Posts about


You Just Need to Speculate to Exfiltrate

January 9, 2018

There is much to discuss in the wake of the security news flow last week. It was dominated by the Meltdown and Spectre CPU bug announcements — 2018 has certainly got off to an interesting start. In part one of this two part blog I will look at these bugs from a high level. In part two I shine the spotlight on the implications for mobile security, and for Android in particular. Read Full Story

If You Can't Make It, Fake It

November 22, 2017

As many social media platforms continue to experience incredible growth in popularity, the supporting apps, and the APIs that service them, remain top targets for bad actors. The ability to communicate quickly and indirectly with the platforms’ vast user bases make them ideal for spreading malware, phishing attacks, or fake news. Networks of automated accounts, gaining artificial levels of popularity and influence are often used to instigate attacks and the recent admission by Facebook that Kremlin linked propaganda may have been seen by as many as 126 million users gives us some idea of the scale of the threat and the ambition of the attackers. Read Full Story

Capitalising on Uber's London Misadventure

October 17, 2017

Rival Cab Companies Are Quick to Move, But Cyber Criminals May be Quicker Read Full Story

Unintentional Unpinning with Firebase

August 28, 2017

Google's Firebase provides comprehensive set of analytics services for developers to integrate with their apps. On Android the basic functionality is enabled simply by integrating the desired plugins. No code changes required. Read Full Story

Swipe Left to Scrape

May 2, 2017

Yesterday morning security forums reported news that an AI researcher had published a dataset of 40,000 photos that had been scraped from the dating app Tinder. The purpose was simply to extract a real world data set that can be used for training Convolutional Neural Networks (CNN) to tell the difference between men and women. This seems innocent enough, although the author's choice of variable naming caused a bit of a stir. He quickly changed the variable name "hoe" to "subject" soon after the story broke. Apparently this original naming was inherited from the Tinder Auto-Liker code. Read Full Story

Richer Client, Poorer Security?

April 19, 2017

(Image courtesy of Steve F) Read Full Story

Adapting OAuth2 for Internet of Things (IoT) API Security

March 30, 2017

On Friday, 21 October 2016, multiple waves of distributed denial of service (DDoS) attacks shut down major internet services across the United States and Europe. The attacking botnet army consisted mainly of printers, IP cameras, residential gateways, and baby monitors infected with Mirai malware. Mirai targets IoT devices, and though each individual IoT device was not very powerful, taken together these devices did significant damage. For many mainstream internet users, the need for strong IoT security became painfully obvious. Read Full Story

There's a Fake App for That

January 10, 2017

The well-respected Coach brand stands for authenticity, innovation, and relevance. They are a luxury brand, so you might be a bit surprised to find in mid-October that the Coach mobile app in the iTunes App Store was offering an extra 20 percent off bags, shoes and accessories. Act fast but watch out, because Coach doesn't really have an iPhone app! Read Full Story

The Rise of DDoS

October 18, 2016

The attack on the website of Brian Krebs and the release of the Mirai malware source code demonstrates the challenges that face the anti-bot world. At its peak, the Krebs on Security DDoS attack was generating 620Gbps of traffic, mostly from IoT devices. With the ever increasing number of internet connected devices, and their current security shortcomings, it should come as little surprise that the scale of DDoS attacks is increasing. Read Full Story