Eufy leaking your private images/faces & names... to the cloud. Paul Moore 2022-11-23 | I purchased a Eufy Doorbell Dual last week - believing it to be a private, locally-stored device. Eufy go to great lengths to convince you it's safe and accessible to you and only you.The reality however, is totally different. I don't have cloud support
Eufy doorbell - Another privacy failure... Paul Moore 2022-11-25 | Eufy have now admitted uploading pictures, faces & names from your device without your consent, straight to the cloud. They say that once deleted, they're removed automatically from AWS.This is also a lie.They also claim that deleting the account complies with GDPR and automatically deletes all cloud-based footage. That too, is a lie.
Cyber Wales CTF Cluster 14th April 2021 - A how not to solve XSS guide. Paul Moore 2021-07-15 | Two amateurs try to explain & solve XSS and fail miserably.DO NOT follow advice within this video. This is NOT OWASP grade content.Fundamentals:If you're trying to solve XSS on input, you don't understand the problem you're trying to solve. XSS is the process of escaping the current OUTPUT context and entering another. You can not safely sanitize inputs, as you've no way of knowing where that data will later be output; and that's the context that matters.Validating inputs, sanitize outputs.Clangers & Screw Ups:12:59 - John (Director at Pervade, "joking" that he'd alter a pen test report so basic flaws like this wouldn't appear - many a true word....)14:10 - Lacks basic understanding of IFRAMEs. Tries to load sites on the wrong protocol & sites which expressly prohibit framing with CSP (bbc, google etc).30:00 - Jeez, literally clueless. Seems to think javascript won't execute after a page has loaded, so "no dynamic stuff".31:00 - Seems to think this XSS attack is happening "server side" and because it is, we can now "insert code which does something"31:24 - This isn't being "executed" by the server, what is he talking about?32:03 - Genuinely believes a client-side language is being executed on the server. Is PHP node now?33:25 - Just throw htmlspecialchars at everything - job done. Forget quotes, forget context - but at least he's doing it on output.34:07 - Immediately renders the fix useless by running it against the inputs, not the output. This demonstrates a fundamental lack of understanding.34:33 - Oh good lord, they're using the same technique for SQL injection mitigation!34:54 - "We can now get more advanced" - Please do, this is cringe-worthy so far...--- ADVANCED (BUT EQUALLY STUPID/INEFFECTIVE) STUFF ----At this point, he moves away entirely from XSS mitigation and explains how to carry out basic input validation. This isn't necessary to protect against XSS.35:15 - Using regex (preg_match) to find "the bad characters". Bad characters in what context? Again, missing the point entirely.38:10 - "Sanitize our inputs so it can't do anything dangerous to us" - Sigh38:32 - "We can also replace the bad characters" - This guy is the Director of Pervade, a "professional" company which provides apps for the Police, NHS etc. Think about that for a moment.40:15 - Demonstrating a "stored XSS" attack - with fails aplenty.47:00 - "You can do that on any page on the planet. There's actually no way for me to stop you doing that" (referring to inline XSS). Again, fundamental lack of understanding of basic security controls. A CSP (Content Security Policy) header is literally designed to protect against attacks like this, but it's the same CSP he couldn't figure out whilst trying to embed an IFRAME earlier.48:55 - Genuinely seems to think he has to alter his code syntax to allow different inputs. HAHA53:28 - Me asking him to demonstrate how to protect against XSS in his own code - he REMOVES THE BAD CHARACTERS! Writes software for Police/NHS remember!56:13 - "To secure it, once again, it's one word - same as SQL injection" - Christ above. I give up.1:05:30 - I ask him to explain how an application which requires characters which allow XSS, can protect against it. He goes on to explain nested ifs, database calls etc. An IF statement for every possible input - seems scalable!1:09:50 - A glimmer of hope - "You can actually do this on the other side" - Referencing output encoding, which is actually how it should have been done an hour ago.
CyberAlarm - Production Build (05-10-20) - RCE PoC Paul Moore 2020-12-02 | CyberAlarm is "secure", they said. You are "entirely wrong", they said. "You can't obtain internal company information from behind a firewall", they said.Please, don't run CyberAlarm on your network.
Disabling paste on password fields does NOT break password managers. Paul Moore 2017-02-03 | For longer than I can remember, people continue to push the false notion that disabling "paste" on password fields breaks password managers. As this video demonstrates, it's a myth... at least with the top 4 (Dashlane also tested, worked fine).
Virgin Media Gadget Rescue - Fixing Poodle (Short Version) Paul Moore 2016-03-01 | Over the last few months, Virgin Media have been writing to customers it believes are vulnerable to Poodle; an exploit against the SSL & TLS protocols. Apart from removing my telephone number & postcode, this is an unedited recording of how they attempted to fix it.Suffice to say, it didn't go well. They not only ignored my request not to install any software (java, flash, adblock+, silverlight etc) but completely failed to fix Poodle.This is the heavily shortened version. The full version (at 2hrs 10 minutes long) is here: youtube.com/watch?v=NwQojoLaxyA and is only edited to remove the phone number & postcode.
Virgin Media Gadget Rescue - Fixing Poodle (In Full) Paul Moore 2016-03-01 | Over the last few months, Virgin Media have been writing to customers it believes are vulnerable to Poodle; an exploit against the SSL & TLS protocols. Apart from removing my telephone number & postcode, this is an unedited recording of how they attempted to fix it.Suffice to say, it didn't go well. They not only ignored my request not to install any software (java, flash, adblock+, silverlight etc) but completely failed to fix Poodle.
Virgin Media Gadget Rescue - The Poodle scam Paul Moore 2016-02-28 | Over the last few months, Virgin Media customers have started receiving letters & emails warning of security issues within their network.This video features two calls to their "premium" technical support number, looking for more information on an exploit called "Poodle"; a flaw in SSL/TLS using CBC cipher suites.Unsurprisingly, it didn't go entirely to plan.
PwnPhone: Default passwords allow covert surveillance. Paul Moore 2016-02-13 | A brief demonstration of how default passwords on VoIP devices allow covert surveillance using just a browser.
Cyber Security Experts - The shoemakers children go barefoot. Paul Moore 2016-02-07 | Well, this is painful.
Identity theft & payment fraud? Thats ASDA price. Paul Moore 2016-01-19 | 677 days after notifying ASDA of several serious security flaws, they're yet to deploy a fix.
Successful Natwest MiTM attack with Rapport running on client machine. Paul Moore 2015-11-18 | Trusteer/IBM Rapport is often pushed by banks to help protect against a wide variety of threats. It's fairly effective, but if the bank doesn't take basic precautions, it's useless in certain circumstances.
Why you shouldnt hash each character of a password... Paul Moore 2015-11-09 | If you need part of a user's password for identity validation (3rd & 5th character, for example), it's often considered secure to hash each character. With a 20 character, true random password consisting of mixalphanumerics & special chars and run through bCrypt (12 rounds), we're able to break it under 7 minutes.
TalkTalk discussing (in)security... insecurely. Paul Moore 2015-10-26 | Sometimes, the headline writes itself.
TalkTalk Breach: Even reporting fraud is insecure. Paul Moore 2015-10-24 | If you've been affected by the TalkTalk breach, just be aware that reporting fraud isn't secure either.
