Corporate Identity Theft - Perhaps the biggest risk is where you least expect it...


Companies House Security Review - Part 2

Update(s): 18/Dec/2012 - One SSL bug now fixed (might want to put security testing out to tender next time!) - but still a few to go.  Directory traversal still possible... hint encode/escape or strip, don't add slashes!  Significant improvements have been made to the SSL implementation

Security - Missing a vital ingredient?

Update as of 15/03/13: I have received a number of emails asking for further comments on the situation @ MyDish. I firmly believe that every effort is being made to rectify the issues I've identified - and the insinuation that Carol or the team at MyDish have ignored the

Experian CreditExpert ID Theft Protection - Security Review

Update: 10/05/2013 - 4PM:  The community forum has returned - with site-wide SSL enabled.  Appropriate cookies are httponly & secure and protocol support, key transmission and cipher strength all pass with flying colours.  Superb.  It's still not immediately clear to the user that the username/password required for

Forgot your password? You're doing it wrong.

Have you ever struggled to remember a username or password?  Join the club. Wouldn't it be great if you could log in to every site using the same password, without compromising your security?  Now you can! Introducing AgileBits 1Password, the gold standard in decentralized identity & password management for Windows,

CashPlus: "It is secure" - Ooooh no it isn't.

As part of a wider research project, I joined CashPlus in June (18th to be precise), which is purportedly... better than a business bank account So I paid the £29.99 annual membership fee and waited for the card to arrive. Less than a week later, the card arrived and

Really bad #infosec advice.

Be Cyber Streetwise is a cross-government campaign, funded by the National Cyber Security Programme, and delivered in partnership with the private and voluntary sectors. The campaign is led by the Home Office, working closely with the Department for Business, Innovation and Skills and the Cabinet Office. On January 13th 2014,

Virgin Media SuperHub: 7 second security flaw...

OK folks, no waffling, no hyperbole... I'll get straight to the point. If you run a Virgin Media SuperHub or Superhub 2, your network is not secure. The Boot Sequence When you switch on your device, it takes roughly a minute to fully boot, bring up the network cards/WiFi

Council Tax, PCN & Benefits Payment Data Leaked! Are you affected?

Well, I guess it had to happen at some time. To be fair, I was parked on double yellow lines. No excuses, no basis to contest the penalty... I was in the wrong. In those 10 minutes however, I unwittingly caused Walsall Metropolitan Borough Council sufficient financial hardship to warrant

How secure is #Roboform? The 5 minute challenge.

TL;DR - Your master password is sent to Siber Systems and the mobile applications are insecure. Described by its creators, Siber Systems, as "completely secure using military grade encryption", Roboform has been knocking about since 1999. Now, I have a rule when testing password managers.  If the

Virgin Media: You're only as secure as your weakest link.

Avid followers will know, I've long been an advocate of password managers... specifically 1Password. So much so, I'm often criticised for treating it as a panacea. With that in mind, it's about time I outlined another risk which isn't immediately obvious; one which allows me access to almost any site

Does Two Factor Authentication Actually Weaken Security?

This article flies in the face of general consensus. As you're here, you either share this view or you're questioning my sanity and/or logic. Adoption Rates Ultimately, the success of any new technology hinges on the end-user. Trouble is, 2FA isn't new... we've used it in various contexts since

The difference between two-factor and two-step authentication.

No lengthy article this time folks, just a flow diagram to demonstrate the differences between two-factor authentication and two-step verification. (full size) Why isn't an OTP via SMS a 2nd factor? At first glance, the mobile phone appears to be "something we have" (one of 3 factors necessary

Value security? Avoid TalkTalk.

Update 18/10/2014: TalkTalk have now upgraded their SSL configuration; providing a much healthier "A-" on Qualys. More importantly, it's now PCI compliant. -- Cheap viagra, cialis & diet pills I could benefit from a diet pill or two, but I'm pretty sure my Dad isn't the

Kickstarter Password Managers: The good, the iffy and the dangerous.

Over the last few months, Kickstarter has been awash with password managers. Unless you're willing to invest and use a ridiculously tiny comments box, it's impossible to comment or ask further questions so others can see their response. Rather than clutter the comments area, this article will provide a very

Password Managers: Facts, Fallacies & FUD

Ah, passwords. The thought of choosing, remembering and inevitably resetting them is enough to make your blood boil. As a fundamental part of our digital lives and despite several reports claiming they're dead, our dependence on them shows little sign of slowing. A password manager is a great way to

Immobilise: Police Security Initiative Exposes 28 Million Records.

05/01/2015: Recipero, the company behind Immobilise, NMPR and CheckMEND have now mitigated this risk by limiting access to the "/verify" & pdf generation pages to only authorized users. You're no longer able to view records which you do not own, so although it's undoubtedly more secure,

Roboform Security Revisited: Lies, Deception & Misnomers.

You may recall, I recently published an article entitled "How secure is Roboform: The 5 Minute Challenge". Well, 6 months have passed and although there's been no official public response from Siber Systems, they have made a number of comments to journalists and customers by email/Facebook and

SagePay: Breaching PCI Compliance... intentionally.

Update: 2:50PM 03/02/2015 Just minutes after this article went live, SagePay have once again removed the 56bit cipher. It is being actively monitored, so if it creeps back in, I'll update the article again. As one of the largest payment service providers in the world, SagePay has

Everykey: 3 years and $250,000... is it vaporware?

Update 22/12/2015 I've received several emails regarding this project over the last few months; another landing just a few moments ago. Unbelievably, Everykey has been delayed yet further... with delivery now estimated in February 2016. I'm very grateful to everyone for keeping me informed. However at this stage,

Phishing attacks are evolving. The Vivian Gabb story...

"We have detect some unauthorized active on your account. Please update your detail as soon as possible" We've all had them; the notorious and grammatically inept phishing emails designed to strip us of our hard-earned money. The vast majority are destined for immediate deletion, but a growing number

Behavioral Profiling: The password you can't change.

We're all familiar with the 3 basic categories of authentication. Knowledge factors (passwords, PINs) Possession factors (a software/hardware token - Yubikey/Google Authenticator/SecureID) Inherence factors (fingerprint, heartbeat, iris/retina scanning) While the vast majority of sites use knowledge factors, a growing number are turning to multi-factor solutions in

Privacy & Password Managers: A Reality Check

Before we begin, let me preface this by saying... I actually quite like Steve Gibson. For all his faults, he often raises very salient points on a variety of topics, typically surrounding security products & services. During the latest "Security Now / TWiT" episode on 20/10/2015, Steve

Identity theft & payment fraud? That's ASDA price.

Back in March 2014, I contacted ASDA to report several security vulnerabilities and despite a fix promised "in the next few weeks", little appears to have changed. @Stuho1mez All of our sites are secure, I would advise using Chrome. Thanks, Beth — Asda Service Team (@AsdaServiceTeam) January 14,

PwnPhone: Default passwords allow covert surveillance.

A few weeks ago, I was asked to observe an installation of several wireless access points & VoIP phones, with a view to making recommendations on how best to improve security while maintaining ease of deployment. It didn't take long for several trends to appear; chief amongst which was the

EveryKey Revisited: Military grade? Give me a break.

Update 27/04/16: Here are some screenshots of the EveryKey Windows app. It's not digitally signed, so there's no way to ensure it's genuine and hasn't been modified, it crashes if you click the toolbar & if you click "forgot password", it opens Google. To be frank,

Bank & Mobile Network Security: For want of a nail...

Ever since publishing a "two factor authentication vs two step verification" article in 2014, I've been waiting for an opportunity to irrefutably demonstrate the difference. Note: This article is very much a "work in progress" as until both exploits are patched, I can't provide any technical

Don't let them paste passwords...

After months of tweets, emails & articles from eminent figures like Troy Hunt & the NCSC, it's about time I weighed in on the debate surrounding sites which disable a user's ability to paste passwords. The general consensus amongst many experts, including those mentioned above, is that disabling paste on

Kervball: The Kerv ring data breach...

Here's what happened the day my Kerv arrived...

SafeBuy: Can you trust a trustmark?

Private, secure & trusted... or is it?

CyberAlarm: An independent security review... and why you should avoid it.

A brief review of CyberAlarm uncovers several serious concerns. Please read this before you deploy it.

CyberAlarm: Testing the "production version"... and why you should avoid it.

Reviewing the "production" build of CyberAlarm. Good grief - you couldn't make it up.

TOFU Attack: Your registration flow is a breach waiting to happen...

The risks of failing to validate an email address...

Police CyberAlarm: Abysmal security, yet again.

3 attempts, 3 complete failures. Incredibly, CyberAlarm is now even worse than before.

Contact Me

Have a question? Want me to review a product?
