Upgrade and new theme
Regular readers may have noticed that Light Blue Touchpaper was down most of today. This was due to the blog being compromised through several Wordpress vulnerabilities. I’ve now cleaned this up,...
Google as a password cracker
One of the steps used by the attacker who compromised Light Blue Touchpaper a few weeks ago was to create an account (which he promoted to administrator; more on that in a future post). I quickly...
Wordpress cookie authentication vulnerability
In my previous post, I discussed how I analyzed the recent attack on Light Blue Touchpaper. What I did not disclose was how the attacker gained access in the first place. It turned out to incorporate...
Theme is back
Dan Cvrček has very kindly ported over the old Blix-based theme to be compatible with Wordpress 2.3 (and also hopefully more maintainable). There are a few bugs to be ironed out, for example the...
Wordpress 2.5 cookie integrity protection vulnerability
Recently, I was preparing to give a talk on web authentication so was looking at the source code of Wordpress, which I had just upgraded to version 2.5. Unfortunately, I found a rather nasty security...
Hardened stateless session cookies
The root cause behind the last-but-one Wordpress cookie debacle was that the authors invented their own password hashing and cookie generation scheme. This is generally a bad idea, since it’s hard...
Static Consent and the Dynamic Web
Last week Facebook announced the end of regional networks for access control. The move makes sense: regional networks had no authentication so information available to them was easy to get with a fake...
PhD Position on Privacy Enhancing Technologies and Anonymous Communications
Applications are invited for one PhD position in the Security Group at the Computer Laboratory to work with Dr Steven Murdoch. Funding for this position is provided by the Engineering and Physical...
New theme and upgrade
Regular users will have noticed that we’ve got a new theme, to go along with the WordPress upgrade and new hardware to run it on. If you spot any issues, please leave a comment here or email...
Light Blue Touchpaper now on HTTPS
Light Blue Touchpaper now supports TLS, so as to protect passwords and authentication cookies from eavesdropping. TLS support is provided by the Pound load-balancer, because Varnish (our reverse-proxy...