The use of SMS (Text Message) to deliver a One Time Passcode (OTP) is not recommended.

12 February 2020

Using a text message (SMS) to deliver an authentication or security token to a user has been useful in the past. It is still used in many systems, but we need to phase this method out.

Messages are transmitted across the global SS7 network, and there is no encryption, authentication, or integrity protection on the SS7 network. Access is limited (mainly to telecom operators, but wider access is developing). A few malicious actors have been detected on this network, and this threat is growing.

The more common attack method at the moment is to social engineer the mobile operator into doing a SIM swap, and mobile operators have a poor security record in protecting customers against number takeover attacks.

While it is the mobile operator that is attacked here, there is little incentive for them to protect customers against it, as their business is not affected. This has been the main mechanism of SMS OTP compromise so far.

The responsibility falls to system designers not to rely on SMS to securely deliver these messages.

You can use email to transport the OTP, or an encrypted messaging service such as WhatsApp, Signal or Telegram, as an alternative to SMS.

The use of a time-based OTP is recommended; this should conform to the RFC 6238 standard. Google Authenticator is a widely assessed and recommended tool for this.

Attacks and exploitations reported

https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/

https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/

https://bitcoinmagazine.com/articles/investor-lawsuit-brought-against-t-t-mobile-sim-swapping-hacks/

https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

https://thehackernews.com/2016/07/two-factor-authentication.html

PCI DSS Standards

https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf

Use of SMS for Authentication

PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry. While NIST currently permits the use of SMS, they have advised that out-of-band authentication using SMS or voice has been deprecated and may be removed from future releases of their publication.


Winter book suggestions

29 December 2019

Book reading by the fire

Holiday Book Guide 2019

Here is my annual reading suggestions list from things that I have read this year, and a few suggestions from friends. Please add your own suggestions in the comments.

“Radicalized” by Cory Doctorow.

Cory is an activist with the Electronic Freedom Foundation (EFF) and some of that is reflected in his stories. In this there are 4 separate stories of the near future where the consequences of some of the current laws are played out. What if your toaster was like an iPhone, so you could only toast approved bread? What if Superman came in and just stopped discrimination, would that solve anything? What would happen if the predictions of “preppers” came true, would they be better placed to survive in a post-apocalyptic world?
https://craphound.com/category/radicalized-full/

“Good Omens” by Neil Gaiman & Terry Pratchett.

I have not read much Terry Pratchett, and only a bit of Neil Gaiman, but I picked this up when I heard about the BBC series of the book. Really enjoyed the dry humour and story. Read it before you watch the rerun of the BBC series.
https://www.neilgaiman.com/works/Books/Good+Omens/

“Rendezvous with Rama” by Arthur C Clarke.

I first read this many, many years ago, and picked it up to re-read this year. What a wonderful story. And with the amazing scientific rigour that allows a great space story without having to invent impossible things like warp drives, ray guns and teleport machines. Why hasn’t this been made into a film?
https://en.wikipedia.org/wiki/Rendezvous_with_Rama#Film

And here are some suggestions from my friends.

Matt Kemp

“The End Is Always Near” by Dan Carlin.

A superb history of apocalypse, suffering and extreme human situations throughout history. A must if you’re a history buff, and it makes you think about the world today.
https://en.wikipedia.org/wiki/Dan_Carlin

“The Storm Before The Storm” by Mike Duncan.

If you’re interested in the Roman Empire, this is a thorough take on the period prior to the downfall of Rome. An appreciation of what it took to be at the top of a society where everyone is striving to get their name set into history.
https://en.wikipedia.org/wiki/Mike_Duncan_(podcaster)#The_Storm_Before_the_Storm

“Invisible Women” by Caroline Criado-Perez.

An absolutely superb book about the gender data gap. Explores how a society dominated by men designs everything for men.
https://en.wikipedia.org/wiki/Caroline_Criado-Perez

Oh, I read Birdsong recently. I know it’s on all the lists of books to read, but it is bloody brilliant.
https://www.sebastianfaulks.com/book/birdsong/

Mark Sutton

“The Order of Time” by Carlo Rovelli.

Very accessible perception altering book on the nature of time and how fundamental it is.
Gives a good background from classical to quantum and includes philosophical perspectives from Aristotle etc.
https://en.wikipedia.org/wiki/Carlo_Rovelli

“A Gentleman in Moscow” by Amor Towles.

A historical fiction about a Count sentenced during the revolution to spend his days in a Moscow hotel. Amusing, easy-going book with something of everything.
http://www.amortowles.com/gentleman-moscow-amor-towles/

Nigel Worthy

I’ve been very intellectual and reading the Bernie Gunther series by Philip Kerr this year. Very much detective/action, set in Hitler’s Germany and post-Hitler; he’s a German detective and then SS intelligence officer (hates Nazis), then escapee to Argentina. Interesting history elements and perspective from a non-Nazi. Set between the 1930s and 1950s. Easy reading, though some heavy and disturbing bits. Fiction, of course.
https://berniegunther.com/


Letter to Mr John Howarth MEP

21 March 2019

With the coming calamity that is the Directive on Copyright in the Digital Single Market, and Article 13 and Article 11, I wrote to a number of MEPs asking for their support in ensuring that this does not pass. Most were supportive, but Mr John Howarth MEP replied with a lot of rubbish. I have copied my reply to him below. Please do write to your MEPs about this issue.

Dear Mr John Howarth MEP

Thank you for your reply, but with respect I think you are very wrong about the effect of the Directive on Copyright in the Digital Single Market, and Article 13 and Article 11, that is before you. You made a series of claims on which I think you are wrong. I respectfully ask you to reconsider your position.

On 21/03/2019 13:41, John Howarth MEP wrote:

Among all of this, claims have been made about the proposed legislation that are wildly exaggerated or simply untrue. The implementation of updated copyright legislation will NOT end the internet as we know it.

No, it will not end the internet, but it will seriously change it. As the internet is now the means of communication and organisation for society the dominance of the giant companies will shape the internet in ways that support their business, not be a conduit for social change. Article 11 imposes a tax on linking. The link is a fundamental part of the internet, taxing and restricting this will change the internet in ways we cannot predict, but probably not good ways.

It will NOT constrain or unduly limit ‘free speech’,

And this is my main point. Upload filters are a pre-restraint on speech. A fundamental right. This amounts to institutional censorship of the internet. Who will police the upload filters to ensure that they are not over-blocking? There will be no penalty for falsely claiming copyright on a work in the blocking list. This is designed to promote over-blocking.

It gives more power to the vested interests that are already using the current powers to limit free speech. The notice and take-down requirements are repeatedly used to claim copyright in content and force unpalatable content off the internet. Are you a regular contributor to YouTube? If you are, you will know that your uploads are randomly taken down because of spurious copyright claims, or because you have accidentally incorporated some background music that has been detected. Here are some links to documented abuse of Notice and Take-down:

https://www.takedownabuse.org/
https://www.eff.org/wp/unsafe-harbors-abusive-dmca-subpoenas-and-takedown-demands
https://iamstevein.files.wordpress.com/2019/02/free-speech-and-dmca-abuse.pdf

it will NOT place an unreasonable burden on the internet giants who have put significant time and effort into misleading people because they believe it threatens their super profits.

Yes, here I agree with you that the large companies will not be unduly affected. It will cement their market dominance, and any smaller company that grows above the threshold will suddenly have to implement filters at huge expense. Nobody will be able to challenge the dominant players and this will stifle innovation.

It will not “outlaw memes”, it protects and defines the notion of satire and parody (which, by the way, were not in any way protected in the outdated copyright regimes that have applied till now). Exceptions set out in the legislation protect free academic enquiry, small businesses and bloggers.

I welcome the exceptions for academic research in Article 4, but even here copyright claims (false or valid) will affect everyone; there will be no way to turn off the upload filters just because you are doing research, or your usage is satire or parody. You will have your upload blocked and will have to go through a lengthy process to obtain remedy. Upload filters give a presumption of guilt.

I do not believe that the legislation in any way limits the ability of the open source software community to continue to trade on the business model it has operated for some time – in other words the ‘sharing economy’ will continue to do just fine. The monopolistic platforms benefit from this “free internet”, however the fact is nothing is “free” – someone always pays, whether through collection of personal data in exchange for access or by the exploitation of their work.

Well, that is not the view of GitHub, perhaps the largest open source community on the internet, even though the latest version seems to have a very explicit exception for open source software.

https://github.blog/2019-02-13-the-eu-copyright-directive-what-happens-from-here/

Yours sincerely

Stuart Ward


Reading Repair Cafe poster

14 January 2019

Reading Repair Cafe 2019 Dates


I help run the Reading Repair Cafe. As always with these things, the effort of actually running the event is small compared with the effort of organising and promoting. So, for anyone reading this in and around Reading, it would help if you could put up a poster. Either click on the picture above to get an A4 version to print out, or come along to an event where I have lots of A5 versions.


Book recommendations for 2019

4 January 2019


Last year I posted my holiday reading recommendations, both from me and those I work with. This year I have not had the same level of response from the team, but most of them are new this year. So I am posting again here in the hope that the ex-team can again come up with some good suggestions in the comments.

I hope this will prompt you to add your own recommendations. It doesn’t have to be a book published last year, just one you have read and recommend.

The Long Earth, Terry Pratchett & Stephen Baxter

I am not a big Pratchett fan, but I have read a few. I have read a few Stephen Baxter books and quite like them. In this book I think you get the best of both of them: the wild speculation of Baxter, and the crafted prose of Pratchett. Be careful, as there are a further 4 books in the series.

https://en.wikipedia.org/wiki/The_Long_Earth

If the Universe Is Teeming with Aliens… Where Is Everybody? Seventy five Solutions to the Fermi Paradox and the Problem of Extraterrestrial Life, Stephen Webb

There is a simple paradox, first articulated by the physicist Enrico Fermi: the contradiction between the high probability of extraterrestrial life and the lack of evidence for it. See Wikipedia for an introduction. This is a fun romp through a lot of issues, and on the way Webb offers up all the solutions to the Fermi Paradox he can find, and mostly debunks them.

https://books.google.co.uk/books?id=QWKyrQEACAAJ&redir_esc=y

Things to Make and do in the Fourth Dimension, Matt Parker

I am a fan of Matt Parker’s YouTube channel standupmaths. I also went to the show Festival of the Spoken Nerd this year when it was on in Reading. This is a fun romp through some interesting mathematics. No, maths doesn’t have to be boring, and Matt is on a mission to make it approachable and fun.

https://makeanddo4d.com/

17 Equations that changed the world, Ian Stewart

OK, so there is a bit of a maths theme to my recommendations this year, but this really is a must read. Ian Stewart starts each chapter with an equation, and then goes on to give a history around it and how it has changed our world. He starts simple with Pythagoras, Einstein’s E=mc^2, and Newton’s law of gravity. If you want to understand our world then you need to have some understanding of the maths behind it.

https://profilebooks.com/seventeen-equations-that-changed-the-world.html
https://ianstewartjoat.weebly.com/equations.html


Book and Audio book recommendations from Me and my Team

10 January 2018

Discussing good book (and audiobook) recommendations: here are my recommendations, and those added by my team at work.

Walkaway by Cory Doctorow

What really happens in a disaster: people help each other, but there is still plenty of disagreement. Set in the near future.

Daemon by Daniel Suarez

As the book starts the main character is dead, but then his retribution starts. The title refers to a Unix Daemon…

Ready Player One by Ernest Cline

When online game worlds become the world, with a nostalgic tour through the game worlds of the past. Read the book in preparation for the film next year.

Mark Sutton

Listen to This by Alex Ross (Recommend Audio Book)

Music correspondent of the New Yorker, accessible insights into how to listen to music from Bjork to Beethoven.

Salka Valka by Halldór Laxness

Sean Wiles

Red Rising by Pierce Brown

Earth is dying. Thousands of workers, who live in the vast caves beneath Mars, mine the precious elements that will make the planet habitable. They are Earth’s only hope. Until the day Darrow learns that it’s a lie. Mars has been habitable – and inhabited – for generations. Darrow disguises himself and infiltrates their society, intent on taking them down. But the surface is a battlefield – and Darrow isn’t the only one with an agenda.

Alone in Berlin by Hans Fallada, Michael Hofmann (translator)

Berlin, 1940. The city is paralysed by fear. But one man refuses to be scared. Otto, an ordinary German living in a shabby apartment block, tries to stay out of trouble under Nazi rule. But when he discovers his only son has been killed fighting at the front he’s shocked into an extraordinary act of resistance and starts to drop anonymous postcards attacking Hitler across the city. If caught, he will be executed.
Soon this silent campaign comes to the attention of ambitious Gestapo inspector Escherich, and a murderous game of cat-and-mouse begins. Whoever loses, pays with their life.

Wool by Hugh Howey

An epic story of survival at all odds and one of the most anticipated books of the year. In a ruined and hostile landscape, in a future few have been unlucky enough to survive, a community exists in a giant underground silo. Inside, men and women live an enclosed life full of rules and regulations, of secrets and lies. To live, you must follow the rules. But some don’t. These are the dangerous ones; these are the people who dare to hope and dream, and who infect others with their optimism. Their punishment is simple and deadly. They are allowed outside. Jules is one of these people. She may well be the last.

Ender’s Game by Orson Scott Card

Ender Wiggin is Battle School’s latest recruit. His teachers reckon he could become a great leader. And they need one. A vast alien force is headed for Earth, its mission: the annihilation of all human life. Ender could be our only hope. But first he must survive the most brutal military training program in the galaxy…

Foundation by Isaac Asimov

Long after Earth was forgotten, a peaceful and unified galaxy took shape, an Empire governed from the majestic city-planet of Trantor. The system worked, and grew, for countless generations. Everyone believed it would work forever. Everyone except Hari Seldon.

Matt Kemp

Non-fiction:
The Rise and Fall of the Third Reich by William L Shirer

Excellent account of the Nazi regime taken from Nuremberg Trial papers and interviews, letters and telegrams during the war from the Nazi and Allied vaults. Warning LONG!

D-Day Through German Eyes (1 & 2) by Holger Eckhertz

Excellent account of D-Day from a German perspective, via interviews with German troops and narrative.

I have many more war related ones I’ve read if you’re interested.

A Short History of Nearly Everything by Bill Bryson

Excellent run through of scientific history and discovery.

Anarchism: A Collection of Revolutionary Writings by Peter Kropotkin.

A little hard going, but interesting views on society and anarchism.

Fiction:

Norse Mythology by Neil Gaiman

Fantastic re-telling/re-interpretation of a lot of short Norse mythologies. Good fun

Enchantress (The Everman Saga Book 1) by James Maxwell

Some excellent fantasy reading and part one of a decent series.

The Odyssey by Homer; Alexander Pope

The classics are the best.

Ice Station by Matthew Reilly

1st in a series of absolutely mad crazy-paced action novels. Reilly books barely leave the action for a split second and something to read if you want a break from something heavier.

Nigel Worthy

Some I’ve enjoyed this year ………

Haruki Murakami – Norwegian Wood  (or anything by Murakami)

Ted Chiang – Stories of your life and Others

Neil Gaiman – The Ocean at the end of the Lane.

Mikhail Bulgakov – The Master and Margarita

Kazuo Ishiguro – The Buried Giant

Fyodor Dostoevsky – Crime and Punishment, The Karamazov Brothers

Michael Faber – The book of small things

William Gibson – All his books!

Claire North – The first fifteen lives of Harry August   (recommended to me by Jo-Anne and it’s excellent!)

Plato – The Republic

David Mitchell – The Bone Clocks

Brian Krebs – Spam Nation

Jonas Jonasson – The one hundred year old man who climbed out the window and disappeared

Bogdan Dragomir

Here’s one I know you’d enjoy Be Fast Gone Critical Management. Don’t let the title mislead you it is far from being a boring project management book.

In the same vein I would mention The Phoenix Project
A novel about Agile development methods and Dev-Ops, that is not boring.

Petros Theodorakis

I am currently reading Off to be a wizard which is fun. It’s supposed to be something between “Ready player one” and Terry Pratchett’s fantastic books. Being a comics collector since a kid (a long time ago in a galaxy NOT far far away…)

I would also recommend Rock candy mountain.

And after that I am planning to read The Four

Chris Tommasi

I missed this list but thought to add for fun…

some GREAT looking recommendations from everyone… thanks

Matt – the odyssey; wow heavy… good call but heavy dude, well done

to expand Sean’s suggestion to Asimov Foundation (presume series, great btw, thumbs up) to include the Robots Series (Caves of Steel, Naked Sun etc)

Nigel’s great nod to Gibson… and to push it forward. if adventurous then the Shadowrun novels (some hit and miss with different authors) bring a fun blending of cyberpunk and magic…

Add to that a couple of my all time favourite novels… Neal Stephenson’s Snow Crash and Diamond Age (I could gush over this novel all day long) – but if you’re after a little less cyberpunk and more cyber then Cryptonomicon

Petros (the four looks interesting) you mentioned Pratchett – love it or hate it, it’s all good… if you do like that type of thing the BBC has recently re broadcast the radio version of Good Omens a fun collaboration with Neil Gaiman (book is better, but radio fun light listen)

talking radio

finally, if I’ve not forced this on you before then try out Patrick Rothfuss: The Adventures of the Princess and Mr. Whiffle he reads it here (skip to 39:40’ish), it’s only about 10 minutes, but you need to watch, something short but fun to get your teeth into


End to End encryption under attack

30 March 2017

UK Home Secretary, Amber Rudd

During the consultations on the #SnoopersCharter or the Investigatory Powers Bill we were assured that there were no plans to break end to end encryption. And now, with the most minor of incidents, of a single misguided individual, killing fewer than an average day of road traffic in the UK, that is being called a terrorist attack, we should give up all our privacy.

Thursday 30 March 2017

Dear Alok Sharma,

You wrote to me on 17 November 2015 (ref: CRM12097) in respect to my concerns over the Snoopers Charter aka Investigatory Powers Bill (now an Act).

In that letter you assured me that: “However the Government does not advocate or require the provision of a back-door or support arbitrarily weakening the security of internet applications and services in such a way. Such tools threaten the integrity of the internet itself.”

https://stuartward.wordpress.com/2015/11/26/reply-from-alok-sharma-on-ipbill-snooperscharter/

The comments by the Home Secretary, Amber Rudd, directly contradict that position. She is calling for messaging applications to be provisioned with back-door access.

I and other security professionals keep telling you it is not possible to safely provide back door access to encryption systems.

https://www.schneier.com/academic/paperfiles/paper-keys-under-doormats-CSAIL.pdf

This extraordinary level of access must require extraordinary evidence that it is necessary. At the moment there is no evidence that access to this data would have any material effect on the outcome of the recent criminal attack in Westminster, nor any other situation.

Calling a misguided individual a terrorist only inflates the situation and causes fear. Let’s keep things in perspective.

Yours sincerely,

Stuart Ward