Author: Edward Thomson

Blockchains, Data Protection, and GDPR

Recently I came across an interesting problem to do with data regulation and blockchains: what are the regulations surrounding storing data on blockchains? While there are very few regulations specific to blockchain technology, it is worth considering which existing laws already apply to it. Governments, and their associated regulatory institutions, have been fairly hands-off, but that is not to say that no laws apply.

The SEC in the US has strict laws around registered exchanges. Simply setting up an exchange using blockchain technology in order to skirt around the SEC isn’t going to cut it.

Always take your credit card receipt when paying by contactless

Quick post: it is worth taking your credit/debit card receipt when paying by contactless.

Why: if you take the receipt you will notice that there is a card number displayed in full, without the stars (“*”). Not every time, but too many times. Personally, I think that is bad practice, although it is not actually illegal, nor a contractual breach under the payment card rules (PCI DSS).

The number being printed on your copy is “fine” since it is your number, and it is “fine” for it to be on the merchant copy since they are supposed to dispose of the receipts securely; but too often receipts are just thrown in the bin. 🙁

When paying by chip and PIN the card number is always hidden with stars (except the last 4 digits). This number is the same as the one displayed on your card. The number printed when using contactless is actually different, but printing it in full is still poor practice.

When will hedge funds become interested in the security posture of a company?

At some point the security posture of a company will be of great interest to hedge funds and investment managers. That is to say that they will be interested in how secure other companies are and whether that can affect their investments.

The companies of interest are more likely to be publicly listed, although it could also be of concern for investment managers looking to acquire a share of a private company. For hedge funds and other managers with an appetite for more exotic investment vehicles, the security posture of a company could indicate a potential shorting opportunity (making a profit from the decline in a company’s share price).

The people behind malware and cybercrime

As interesting as the techniques used in creating new malware are the people behind the code and the lengths they go to in order to hide themselves. The malware writers are a small but important piece of the puzzle; however, they are part of a wider category of cybercriminal.

In this piece I explore some of the people behind well known malware and other cybercrimes. Some people, and their actions, may be defined as criminal in a true legal sense, but I make no statement on their morality. Is cyber-vigilantism justified (“doing right”) even if the actions are illegal? I have my own opinion, but here I will try to stick to reporting facts, with some opinion on personalities rather than on their morality.

Wikileaks releases a new dump from the CIA – hacking tools – Vault 7

I’m losing track of all the leaks that have happened at US government agencies. It seems that yet another load of information has been shared with Wikileaks. This batch of data supposedly carries hacking tools. It seems there are a lot of policy and procedure documents, including checklists for secure development.

Wikileaks Vault 7 — A link to the information dump. Caution: some of the information is classified (if this applies to you then you will know that already). Some of the information has also been redacted for now.

Schneier’s comments — Bruce and the commenters often provide interesting thoughts and insight.

One interesting thing that Bruce pointed out:

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.

Uber’s fake app providing anonymity to drivers?

An interesting revelation was dropped in the news this week about Uber implementing a mechanism to provide some level of protection from law enforcement in cities where Uber is prohibited (if I have understood correctly). It would seem that the mechanism affords the driver a level of anonymity.

Bruce Schneier wrote a comment on the revelation and focussed on the surveillance aspect of this. While I’m a fan of Bruce, I’m less inclined to focus on the surveillance aspect of this story and look more at the ‘anonymising protocol’ employed by the app. Interestingly, while Bruce was critical of Uber it would seem that many of the commenters defended Uber’s actions.

Hashing, fast and slow

Integrity is an important consideration for security assurance. In this article I will explore the importance of hash functions and an associated type of function known as a Key Derivation Function (KDF).

Fast hash functions

In a digital setting we would like to know that a file we are given is the one we expect. Part of that assurance will come down to whether we trust the source of the file; however, hash functions are a technical control that can help us gain assurance that the file we just obtained is the file we want. This is important because there can be errors in the transmission of data, and because an attacker could try to modify a file while it is in transit. There are more sophisticated scenarios which will be ignored for the purpose of this illustration.

Password Managers – Local vs Global

I’ve written a few articles already about the need for better passwords and the necessity of using a password manager. In this article I will point out why I think a local password manager is better.

Local

A local password manager is one that sits on one device and does not back up to the cloud or to any remote location automatically. My own preference is to use something as simple as possible. This minimises the possible attack surface in case the password management software has a flaw. Let me recap what my password manager does / is:

  • Saves my passwords in an encrypted file
  • The software is local to my computer
  • There is an automatic backup file which is saved locally
  • I can copy / paste the usernames and passwords

The password file is only saved to the computer on which I’m working. I have one manager on my work computer and one on my personal computer. There is no saving of passwords to the cloud, nor do the password managers have any sort of remote connectivity.

The software only saves passwords. That’s it. Nothing more. Let me outline why this is best.

It may look complex and unpredictable but is it really?

A key idea in security is that of unpredictability. If I can’t guess your password then it ought to be secure. This is almost true, except that the problem isn’t whether I (as a human) can guess your password but whether a computer can iterate through all possible passwords and find your particular password within a sufficiently short timeframe. There is a mistaken assumption that if your password is hard for a human to guess then it is a good password to use. I heard an anecdote that went something like “My password is ‘JohnSmith’. No one will guess that because my name is Bill Jones.” This line of thinking is based on whether someone you know is likely to guess your password.
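The following is an added example, not part of the original post, that makes the "computer iterating through passwords" point concrete. It estimates how many guesses two different automated strategies need before reaching a given password: an exhaustive search over the alphabet the password uses, and a structured search that simply pairs first and last names in a few capitalisation forms. The name lists are constructed and deliberately tiny, and the guess rate of one billion per second is an assumed figure for the illustration; the shape of the result, not the exact numbers, is what matters.

```python
import string

# Constructed, deliberately tiny word lists for the illustration;
# real password dictionaries hold millions of entries.
FIRST_NAMES = ["john", "bill", "mary", "jane", "tom", "ann"]
LAST_NAMES = ["smith", "jones", "brown", "taylor", "wilson", "davis"]


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover to reach this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for an attacker enumerating every string over the
    password's alphabet, from length 1 up to the password's length."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def name_combo_guesses(password: str):
    """Guesses needed by an attacker who tries first+last name pairs in three
    capitalisation forms; None if the password is not of that shape at all."""
    forms = (str.lower, str.capitalize, str.upper)
    count = 0
    for first in FIRST_NAMES:
        for last in LAST_NAMES:
            for form in forms:
                count += 1
                if form(first) + form(last) == password:
                    return count
    return None


def estimate(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise both strategies; the attacker gets to use whichever is cheaper."""
    brute = brute_force_guesses(password)
    combo = name_combo_guesses(password)
    best = brute if combo is None else min(brute, combo)
    return {
        "brute_force": brute,
        "name_combo": combo,
        "attacker_best": best,
        "seconds_at_rate": best / guesses_per_second,  # assumed 1e9 guesses/s
    }


if __name__ == "__main__":
    for pw in ["JohnSmith", "Xk7#qL2m!"]:
        r = estimate(pw)
        print(f"{pw!r}: brute force {r['brute_force']:,} guesses, "
              f"name pairing {r['name_combo']}, "
              f"best strategy {r['attacker_best']:,} guesses "
              f"({r['seconds_at_rate']:.3g} s at 1e9/s)")
```

"JohnSmith" looks like 52^9 worth of work to a human thinking in terms of brute force, but the structured strategy reaches it on its second guess; a password that is hard for a person to guess is not the same as one that is expensive for a program to enumerate.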

Investigating the security of anonymous messaging over the Internet

The topic of strongly encrypted communication has been receiving a lot of press coverage over the last few years and is a politically sensitive issue. Adding the possibility of making such communication anonymous makes it more sensitive. This work is based upon the thesis that I submitted for my MSc. The layout of the sections plus some of the wording has been tweaked to fit better as blog posts. The intent is to present the information across several pages.

Anonymity over the internet
Can we be anonymous on the Internet?

In this post I am introducing a new section of the blog which will be devoted to anonymity and privacy.

This blog will investigate to what degree anonymous communication over the Internet is possible. The result is unclear: theoretically possible but unlikely to be true in most real situations. Sources will be provided where necessary and may be academic in nature or from the media. The combination of the two will show the cultural relevance of the topic and highlight the interface between researchers, software developers and the general public who have no formal training in this area.