read in the news that the password manager you use has suffered a cyberattack and user data may have been obtained. Imagine feeling some sense of reassurance that the breach isn’t as bad as first thought, only to learn some time later that actually, it was worse than it was initially made out to be. Or, don’t imagine at all, because it happened. [Read More]

Research in brief: Stealing fingerprints with smart locks 🔓

It can't be that easy, can it?

In August, I attended the IEEE iThings 2022 conference to present a paper titled “IoT Droplocks: Wireless Fingerprint Theft Using Hacked Smart Padlocks”. If you have access to the IEEE Xplore library you can view the published version. I’ve made an arXiv preprint available as well. If you want a shorter, simpler version, read on below. [Read More]

The real reason why you shouldn't share OTP codes

It might not be what you think

One-Time Passwords, or OTPs are a widely used authentication factor in many online services, big and small. When I’m not ranting about them, I actually think they’re pretty good. So, today is not another attack on OTP or multi-factor authentication, but instead, an effort to educate people about how they work and what we need to do to ensure we stay safe. There are some misconceptions out there, so let’s try to correct them. [Read More]

Do we want software supply chain security or not? ⛓👩🏽‍💻🔥

Our actions do not match our words

The world is built on other people’s code, and that’s a good thing. But sometimes, other people’s code goes wrong, leading to problems and solutions that we’re not entirely in control of. When things go wrong, our trust in the software supply chain goes down, yet we still depend on it. The community is abuzz with discussions about securing the software supply chain. It’s time for me to give my take on it, and I’m putting one-liner install scripts in my crosshair 🎯. [Read More]

In detail: SCRAM with channel binding

Visualising the process, discussing its shortcomings

In January, I asked whether TLS channel binding with strong authentication was the solution to defend against MITM or proxy style phishing attacks. The answer was “yes, but also no”. I will look beyond SCRAM soon, but first I want to fulfil a promise to go into more detail about how SCRAM works, especially with channel binding. [Read More]

Nine things I hate about Multi-Factor Authentication

My love-hate relationship with 2FA/MFA

Multi-factor authentication (MFA) is a critical part of our defence of information systems, but it is far from perfect. I’ve made a list of things I dislike about it, not because I think that MFA needs to go away, but because if we can solve some of these gripes, MFA becomes even more powerful. What is MFA? When I talk about MFA, I mean the authentication methods that tend to be used in addition to your username/password. [Read More]

Channel Binding: Should you be using it?

Stopping phishing in its tracks... maybe

Authentication and in particular passwords are the bugbear of many cybersecurity professionals. For all the encryption, firewalls, IDS and other defences we put in place, if authentication doesn’t do its job properly, or a user’s credentials get stolen, a compromise is very likely. In the future, we might embrace password-less authentication, relying instead on biometrics, tokens and smart devices in various combinations. Indeed, some platforms do this already, but not all. [Read More]