man in the middle

Authentication is all around us! 60 Sec Security [VIDEO]

Here's our latest "60 Second Security" video - catch the week's security news in just 1 minute.

SSCC 202 - They hacked the US Army? Are you SURE? [PODCAST]

Join Sophos security experts Chester Wisniewski and Paul Ducklin for this week's security podcast.

Apple, Microsoft, patching, hacking the army (sort of), and 49 arrests in a Europol action against bank fraudsters!

Anatomy of a LOGJAM - another TLS vulnerability, and what to do about it

We've had BEAST, Lucky Thirteen, BREACH, POODLE, Heartbleed and now it's LOGJAM.

Paul Ducklin explains, and tells you what you can do about it.

TLS certificate blunder revisited - whither China Internet Network Information Center?

Just under three weeks ago, we wrote about a TLS certificate blunder by a Root Certificate Authority called CNNIC.

We thought we'd revisit that story today to see how the Big Four browser makers responded to the lapse...

Serious Security: China Internet Network Information Center in TLS certificate blunder

TLS certificates are very important.

In fact, you could say they are the cornerstone of online security, especially for e-commerce.

So we thought we'd use a story about a recent certificate security blunder to remind you why...

SSCC 187 - The cryptography edition [PODCAST]

Sophos expert John Shier sits in for regular presenter Chester Wisniewski in this episode.

John and Paul Ducklin dissect the latest security issues, which were dominated this week by some thorny matters of cryptography.

What's SUPER and helps you to PHISH, sorry, FISH? 60 Sec Security [VIDEO]

Here's our weekly news roundup - from Superfish to Super Spectacles.

It's amusing, informative, and only takes a minute - enjoy!

SSCC 177 - Will Sony's breach be the never ending story? [PODCAST]

Here's the latest episode of our regular security podcast.

Coinbase wallet app in SSL/TLS SNAFU

The popular Bitcoin wallet Coinbase has a security flaw in its Android apps which could allow an attacker to steal authentication codes and access users' accounts, according to a security researcher.

Coinbase is far from alone in leaving its wallet app users vulnerable, so what should you do to stay safe when using mobile banking apps?

Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!

Apple just patched an SSL/TLS bug in iOS - but the flaw is not yet fixed in OS X.

Paul Ducklin comes to the rescue with explanations, mitigations, and even an unofficial patch! (For educational purposes only, you understand.)

Ruby + OpenSSL && sprintf() == 2009-style Man-in-the-Middle?

If you have web-facing code written in Ruby, and you support SSL (which you do, right?), be sure to patch as soon as you can, to avoid falling victim to what seems very much like a four-year-old flaw...

LinkedIn flips the two-factor authentication switch

Just in time for the one-year anniversary of getting its socks knocked off in an attack that saw 6.5 million passwords swiped. Thanks: that's a good anniversary gift, LinkedIn.

Use Instagram on your iPhone? Your account can be hijacked, claims security researcher

A security researcher has published a proof-of-concept attack on Instagram for iOS that would allow malicious users to remotely hijack victims' accounts, delete or download photos, and tinker with profile details.

Android developers - just how much can we trust them to do web security properly?

Six German academics have taken on the question, "Just how well-informed are Android developers, and how much can we trust them to do web security properly?"

It seems the answer is, "Not enough."

Missing dots from email addresses opens 20GB data leak

Security researchers have captured 120,000 emails intended for Fortune 500 companies by exploiting a basic typo.

The emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.