Welcome to my blog

This is my blog on (mostly) cybersecurity, IoT and related subjects. It contains some historic stuff from LinkedIn and other places, as well as new thoughts that I’ll collect here. I’ll also occasionally talk about research work, including publications or other academic engagements.

For more information about me, visit my personal website.

Research in brief: Stealing fingerprints with smart locks 🔓

It can't be that easy, can it?

In August, I attended the IEEE iThings 2022 conference to present a paper titled “IoT Droplocks: Wireless Fingerprint Theft Using Hacked Smart Padlocks”. The proceedings should be published in a couple of months, but in the meantime, I’ve made an arXiv preprint available and will provide the reviewed & edited IEEE Xplore link when it’s available. If you want a shorter, simpler version, read on below.

[Read More]

The real reason why you shouldn't share OTP codes

It might not be what you think

One-Time Passwords, or OTPs, are a widely used authentication factor in many online services, big and small. When I’m not ranting about them, I actually think they’re pretty good. So, today is not another attack on OTP or multi-factor authentication, but instead, an effort to educate people about how they work and what we need to do to ensure we stay safe. There are some misconceptions out there, so let’s try to correct them. [Read More]

Do we want software supply chain security or not? ⛓👩🏽‍💻🔥

Our actions do not match our words

The world is built on other people’s code, and that’s a good thing. But sometimes, other people’s code goes wrong, leading to problems and solutions that we’re not entirely in control of. When things go wrong, our trust in the software supply chain goes down, yet we still depend on it. The community is abuzz with discussions about securing the software supply chain. It’s time for me to give my take on it, and I’m putting one-liner install scripts in my crosshairs 🎯. [Read More]

In detail: SCRAM with channel binding

Visualising the process, discussing its shortcomings

In January, I asked whether TLS channel binding with strong authentication was the solution to defend against MITM or proxy style phishing attacks. The answer was “yes, but also no”. I will look beyond SCRAM soon, but first I want to fulfil a promise to go into more detail about how SCRAM works, especially with channel binding.

[Read More]

Nine things I hate about Multi-Factor Authentication

My love-hate relationship with 2FA/MFA

Multi-factor authentication (MFA) is a critical part of our defence of information systems, but it is far from perfect. I’ve made a list of things I dislike about it, not because I think that MFA needs to go away, but because if we can solve some of these gripes, MFA becomes even more powerful. What is MFA? When I talk about MFA, I mean the authentication methods that tend to be used in addition to your username/password. [Read More]

Channel Binding: Should you be using it?

Stopping phishing in its tracks... maybe

Authentication and in particular passwords are the bugbear of many cybersecurity professionals. For all the encryption, firewalls, IDS and other defences we put in place, if authentication doesn’t do its job properly, or a user’s credentials get stolen, a compromise is very likely. In the future, we might embrace password-less authentication, relying instead on biometrics, tokens and smart devices in various combinations. Indeed, some platforms do this already, but not all. [Read More]

VPNs Considered Harmful

Confusion between anonymising and corporate VPNs is bad for cybersecurity

The Virtual Private Network, or VPN, has become a familiar term amongst Internet users in recent years. Yet, the secure tunnelling technology has been around much longer. So, why is it popular now, why should this be considered harmful, and what do we do about it? Take the global Google Trends for the terms VPN, SSL and TLS, pictured below. Comparatively few people seem to care about SSL and TLS, but VPN sees growing interest, with repeated spikes. [Read More]

Meep Meep! A story of certificate (un)verification 🔐📜🔍❌

ACME clients seldom check the certificates they receive

This article discusses the lack of certificate checking done by ACMEv2 clients, as well as the lack of provision in the ACMEv2 protocol specification to encourage any checking. It explores the implications of this, and demonstrates why we should probably be doing some additional checks in our ACMEv2 clients. The project is called “Meep Meep”, because that’s the sound a roadrunner makes. The author couldn’t think of a cleverer name for something related to ACME. [Read More]