Photo of Terence Eden. He has a beard and is smiling.

Terence Eden’s Blog

How random are TOTP codes?

By · · 5 comments · 350 words · read ~3,875 times.

Histogram of distributions. 8 is clearly higher than the rest.

I'm pretty sure that the 2FA codes generated by my bank's TOTP app have a bias towards the number 8 - because eight is an auspicious number. But is that just my stupid meaty brain noticing patterns where none exist? The TOTP algorithm uses HMAC, which in turn uses SHA-1. My aforementioned brain is not […]

Continue reading →

Password Resets in an Age of MFA

By · · 3 comments · 400 words · read ~163 times.

A padlock engraved into a circuit board.

Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity. WordPress mandated that I change my password. But was that really necessary? Firstly, the […]

Continue reading →

The irony of TicketMaster's breach notification email

By · · 4 comments · 250 words · read ~262 times.

What is Ticketmaster doing to protect customers? We have been working with industry-leading cybersecurity experts, the relevant authorities, including law enforcement, as well as credit card companies and banks. No further unauthorised activity has been seen in the cloud database since we began our investigation. We are offering you a free 12-month identity monitoring service with TransUnion. These services will be provided by Cyberscout, a TransUnion company specialising in fraud assistance and remediation services. You can sign up for this service through the following link: https://bit.ly/TU-sign-up What can I do? There is nothing you need to do. However, exposure of personal information can, in some cases, increase the risk of identity theft or fraud, so it’s always a good idea to monitor your bank accounts. If you notice any suspicious activity, contact your bank and/or credit card companies. Be cautious of unsolicited emails from unknown senders, especially those with unusual content, links, attachments, or requests for personal information over the phone. If you have any questions, you can visit https://bit.ly/Ticketmaster-Data-Security-Incident or contact us at ticketmastersupport@ticketmaster.com. Ticketmaster understands the importance of your personal information and we take its protection very seriously. We apologise for having to write to you in these circumstances.

TicketMaster has joined the long list of companies to lose their customers' information. As is common, they sent out an email to warn poor sods like me who might have had our details snaffled. Their email is particularly poor and contains a delightful example of how not to communicate issues like this. See if you […]

Continue reading →

You can outsource risk, but you can't outsource reputation

By · · 350 words · read ~129 times.

Cyber attack hits major London hospitals. ‘Significant impact’ on King’s College Hospital, Guy’s and St Thomas’ and south-east London GP services, say NHS leaders. A cyber attack has crippled three major London hospitals, causing operations, blood tests and transfusions to be delayed for weeks. The National Cyber Security Centre (NCSC) is investigating the source of the ransomware attack, which led to chaos in A&E departments on Tuesday. NHS leaders said there had been a “significant impact” on King’s College Hospital, Guy’s and St Thomas’ and GP services in south-east London. The Telegraph understands that security sources believe the hack to bear the hallmarks of a criminal activity. The attackers behind it are believed to be

Over the last few weeks, I've had several people ask me about the recent hack on the NHS. A ransomware attack has meant that several hospitals have cancelled operations and there is now an urgent demand for blood donors. What does it say about the state of NHS IT that this attack has happened? Nothing. […]

Continue reading →

A security bug caused by… Dark Mode!

By · · 300 words · read ~133 times.

Image is of a Green Shield with a white tick.

Everyone loves Dark Mode. It is kinder on the eyes, less energy intensive, and looks hecking cool. *5 seconds later* We regret to inform you that Dark Mode causes security bugs. (With apologies to Ben Ward) OK, OK. This isn't a particularly severe security bug, but I found it interesting. The Matrix messaging app "Element" […]

Continue reading →

Bank scammers using genuine push notifications to trick their victims

By · · 8 comments · 500 words · read ~3,362 times.

`In app popup. "Are you on the phone with Chase? We need to check it's you on the phone to us. Let us know it's you and enter your passcode on the next screen. @ Not you? Your details are safe. Just tap 'No, it's not me' and we'll end the call."`

You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. […]

Continue reading →

There's nothing you can do to prevent a SIM-swap attack

By · · 5 comments · 450 words · read ~414 times.

Photo of a nano SIM card and its plastic housing.

It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...! Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there […]

Continue reading →

I made a mistake in verifying HTTP Message Signatures

By · · 5 comments · 400 words · read ~103 times.

A pet cat typing on a computer keyboard.

It's never great to find out you're wrong, but that's how learning and personal growth happens. HTTP Message Signatures are hard1. There are lots of complex parts and getting any aspect wrong means certain death2. In a previous post, I wrote A simple(ish) guide to verifying HTTP Message Signatures in PHP. It turns out that […]

Continue reading →

O2 UK's Weird MSISDN Lookup API

By · · 7 comments · 250 words · read ~184 times.

Sorry, we don’t recognise this number. Please try again.

It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number. I put in a random number, and it refused to let me in. Putting in a genuine O2 number let me […]

Continue reading →

HTTP Signature Infinite Loop?

By · · 10 comments · 500 words

A padlock engraved into a circuit board.

I'm trying to get my head round HTTP Signatures as they're used extensively in the Fediverse. Conceptually, they're relatively straightforward. You send me a normal HTTP request. For example, you want to POST something to https://example.com/data You send me these headers: POST /data Host: example.com Date: Sat, 24 Feb 2024 14:43:48 GMT Accept-Encoding: gzip Digest: […]

Continue reading →