Ross Anderson

Has Chip & PIN Had Its Chips?

[Update: added some extra links at http://avien.net/blog/?p=422] Here, so to speak, is a bit of hot potato*. Flippancy notwithstanding, this isn't really funny. For several years now, Brits have enjoyed a banking card system called chip and PIN, a simple form of two-factor authentication for in-person credit and debit card transactions. In countries where the

Verified by Visa – Pushmi-pullyu*

* http://en.wikipedia.org/wiki/Pushmi-pullyu#The_Pushmi-pullyu In an article in the Register with the eye-catching title of "Verified by Visa bitchslapped by Cambridge researchers", John Leyden comments on the argument by Cambridge researchers Ross Anderson and Steve Murdoch that the 3D Secure system, better known as Verified by Visa or Mastercard Securecode is better suited to shifting liability for

Millennium Falcon: Crash & Burn Revisited

I originally posted this on the AVIEN blog site at http://avien.net/blog/?p=286, but in view of the increasing volume of "Y2.10k" date-related bug reports, I'll re-post it here with an updated list. (Thanks to Mikko Hypponen for posting a couple of links I hadn't seen.) Windows Mobile/SMS bug (Welcome to 2016!) http://www.theregister.co.uk/2010/01/05/windows_mobe_bug/ http://www.wmexperts.com/y2016-sms-bug Bank Bugs: http://www.theregister.co.uk/2010/01/04/bank_queensland/ http://www.msnbc.msn.com/id/34706092/ns/technology_and_science-security/?ocid=twitter]

Qinetiq Energy: A Patent Leathering

[Update: Michael St Nietzel also pointed out that there's an issue with installers that verify a checksum before installation. In fact, this is a special case of an issue I may not have made completely clear before: unless this approach is combined with some form of whitelisting, there has to be some way of reversing the modification

Chinese Whispers: Targeted Malware and E-Espionage

I’ve mentioned here before that targeted malware, often delivered by "spear phishing" carried by apparently "harmless" documents such as PDFs, .DOCs and spreadsheets rather than overt programs, can have much more impact than the raw numbers of such attacks suggest. In fact, some sources now use the term "whaling" rather than "spear phishing" to reflect the

Follow us

Copyright © 2015 ESET, All Rights Reserved.