GetCash from NatWest

It has been four or five months since NatWest launched a new function in its mobile phone app – GetCash. The goal is to allow customers withdraw cash from NatWest’s ATMs without a debit or credit card. The app will receive a six digit code that customers can type into an ATM and get as much as £100 at a time. I am not sure how useful it is as I personally forget my mobile phone more often than my wallet but it appears that some crooks found it very useful indeed.

Of contraseñas, סיסמאות, and 密码

Over a year ago, we blogged about a bug at Gawker which replaced all non-ASCII characters in passwords with ‘?’ prior to checking. Along with Rubin Xu and others I’ve investigated issues surrounding passwords, languages, and character encoding throughout the past year. This should be easy: websites using UTF-8 can accept any password and hash … Continue reading Of contraseñas, סיסמאות, and 密码

The science of password guessing

I’ve written quite a few posts about passwords, mainly focusing on poor implementations, bugs and leaks from large websites. I’ve also written on the difficulty of guessing PINs, multi-word phrases and personal knowledge questions. How hard are passwords to guess? How does guessing difficulty compare between different groups of users? How does it compare to … Continue reading The science of password guessing

Three Paper Thursday: Binary analysis and Security

Mention the phrase “binary reverse engineering” or “binary analysis” and it often conjures up an image of software pirates or hacking groups. However, there are practical reasons for doing analysis on machine code. For instance, machines don’t run source code, they run machine code – how do we know it’s running correctly? Malware doesn’t usually come with source code (but they are known to leak on occasion); How do we protect our software from discovered vulnerabilities if we’re unable to re-compile the program from the original source code? For three paper Thursday this week, my contribution is to highlight three representative security applications of binary analysis, namely software testing, malware analysis and software protection.

Another Gawker bug: handling non-ASCII characters in passwords

A few weeks ago I detailed how Gawker lost a million of their users’ passwords. Soon after this I found an interesting vulnerability in Gawker’s password deployment involving the handling of non-ASCII characters. Specifically, they didn’t handle them at all until two weeks ago, instead they were mapping all non-ASCII characters to the ASCII ‘?’ … Continue reading Another Gawker bug: handling non-ASCII characters in passwords

Encoding integers in the EMV protocol

On the 1st of January 2010, many German bank customers found that their banking smart cards had stopped working. Details of why are still unclear, but indications are that the cards believed that the date was 2016, rather than 2010, and so refused to process a transaction supposedly after their expiry dates. This problem could … Continue reading Encoding integers in the EMV protocol

When Layers of Abstraction Don’t Get Along: The Difficulty of Fixing Cache Side-Channel Vulnerabilities

(co-authored with Robert Watson) Recently, our group was treated to a presentation by Ruby Lee of Princeton University, who discussed novel cache architectures which can prevent some cache-based side channel attacks against AES and RSA. The new architecture was fascinating, in particular because it may actually increase cache performance (though this point was spiritedly debated … Continue reading When Layers of Abstraction Don’t Get Along: The Difficulty of Fixing Cache Side-Channel Vulnerabilities

The role of software engineering in electronic elections

Many designs for trustworthy electronic elections use cryptography to assure participants that the result is accurate. However, it is a system’s software engineering that ensures a result is declared at all. Both good software engineering and cryptography are thus necessary, but so far cryptography has drawn more attention. In fact, the software engineering aspects could … Continue reading The role of software engineering in electronic elections