Richard Taylor

- CTO and Co-Founder at Approov Ltd
Chief Technical Officer with more than 30 years of industry experience. Background in compiler optimization and processor architecture, working more recently in application security and cloud computing technologies. Richard co-founded and is CTO of Approov Mobile Security (previously Critical Blue Ltd) and has led a number of innovative product developments in the areas of EDA, software optimization and remote software attestation.

Approov Blog

You Just Need to Speculate to Exfiltrate

January 9, 2018

There is much to discuss in the wake of last week's security news, which was dominated by the Meltdown and Spectre CPU bug announcements; 2018 has certainly got off to an interesting start. In part one of this two-part blog I look at these bugs from a high level. In part two I will shine the spotlight on the implications for mobile security, and for Android in particular.

Are You Human, Robot or Just Impatient?

November 28, 2017

Recently I was doing some API analysis on a video sharing app aimed at the teenage market. As is typical in these types of apps, before you can do anything you need to sign up for an account. You'd think that would be straightforward enough, right?

Swipe Left to Scrape

May 2, 2017

Yesterday morning security forums reported that an AI researcher had published a dataset of 40,000 photos scraped from the dating app Tinder. The purpose was simply to extract a real-world dataset that could be used for training Convolutional Neural Networks (CNNs) to tell the difference between men and women. This seems innocent enough, although the author's choice of variable naming caused a bit of a stir. He changed the variable name "hoe" to "subject" soon after the story broke. Apparently the original naming was inherited from the Tinder Auto-Liker code.

How to Ride the Bus for Free (Hackers Need Not Apply)

May 1, 2017

(Image by Cory Doctorow licensed under CC BY 2.0) It's another sunny Scottish morning at CriticalBlue and we're having a chat about the latest and trendiest Android vulnerabilities and the fundamental mobile security flaws that have come up in our pentesting activities. Every now and again they might be enabled by a race condition that has been in the Linux kernel for nine years, but more often than not they lurk in the apps themselves, storing secrets in plain text on devices or sending unencrypted data over the network. We all know we shouldn't be doing it, and if we didn't, we could learn how to equip our code with basic security in a few Stack Overflow questions' time, so why do embarrassing things keep happening?

Richer Client, Poorer Security?

April 19, 2017

(Image © Steve Fareham (cc-by-sa/2.0)) Over the years the OWASP Top 10 has been a key guide for directing application developers to the things they should worry about from a security perspective. The same types of issues seem to occur again and again with alarming regularity.

Grand Theft Auto IRL: Tesla and Nissan Insecure Automotive Apps

April 12, 2017

Nowadays it's very common for car manufacturers to develop mobile applications that allow you to control several aspects of your vehicle. The level of control these apps give you varies, from the simple function of unlocking the car to the much more complicated action of summoning it to your location.

Digital Healthcare: MU3 and API Security

March 10, 2017

There is a revolution underway in healthcare in the USA. At its heart is MU3, Meaningful Use Stage 3 of the Electronic Health Record incentive program. One of the goals of this program is to empower patients and give them greater access to their medical records. Healthcare providers will have a legal responsibility to allow patients to access their data, and they also have a responsibility to ensure the security of the data they provide. They have to walk a fine line between ease of access and security, and they have to do it by 2018.

Bank Account Aggregation Apps - Setting Boundaries

November 14, 2016

In the world of banking, security has always been important, and the recent breach at Tesco Bank is a timely reminder. With an increased appetite for regulation in the banking sector and in the realm of data protection, it is becoming ever more important for responsible companies to tighten up their defences against the constant threat of data theft and fraud. Regulation is becoming a powerful lever to encourage banks to have robust mechanisms in place to protect their customers. The EU's General Data Protection Regulation (GDPR) raises the possibility of heavy fines if you fail to act.

The Problem of API Abuse

October 18, 2016

The number of devices connected to the internet has exploded in recent years as everyone becomes permanently attached to their phone or tablet. As the number of mobile users has increased, there has been a shift away from websites towards mobile apps. Large companies can gain more information about users when they use their app, and can also provide a more fully featured experience by offering offline functionality or by making use of the phone's camera, accelerometer or GPS. Users tend to prefer apps as well because they offer a richer experience.

The Rise of DDoS

October 18, 2016

The attack on the website of Brian Krebs and the release of the Mirai malware source code demonstrate the challenges facing the anti-bot world. At its peak, the Krebs on Security DDoS attack was generating 620Gbps of traffic, mostly from IoT devices. With the ever increasing number of internet-connected devices, and their current security shortcomings, it should come as little surprise that the scale of DDoS attacks is increasing.