Underground, overground, travelling free !

So the Tube – the London Underground is going NFC for payment transactions then … [LINK] … can you see the weakness here ?

We’ve had Oyster cards for some time now in London as a means to pay at the turnstiles to travel on the London networks – bus, Underground etc. I assume some contractual issues came in to play and the scheme was moved to a new contactless system. I noted that the tech at the turnstiles appeared to not change which indicated that the readers stayed the same but perhaps the software behind the system did change.

 

So we have a NFC reader and a piece of software to read those NFC chips to authenticate that the code being presented indeed is for a valid card.

I also noted a conversation with First Group commercial director in Manchester during 2013 when they were talking about trialling contactless payment systems.

This is definitely pointing to a payment on the device environment coming up for the UK. I kind of support it as it is rare I don’t go out without my device .. but often that I forget to take my travel card !

 

I have a Samsung i9100P specifically for its NFC chip – I see NFC in several devices and with the announcement of the iPhone 6 – I see it also features NFC. The good news is that it can allow micro-payments not only from your bank but also against your phone provider which means you can use a variety of accounts. Massive benefits to the consumer – I can see its adoption.

I also see the criminals rubbing their hands in glee. How many bus drivers will be checking that the app you pay for the journey with is the genuine one ?

 

In the London Underground with good connectivity, they could probably spot the fake NFC payment coming in and block you going through the turnstiles but on a vehicle such as a bus or unmanned station – I can see fake apps springing up to allow you to reset your “payment card” to get free journeys.

I found this link some time ago [LINK] and yes indeed San Francisco has had this problem with a weakness in the NFC cards allowing them to be tinkered with.

 

But this is now 2 years later – with a rooted Android phone I can see NFC becoming an interesting new vector for attack … I wonder if anyone is :

  1. looking at it (vendor, supplier and corporate)
  2. thinking about it at a coding level at the vendor
  3. working out the legals of what is involved – is it illegal ? What are the laws around this ?

 

An interesting subject that I think could grow especially with iPay from Apple also.

 

*UPDATE

And as if by magic comes news that Subway restaurants are going NFC also (LINK). Interestingly here is that iPay won’t be accepted yet … I guess they’re waiting for trusted security to be proven.

 

What do you think ?

 

The movie list

This list is for my kids.

 

Let’s face it, I hate most of the stuff you watch – Barbie and the Dreamhouse was the low point. So this is a list of films I want you to watch.

Not in any particular order (although I’ll guide you on the proper order for Star Wars!) – just make sure they’re age appropriate. When you’ve watched them all, then I’ll allow Barbie again !!! (maybe not also !!)

 

  • THX1138
  • Blazing Saddles
  • Rollerball
  • Driver
  • Convoy
  • Time Bandits
  • Escape from New York
  • Mad Max (all of them so we can then debate which was the best)
  • Blade Runner
  • Dark Crystal
  • War Games (I want to watch this again too, book it in!!)
  • Top Gun
  • Labyrinth (ask for my Ludo impression)
  • Flight of the Navigator
  • Short Circuit (don’t watch number 2 – it sucked)
  • Ferris Beuller
  • Lost Boys
  • Dirty Dancing
  • La Bamba
  • BeetleJuice
  • Akira
  • Bill + Ted (all of them in one sitting)
  • Pretty Woman (with your mum)
  • Flatliners (they all die .. get over it)
  • Drop Dead Fred
  • Jurassic Park (Start at 9am and watch them all in one day)
  • Mrs Doubtfire
  • Wayne’s World (Schwing! …. inappropriate but very funny !)
  • Dumb and Dumber
  • Mask
  • Shawshank Redemption
  • Forrest Gump
  • Ace Ventura (One of my hero’s is Ace … you may get my humour … CHICAGO !!)
  • Pulp Fiction (great soundtrack)
  • Leon
  • Judge Dredd (all versions then debate which is the best and why)
  • The Net (I’ll show you all the technical nonsense in it .. Sandra Bullock didn’t invent the internet)
  • Crimson Tide
  • Hackers (all of them – but you need to read a couple of books first)
  • Tank Girl
  • Braveheart
  • Romeo and Juliet (with your mum)
  • Trainspotting (cracking soundtrack)
  • Mission Impossible (wait till you see 3 … you’ll die laughing)
  • The Rock
  • DragonHeart
  • Eraser
  • Swingers
  • Contact
  • Face Off
  • Gattaca
  • Grosse Point Blank
  • Full Monty
  • Titanic
  • Good Will Hunting
  • Austin Powers (and please get dressed up)
  • Men in Black (all of them in one sitting)
  • Rocky Horror Picture Show
  • Little Shop of Horrors

 

  • Weird Science
  • CannonBall Run
  • Devils Advocate
  • Fifth Element
  • Godzilla (the older one)
  • Truman Show
  • Enemy of the state
  • Armageddon
  • Lock Stock
  • Snatch
  • Meet Joe Black
  • Shakespeare in Love (watch with your mum!)
  • Avengers
  • Matrix (promise you’ll only watch the first one!)
  • American Pie
  • 6th Sense
  • Notting Hill
  • Office Space
  • Payback
  • Three Kings
  • Emperor’s New Groove
  • Chicken Run
  • Road Trip
  • Gladiator (See MovieMistakes.com first)
  • Gone in 60 Seconds
  • Pich Black
  • O Brother Where Art Thou
  • Boiler Room
  • Hollow Man
  • Perfect Storm
  • Monsters Inc
  • Dune
  • Convoy
  • Smokey and the Bandits
  • Fast and Furious (all of them)
  • Lord of the Rings
  • Oceans 11
  • AI (please read Isaac Asimov I Robot first)
  • Moulin Rouge
  • Swordfish
  • A Knight’s Tale
  • Catch Me If You Can
  • Bourne Identity
  • Men In Black (all of them)
  • Transporter (all of them)
  • Minority Report
  • Austin Powers (all of them)
  • Finding Nemo
  • Italian Job (the original)
  • School of Rock
  • League of Extraordinary Gentlemen
  • Love Actually
  • 50 First Dates
  • Day After Tomorrow
  • National Treasure (after watching – speak to Grandy)
  • Anchorman
  • Van Helsing
  • Yes Man
  • HitchHikers Guide (Orginal, read  the books then watch the latest one)
  • xXx
  • Cars
  • Flushed Away
  • 300
  • V for Vendetta
  • Talladega Nights
  • Ice Age
  • Night at the Museum
  • Employee of the Month
  • Little Miss Sunshine
  • I am Legend (and then write the ending properly)
  • Meet the Robinsons
  • Madagascar (all of them)
  • Below

 

That’ll do for now … I’ll add to it as I remember more.

 

If you have any suggestions please recommend them here :

 

I’m seeking new opportunities

After nearly 3 1/2 years in my previous role, I have decided to move on to find to pastures new.

Security is a personal passion of mine as you may have seen from my Twitter account (@SPCoulson) and I want to now bring security to the doorstep of organisations and help highlight and repair weaknesses, but also demonstrate how they can effectively prevent themselves becoming a victim of crime.

So many organisations spend vast amounts of time, money and resources to create powerful brands and great products but because security is often seen as a barrier to innovation, it only gets added on afterwards, usually in a reactionary way, and rarely implemented well.

Having seen and heard the pain that organisations go through during breaches and compromises, I want to reach out and use my knowledge and expertise to guide organisations to safer and securer times so their people, physical and data assets, and intellectual property are appropriately protected.

If you think you might be able to use my services, or have a position I may be relevant for – please get in touch. I am actively hunting so there is a chance you are on my radar !

As I have a broad set of skills, you may find this list of some guidance :

* Commercial –

Business Development, Business Process Management, Project Management, Process Re-Organisation, Project Build, Market Research, Sector Analysis, Competitor Research,

* Educational –

Training, Coaching & Mentoring, Side-by-Side Coaching, Researcher, Speaker.

* Compliance –

Quality Management, ISO 9001, ISO27001, ISO14001, PAS 2060, Basic PCI

* Security –

Ethical Security Testing, Social Engineering, Penetration Testing, Vulnerability Scanning, Security Professional, Physical Security Design,

* Datacentres –

Datacentre Design, Operation and Security.

[LINK] – Reduced CV for download, full CV available on request

[LINK] – Link to my LinkedIn Profile

 

Get in touch if you think I can help you !

XSS and Tweetdeck and the person behind the discovery

So XSS appears to be back in Tweetdeck.

 

I was first alerted when I got this pop-up :

Capture22

My initial reaction was to ask out on Twitter – then I noticed it … every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.

 

I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337

After a quick dialogue and a few names .. there it was :

Capture 33

I had a brief chat with @firoxl and it appears that the bug was discovered by accident.

It actually was some sort of accident. ^^

https://twitter.com/firoxl/status/476738843841159168

Capture 44

I was using TweetDeck, suddenly there were 2 hearts.

I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.

As with all great discoveries – they were done by accident.

At the time of writing, Tweetdeck has now fixed the issue :

https://twitter.com/TweetDeck/status/476763638695743489

Capture55

Where could it have gone to ?

Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”

And there you have it 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out – not a bad issue fix in the grand scheme of things !

 

Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.

 

 The FIX :

Log out of Tweetdeck – log back in again !

 

 

 

Security Mantras

I have to explain security concepts quite a bit in my job and so I thought I’d share my thoughts with you all for some discussion.

 

I’m going to keep it brief and then update this blog with the feedback and comments shortly.

 

Mantra 1

There are two kinds of people – those who have been hacked and those that don’t know it yet.

I’m all for a bit of FUD, Fear, Uncertainty and Doubt. It is a good sales technique to be fair – but please, if you are going to use FUD, be accurate. The infosec is getting a bad rap for wild accusations so let’s keep it real. If you feel the need to use a FUD mantra – how about:

Do you want to be one of those companies that you get to read about who didn’t do anything and then got hacked.

 

Mantra 2

Monitor, Manage and Maintain

Bit of a personal favourite of mine – so for transparency reasons … yes, I am biased!

  • Monitor – you have to be looking out to see what is coming your way. Ensure you have adequate monitoring that is telling you of an impending attack. Of course the critical part of all this is to know your base line – what is normal ? Once you know this, then you can work out what could be going wrong.
  • Manage – if you don’t have someone looking after these things, it goes the way of the paperless office … it was a good idea once. There should be a sponsor … a person at the top of the tree who ensures that the top line buys in, then there should be a busy bee worker who is making sure ‘stuff’ happens.
  • Maintain – patch, upgrade – do what you need to to ensure you are always at the edge and not falling in to the hands of criminals who love to capitalise on out of date systems

 

Mantra 3

We have [VENDOR PRODUCT] so we’ll be OK

or

Buy our [VENDOR PRODUCT] and you will be secure

No, no, no, no. No piece of tin will keep you safe. I love this quote which explains this perfectly “It doesn’t matter how thick your suit of armour is, you can still get flu.” With humans, there is always a will and a way !

 

 

So there you go …. my starter for 10 …. what security mantras do you use to protect yourself or what mantras do you train others in ?

 

 

Top Insecurity Tips

This is meant to be humorous blog about internet tips and why some advice is just bad. Just a bit of fun for April’s Fool.

 

1) Go to a public internet access point to surf the internet for a long time. Free wi-fi !

Bad idea – Public internet cafes are common places for various types of theft.

  • Physical theft of devices
  • Spoofing the access point to listen in on your traffic
  • Malicious payloads can be added via sponsored adverts
  • Shoulder surfing risk is greater

2) Do not put a password on your home wi-fi so that your friends can connect to the internet easily

Bad idea – so can your neighbours and malicious people. They can use your access point to surf nefarious websites and hammer it for downloads which all affect your speed and bandwidth limits.

3) One password to remember – use something easy like your name

Bad idea – Too easy to guess. and generally very easy to break as well because all words from the dictionary are already cracked. using the same password everywhere means that should you have a leak of your details, a criminal can gain access to everything you have ever logged in to.

4) Store your passwords in a notebook called passwords so you never forget another login

Bad idea – If someone opens your notebook , they can then log in on your computer with your credentials.

5) Antivirus, anti-malware tools and firewalls all slow down your computer, besides, you’ve never had a problem

Bad idea – all because you think you’ve never had a problem, does not mean that you have never been hit

6) Patching computers and installing updates gets in the way, takes too long and fills up your computer. Your computer works fine without them.

Bad idea – the hackers and malware writers can easily gain access to older versions of home systems, they have specific tools written to exploit these older out of date systems.

7) Leave your home computer on at home connected to the internet, that way you can just turn on the screen and have immediate access to the internet

Bad idea – if you are hacked, you won’t know about it till you get home and by then someone could have taken everything!

8) Downloading illegal content is fine, who cares about little old me !

Bad idea – it’s illegal.

9) Never clear your history – that way you can always find your old websites you have browsed

Bad idea – using tools a criminal can see everything you have done on your computer.

10) Auto-save passwords – that way your computer can auto-log in to all websites. How convenient is that, no more remembering passwords

Bad idea – anyone using your computer will also auto-login to sites with your details also, a criminal who may have been able to obtain remote access to your computer will also have all your passwords.

11) If they want to send you £20million from a relative you didn’t know from a foreign country you’ve never been to, what is £3000 in the grand scheme of things compared!!

Bad Idea – it’s a scam, congratulations, you’ve just lost £3000

Have some fun people and feel free to contact me on Twitter at @SPCoulson to add your own !

Why do I do what I do ?

I ask myself this several times a month … why am I doing this ?

Yet again, another compromised site, more unpatched software – I could scream ! Well … I could … but I don’t. Each person has their own incident – to them it is a personal disaster and so I respect that.

April 2013 and I was sat in bed, the missus asleep and kids climbing all over me. I picked up my tablet and logged in to Twitter. It’s about 8am and there it was .. another leak of a database. I still don’t know why I felt compelled to act but I did. It was medical data. Maybe it was the first record being a young child and I empathised ? I don’t know … but I did respond.

I found the website of the source and it was a small charity. How cruel I thought. A small charity doing its best and someone compromised them and leaked their data – no ethics amongst thieves.

I called the charity – and yeah, I didn’t really know what I was going to say so I thought go with the facts. The lady I spoke to was upset, but I knew I could help. Sunday disappeared in a blur – calls, emails, web forms – within a very short space of time, the leaked data was removed from the net and a Police report filed.

Why ?

Why would I give up my Sunday – one of the few days I get with my kids to help some tiny charity who had been attacked ? The answer is quite simple. This is what I do. I help people when they have been attacked, I dig and I find and I sort out the mess.

And in this case, they were saved from ICO fines, the data was protected as best as possible and the charity continued.

Around Christmas I saw a post on their Twitter account that a new website was launched and there was also good news with regards to treatments in their specific area. It really did give me such a great feeling to know that a few days of my and my colleagues time resulted in them continuing. It felt great and I sent them a quick note to wish them well.

Today is Saturday and I have just checked my email to receive some of the best news ever. I have quoted it in full below.

Why a sledgehammer can’t smash our butterfly
A personal letter to members from CEO, Liz Glenister

On a Sunday morning in early April last year, the phone rang. I didn’t recognise the number so I let the answer phone pick up. ‘Hello, my name’s Stuart Coulson and I’m calling from a company called Secarma….’ which he proceeded to spell out. ‘Great, a cold caller on a Sunday morning!’ I thought and was heading downstairs when I heard the words ‘…..and your Twitter account has been hacked.’ Was this for real? I hesitated. ‘I’m an Information Security Professional and your patient database has been leaked.’ My blood ran cold. ‘Look up LulzsecWiki on Twitter; I’m afraid you’ve got a pretty big issue going on here.’ I picked up the phone and was launched into a nightmare that lasted 4 months.

Hacked off

Lulzsec are a notorious hacking group, an offshoot of the Anonymous collective, who hack for the ‘lulz’ or laughs but it was about as far from funny as you can get for us. The group had closed down the CIA server that very same morning – which did at least make us feel that maybe we couldn’t have been any more careful. They hacked into our patient database (apparently under the impression that it was a UK hospital database as part of an ongoing April Fool raid on the NHS), dumped the information (user names, passwords, medical details etc) in a site called Pastebin and then posted the link on their Twitter account, announcing the deed to the world with the word ‘Enjoy‘. I was completely shocked and devastated. As was Ivor, our webmaster, and the executive committee. We have always taken the security of our members very seriously indeed and were extremely worried. We barely slept for the next week as we took every step possible to track down and remove data, inform and protect our members.

Wonderful webmaster

We were supported at this point by our wonderful webmaster, Ivor Humphreys. Ivor has given years of his time to us voluntarily and had to shoulder this burden while driving miles back and forth to care for his mother who was severely ill. He was a complete and utter star. It was an extremely stressful and difficult time involving a huge amount of work but Ivor left no stone unturned and saw us safely through to recovery. We will always be grateful for his loyalty, his dogged persistence and especially his uplifting humour.

Superheroes to the rescue

We discovered that there was an entire community out there that we had not known existed and to whom we owe everything: the information security professionals. They are truly the superheroes of today, looking out for us and guarding against hackers. They had already taken steps themselves and we worked with them over the months, being guided through a quagmire of legalities and technicalities and out the other side. We had a massive amount of support from professionals who appeared out of the blue like this to offer help and advice. I would like to take this opportunity to publicly thank everyone who helped us and gave so freely of their expertise and time, particularly Stuart Coulson of SECARMA , online security specialists http://www.secarma.co.uk/about.html and James Cleeter of the Computer Security and Incidence Response team for JANET, the UK’s network for education & research communities https://www.ja.net/about-janet/about-us. I had an email from Stuart at Christmas whose personal delight in seeing us get back up and carry on I found very touching. Without him we probably wouldn’t be here. There are a lot of good guys out there too!

All these agencies were horrified that a small patient support charity had been so unusually targeted in this way and many articles appeared in both IT and healthcare press about the incident. You can read a typical summary here in PHIprivacy.net which reports and investigates health and medical related privacy breaches http://www.phiprivacy.net/uk-support-organization-hacked-data-leaked/. Thank you to author ‘Dissent‘ who moved fast to highlight our plight.

New forum

So then began the arduous task of choosing, and setting up a new forum. For this I would like to thank Ivor Humphreys, for the initial phase, and Mandy Mainland, forum administrator, and Su Clifton and Lisa Burke, forum moderators who worked long and hard to see it through to going live as swiftly as possible. They did a really fantastic job. We chose to look on this enforced shut down as an opportunity for positive change and we think the new forum is greatly improved! We hope you like it. Although each of you has received an email about it, not everyone who had registered on the old forum has yet re-registered on the new one so if you would like to show your support for all our work we’d be really pleased if you would go and sign up now. www.hypopara.org.uk/board.

Further to this is also this poem (I’ve never had a poem about me before!).

Hacked Off
Su Clifton

We came across some hackers
I won’t reveal their name
Hacking on the internet
What a pointless claim to fame

They saw our little website
And thought ‘oh how divine
Lets rummage through their details
Then we’ll post them all online’

Secarma was our saviour
To guide us through this mess
Like knights in shining armour
To our damsels in distress

Stuart Coulson helped us out
Thank you most sincerely
Now no fine from ICO
That would have cost us dearly

Beefed up our security
Got a brand new forum
Usernames and passwords safe
All moderators awesome

So if you are a hacker
Please leave our site alone
We ask you most politely
As to us it feels like home.

So why do I do what I do ?

The arrival of this news today in my inbox helped my to finally write this blog. It is something I have tried to do several times before, but it is a difficult topic. Who you are.

So … why do I do what I do ?

Well the answers are many; for the love of it, because I care. But the most important one surely is because I can and so I do. I will always have a hand in security – my kids have amazing passwords, my 10yr old can pick locks. I’m building a secure future there. Just spreading the message by one person just helps to make the world safer. Even if it is one person at a time.

I’m hoping my blog hits home with some of the security community and maybe spur you to see what you can do to help small charities around you. Free vulnerability scan ? Quick 2 day pen test ? Protect a small charity that is fighting to get its voice heard ? Pro-active protection to help the little man from the cruel criminal community.

 

I wish the Hypopara supporters and team all the best wishes for the future. The new site looks great and with the leaps in the Natpara treatment, it looks like the charity has a bright future. You really are an amazing team and your incident response was second to none. You really did a great job. Genuinely humbled by you all. Thank you.