Authenticating with NRIC numbers

I was recently asked to take a survey which authenticated users solely using IC numbers. According to guideline 6 of PDPC's advisory on the use of NRIC numbers, NRIC numbers are widely used for various business purposes and organisations that use NRIC numbers as user names or membership numbers ...

Security Theatre: Samsung Note 7

Go google for photos of 'exploding Note 7' and you will realise that in every single photo, the phone is still intact in a one piece. If the phone really exploded, you would be looking at fragments scattered over an area. The Note 7 caught fire. It didn't explode. The media just blows (no pun ...

National Vulnerability Reporting Programme

Recent incidents have convinced me of the need to have a single avenue where the public can responsibly disclose vulnerabilities found on both government as well as commercial systems in a secure and efficient manner. While using these systems on a day to day basis, we sometimes do chance upon ...

Analysing smali code

Mobile apps have become increasingly widespread compared to their desktop counterparts. In addition, many apps often have stricter security requirements since they incorporate micropayments. We also perform sensitive transactions through mobile apps. For example, there are no desktop internet ...

DES key parity bit calculator

I was doing some reverse engineering and I could not find any tool which expands a 56 bit DES key into a 64 bit key with the parity bit included. Expanding the key is a pretty laborious process involving hex to bin conversions and plenty of manual counting. To add on, some online tools truncate ...

Bangladesh bank heist

The media initially attributed the hack to a couple of cheap second-hand $10 switches. However, according to further reverse engineering, this is not a snatch and grab but a full scale bank heist perpetrated by determined adversaries with resources at their disposal. Even if the bank had ...

ProtonMail: Technical prowess, Legal expertise and Guts

Technical prowess, Legal expertise and Guts. That is what you need to go up against a Nation State Adversary. We shall take the Apple vs US Government debate as an example. Apple obviously has the technical prowess to store the iPhone's PIN code securely. If it were easily retrievable, the ...

Biometrics and Passwords

Many people have the misconception that biometrics such as fingerprint readers are more secure than passwords. It probably stems from Hollywood spy movies showing Top Secret facilities protected by biometric devices. However, for the vast majority of us who use sensible 8-12 character passwords ...