Author Archive
Posted by Craig H on 2 May 2017
I was recently asked by the GSMA to undertake an independent study looking at the security of various LPWA (Low-Power Wide-Area) network technologies. I took on the project because I find it a very interesting topic; these types of network are targeted at IoT (Internet-of-Things) devices, an area I have been working on over the last couple of years with IoTUK and the IoT Security Foundation. One of the main challenges of the IoT space is in making trade-offs to accommodate low-power and low-cost devices, and security is one of the things that might be traded off.
You can download the 20-page report here.
Read the rest of this entry »
Posted in Cryptography, Internet of Things, Network Protocols, Risks | 1 Comment »
Posted by Craig H on 3 November 2015
Today we’ve launched a new web site, enigmamug.com, and an associated CafePress store. The idea is that you enter your name, or whatever other word(s) you might like on a mug, it creates a design in the style of the Enigma machine logo and you can then (if you like it!) buy a mug with that design from CafePress. We have other designs also in the store: Enigma machine pluboards, with or without the plugs and cables, which we think look pretty good wrapped around a mug.
Read the rest of this entry »
Posted in Amusement, Bletchley Park, Cryptography, Enigma | Leave a Comment »
Posted by Craig H on 14 October 2015
Recently we’ve taken on a client with immense experience of IT product development but not so much experience with computer security. A report I am writing for them starts by defining terms, to avoid possible confusion; I thought I’d also write this article to discuss more generally why “threats”, “risks” and “vulnerabilities” deserve specific definitions in that context.
Read the rest of this entry »
Posted in Terminology | Tagged: architecture risk analysis, cybersecurity, threats | Leave a Comment »
Posted by Craig H on 29 August 2015
I don’t usually post Windows tips and tricks, but I thought this might be useful as I haven’t seen it mentioned anywhere else. Briefly, the Windows 10 Print to PDF support doesn’t allow custom page sizes as it comes, but there is a simple way to enable it.
Read the rest of this entry »
Posted in IT Tips | Tagged: PDF, Printing, Windows 10 | 76 Comments »
Posted by Craig H on 2 May 2015
An often neglected, but crucial, part of Bletchley Park’s work in World War II was the vast amount of data processing done using punched cards on Hollerith machines. The department which did this was called the “Freebornery”, at first located in Hut 7 (since demolished) and later in Block C (recently restored as the new visitor centre).
There has been very little detail published on the day-to-day operations of the Freebornery, so I recently visited the National Archives and made a copy of a typewritten document they hold: “The Use of Hollerith Punched Card Equipment in Bletchley Park”. With their kind permission, we are now publishing the text on our wiki for the benefit of researchers and other interested readers.
Read the rest of this entry »
Posted in Bletchley Park, Enigma | Tagged: Bletchley Park, data processing, Hollerith machines, punched cards | 1 Comment »
Posted by Craig H on 7 August 2014
A few years ago I gave talks at Open Tech and Over the Air, including some mobile security ideas that phone manufacturers were unlikely to implement. One of those ideas was what I called “notarised call recording”, being a way to hold utility companies to account for what they promise you in telephone calls.
I was listening to the BBC’s You and Yours radio programme yesterday (on my way to Bletchley Park, as it happens) and was delighted to hear some aggrieved customers using the UK Data Protection Act (DPA) to get their utility company to supply them with call recordings. The company in question has complied, including a recording which clearly proves that they did promise what they subsequently denied!
Read the rest of this entry »
Posted in Data Protection Act, Data Rights | Tagged: DPA, subject access request | Leave a Comment »
Posted by Craig H on 16 August 2013
Having proved the concept using netcat, we need to add access control and make it accessible via a discoverable external address. The design is essentially the same, running the video capture command on the Pi and routing the output stream over IP to a remote client, but we use ssh (Secure SHell) as the transport to add authentication and encryption.
The first thing to do before exposing your Pi to the outside world is: change the default password! With Raspbian, the default admin user name and password is “pi” and “raspberry”. You should change the password to something that’s not based on a name or word that could be found in a cracking dictionary; best would be a randomly generated password that you write down and keep with you, or you can use initial letters of words in a sentence you can remember but others can’t guess. For extra security you could change the name of the admin account too.
Read the rest of this entry »
Posted in Authentication, Cryptography, Open Source | Tagged: Raspberry Pi, video streaming | 6 Comments »
Posted by Craig H on 16 July 2013
I had security concerns over installing a wireless webcam to keep an eye on our goldfish. Such things are available cheaply off the shelf, typically manufactured in China, but I’m not willing to put a device of questionable provenance on our Intranet, especially not with a direct channel out to a server in China.
I started thinking about using a Raspberry Pi and Skype as an alternative solution. As (most of) the software would be open source, that way I would only have to trust Microsoft and the NSA not to interfere with the Skype server ;-).
My Raspberry Pi camera module didn’t arrive until this week (the first production run sold out almost immediately back in May) and, unfortunately for the plan, Microsoft have turned off the ability to register a Skype developer account in the meantime :-(. Read the rest of this entry »
Posted in Open Source, Risks | Tagged: Raspberry Pi, video streaming | 4 Comments »
Posted by Craig H on 29 May 2013
I had fun presenting at the DC4420 security meetup in London yesterday. The topic was “Security Lessons from Bletchley Park and Enigma” and the slides are now up on SlideShare.
We covered how the Enigma machine works, how Bletchley Park exploited German mistakes, and the five lessons I picked out were:
- Cryptosystems have subtle flaws
- Plan for key compromise
- Users pick poor passwords
- Pick a good RNG and trust it
- Don’t underestimate the enemy
Read the rest of this entry »
Posted in Cryptography, Enigma | 6 Comments »
Posted by Craig H on 10 April 2013
Last month I was pleased to attend the BSIMM Europe Open Forum. BSIMM is a model for assessing software security activities within an organisation; I have been following it since its first release in 2009, and over the last several months I’ve been able to use it in earnest at Visa Europe.
For me, the most interesting discussion at the forum was on presenting BSIMM assessment results in a visually compelling way. The BSIMM document uses spider charts, which hide potentially valuable information about activities at lower maturity levels. Sammy Migues presented a format he uses at Cigital, called “equalizer diagrams”, which reveal that information but lack the comparison with a benchmark.
I decided to ask Louise (the other half of Franklin Heath) about this, as data visualisation is one of her principal skills. We’ve come up with something I like to call a “DIP switch diagram”, which I will explain in this post. Read the rest of this entry »
Posted in Software Security, Visualisations | 1 Comment »
Franklin Heath Ltd 