Welcome to my blog

This is my blog on (mostly) cybersecurity, IoT and related subjects. It contains some historic stuff from LinkedIn and other places, as well as new thoughts that I’ll collect here. I’ll also occasionally talk about research work, including publications or other academic engagements.

For more information about me, visit my personal website.

GPG: My go-to example for teaching cryptography all-in-one πŸ“§πŸ”

The glue in my lessons on encryption

As I write this piece, I’m preparing for the graduation of some of the first Bachelor of Cybersecurity students from James Cook University Singapore, which means it’s approaching two years since I joined and started teaching Cybersecurity. So now seems like a good time to reflect on some recurring tools and techniques that I’ve found useful so far. This post will focus on one: GNU Privacy Guard (GPG). Unsurprisingly, cryptography comes up a lot in a course about cybersecurity, so no matter what subjects I’m teaching, there’s often a reason to introduce, or reiterate, some essential concepts. [Read More]

Password managers are still a good thing. Here's why...

When the compromised service can offer faster fixes

Imagine, if you will, that dreaded day when you read in the news that the password manager you use has suffered a cyberattack and user data may have been obtained. Imagine feeling some sense of reassurance that the breach isn’t as bad as first thought, only to learn some time later that actually, it was worse than it was initially made out to be. Or, don’t imagine at all, because it happened. [Read More]

Research in brief: Stealing fingerprints with smart locks πŸ”“

It can't be that easy, can it?

In August, I attended the IEEE iThings 2022 conference to present a paper titled “IoT Droplocks: Wireless Fingerprint Theft Using Hacked Smart Padlocks”. If you have access to the IEEE Xplore library you can view the published version. I’ve made an arXiv preprint available as well. If you want a shorter, simpler version, read on below.

[Read More]

The real reason why you shouldn't share OTP codes

It might not be what you think

One-Time Passwords, or OTPs are a widely used authentication factor in many online services, big and small. When I’m not ranting about them, I actually think they’re pretty good. So, today is not another attack on OTP or multi-factor authentication, but instead, an effort to educate people about how they work and what we need to do to ensure we stay safe. There are some misconceptions out there, so let’s try to correct them. [Read More]

Do we want software supply chain security or not? β›“πŸ‘©πŸ½β€πŸ’»πŸ”₯

Our actions do not match our words

The world is built on other people’s code, and that’s a good thing. But sometimes, other people’s code goes wrong, leading to problems and solutions that we’re not entirely in control of. When things go wrong, our trust in the software supply chain goes down, yet we still depend on it. The community is abuzz with discussions about securing the software supply chain. It’s time for me to give my take on it, and I’m putting one-liner install scripts in my crosshair 🎯. [Read More]

In detail: SCRAM with channel binding

Visualising the process, discussing its shortcomings

In January, I asked whether TLS channel binding with strong authentication was the solution to defend against MITM or proxy style phishing attacks. The answer was “yes, but also no”. I will look beyond SCRAM soon, but first I want to fulfil a promise to go into more detail about how SCRAM works, especially with channel binding.

[Read More]

Nine things I hate about Multi-Factor Authentication

My love-hate relationship with 2FA/MFA

Multi-factor authentication (MFA) is a critical part of our defence of information systems, but it is far from perfect. I’ve made a list of list of things I dislike about it, not because I think that MFA needs to go away, but because if we can solve some of these gripes, MFA becomes even more powerful. What is MFA? When I talk about MFA, I mean the authentication methods that tend to be used in addition to your username/password. [Read More]

Channel Binding: Should you be using it?

Stopping phishing in its tracks... maybe

Authentication and in particular passwords are the bugbear of many cybersecurity professionals. For all the encryption, firewalls, IDS and other defences we put in place, if authentication doesn’t do its job properly, or a user’s credentials get stolen, a compromise is very likely. In the future, we might embrace password-less authentication, relying instead on biometrics, tokens and smart devices in various combinations. Indeed, some platforms do this already, but not all. [Read More]

VPNs Considered Harmful

Confusion between anonymising and corporate VPNs is bad for cybersecurity

The Virtual Private Network, or VPN, has become a familiar term amongst Internet users in recent years. Yet, the secure tunnelling technology has been around much longer. So, why is it popular now, why should this be considered harmful, and what do we do about it? Take the global Google Trends for the terms VPN, SSL and TLS, pictured below. Comparatively few people seem to care about SSL and TLS, but VPN sees growing interest, with repeated spikes. [Read More]