Friday, 23 January 2015

Automating web hosting creation in Azure with PowerShell

Here’s your situation: you’ve got a heap of websites on traditional hosting models. Shared tenancies on single logical machines, dedicated infrastructure or even worse, not really any idea because you just keep paying that $5 per month and stuff works. Most of the time.

But you’ve seen the light and you want to move things to Azure en masse. A small handful of sites isn’t a drama: there’s a bit of setup work to create the Azure resources for each one and so long as you follow a pre-defined set of steps just perfectly, you’re fine. But like most things that require manual steps, it’s highly error-prone in terms of getting everything just right every time and it’s also very laborious. Once that handful of sites becomes dozens, it starts to feel like a bit of hard work. Not only that, but you’re going to want new assets in Azure in the future and having a repeatable way of doing that near instantaneously would be kind of nice.

I had this challenge recently – “we want to migrate a heap of websites to Azure and they’ll all fit into basically the same pattern” – so rather than have people clicking links in the Azure Portal, I gave them a single PowerShell script and unleashed them. I’m going to give you all the steps here that explain how it all works and give you the entire PowerShell script so that you don’t have to work out all the nuts and bolts from scratch. Enjoy!

Thursday, 15 January 2015

Have your customers been pwned? Would you like to know?

For the past year and a bit I’ve been building out features on Have I been pwned? (HIBP) in response to things I think would be awesome and things I’m asked for. I’m constantly surprised at the ways people have found to use the data for good, which is a nice twist given that the data normally comes from very unpleasant circumstances. For some ideas on how the data has been used, have a look at the API consumers page: various mobile apps, security tools, an IFTTT recipe and even a browser plugin. All of these plug into the existing freely available API, the one with nothing to get in the way such as auth or rate limits or anything else that poses a barrier to just getting in there and using it, like money! It’s open and it’s free.

But there’s much more been going on to make this data more useful to people that can do good things with it. Almost a year ago to the day, I released the domain search feature which allows anyone to verify their ownership of a domain and then be notified when anyone with an email on that domain is pwned. It’s been great for people who manage their own domains (i.e. they create multiple emails @myname.com) and also for organisations that want to get alerts when their staff get pwned which is particularly useful given the potential for subsequent phishing attacks and direct impact to the organisation. There have been thousands of domain notifications already sent for both breaches and pastes that have impacted domains ranging from those managed by individuals for their family members right up to a number of Fortune 100 orgs with 100,000+ staff. It’s all working rather nicely :)

But there’s another really interesting use case for the service and that’s supporting people with dozens or even hundreds of domains they want to monitor. This is not something that’s really feasible to set up one by one; the existing verification process is fine for a few, but it’s not only laborious for large numbers, sometimes it’s not even possible. To that end, over the last year I’ve had a number of people come to me and ask for a bulk load of domains. For example, a major bank that has assets spread out across many brands with unique domains. A telco that provides email services across dozens of domains. A financial services company that offers products under different names. And a really interesting one I can actually share with you publicly: XCentral.

Tuesday, 6 January 2015

Are your apps leaking your private details?

For many regular readers here, this is probably not overly surprising: some of your apps may do nasty things. Yes, yes, we’re all very shocked about this but all jokes aside, it’s a rather nasty problem that kids in particular are at risk of. There was a piece a few days back on Channel 4 in the UK about Apps, ads and what they get from your phone where a bunch of kids had their traffic intercepted by a security firm. The results were then shared with the participants where their shocked responses could then be observed by all.

I got asked for some comments on this by SBS TV here locally which went to air last night:

Monday, 5 January 2015

Introducing the “Secure Account Management Fundamentals” course on Pluralsight

I’ve just published my eighth Pluralsight course – Secure Account Management Fundamentals – and it’s all about the things we need to do to properly look after the valuable customers that use the services we developers build. Normally when I launch a new course I’d write up a bunch of detail on what it’s all about but this time, I thought I’d reproduce a collection of the discussions I’ve had with many people over many years about secure account management concepts.

I assure you, I’ve had all these conversations many times and I keep seeing the same fundamental misunderstandings not just with discrete security concepts but with the logic flow that surrounds account management processes. Treat this as “stories from the trenches” which the new Pluralsight course sets out to directly address.

Friday, 2 January 2015

Sony, North Korea and Cyberwarfare on RunAs Radio

It was the story that got weirder and weirder and will likely remain the high water mark for impactful security breaches for, well, probably not very long given this industry! Be that as it may, the Sony saga was unprecedented in many ways and it provoked some really interesting discussions.

A couple of weeks back I suggested that many of us are working for the next Sony Pictures, insofar as a lot of the atrocious practices they followed are pretty much par for the course in large enterprises. This to me is one of the key lessons we should be taking away from all this – you may be nothing more than one bad employee or one nasty piece of malware away from your own place of work suffering the same fate.

Last week I caught up with Richard Campbell and we recorded a RunAs Radio episode on the hack. Whilst only a half hour can barely do it justice, we still covered a lot and I hope you find it interesting listening. Enjoy!

Friday, 19 December 2014

Are you working for the next Sony Pictures? Here’s some things to check at work

Clearly, Sony Pictures has had a rather bad time of it lately. First there were the threats from the alleged attackers, then the beginning of internal data dumps that now total tens of GB already, then the embarrassing internal email leaks, then the threats of 9/11 style attacks and now pulling the launch of “The Interview” because allegedly, the North Koreans don’t share their sense of humour. This is, without a doubt, the bizarrest of hacks in an industry where bizarre is par for the course.

One of the things that keeps hitting the headlines is how bad Sony’s security practices are (or at least “were”, apparently they’re back to fax machines now). But there’s that whole “stones and glass houses” thing which last night, prompted me to suggest this:

This is a very uncomfortable truth. Yes, many of Sony’s practices were atrocious and yes, they deserve to be raked over the coals for them, but are they the exception? Or the norm? I say it’s far more the latter than the former, let me show you what I mean and how you can identify the same risks in your organisation that are probably going to cost Sony hundreds of millions of dollars.

Thursday, 4 December 2014

Applied Azure: Infographic of how “Have I been pwned?” orchestrates Microsoft’s cloud services

Remember the good old days when a website used to be nothing more than a bunch of files on a web server and a database back end? Life was simple, easy to manage and gloriously inefficient. Wait – what? That’s right, all we had was a hammer and we consequently treated every challenge like the proverbial nail that it was so we solved it in the same way with the same tools over and over again. It didn’t matter that an ASP.NET website on IIS was woefully inadequate at scheduling events, that’s all we had and we made it work. Likewise with SQL Server; it was massive overkill for many simple data persistence requirements but we’d spent the money on the licenses and we had an unhealthy dose of loss aversion coupled with a dearth of viable alternatives.

This was the old world and if you’re still working this way, you’re missing out big time. You’re probably spending way too much money and making life way too hard on yourself. But let’s also be realistic – there are a heap of bits in the “new world” and that means a lot of stuff to learn and wrap your head around. The breadth and depth of services that constitute what we know of as Microsoft Azure are, without a doubt, impressive. When you look at infographics like this you start to get a sense of just how comprehensive the platform is. You also get a bit overwhelmed with how many services there are and perhaps confused as to how you should tie them together.

I thought I’d take that aforementioned infographic and turn it into what Have I been pwned? (HIBP) is today. Oh – and speaking of today – it’s exactly one year since I launched HIBP! One of the key reasons I built the service in the first place was to get hands on with all the Azure services you’ll read about below. I had no idea how popular the service would be when I set out to build it and how well it would demonstrate the cloud value propositions that come with massively fluctuating scale, large volumes of data storage and a feature set that is distributed across a range of discrete cloud services.

Here’s the infographic, click through for a high-res PNG or go vector with PDF and read on after that for more details on how it’s all put together.

The "Have I been pwned?" Microsoft Azure Ecosystem

So that’s the big picture, now let me fill in the details.

Friday, 28 November 2014

This is your bank, please verify your details – No, you verify YOUR details!

The phone rings from a concealed number and you pick up:

Hello?

Silence.

More silence.

Eventually a foreign voice enters:

Hi, this is your bank, we need you to verify some details.

This is the point where you should be disclosing absolutely nothing, at least nothing that is not known already which is probably just your phone number and perhaps your name if they’ve greeted you with it. No, I’m not revealing my address or my account numbers or my password because frankly, I don’t trust you. Don’t get me wrong – it’s not because of your foreign accent – but it’s because it’s part of a larger tapestry of suspicious attributes of the call.

This is precisely what happened to me this week and it’s worth explaining why this is worrying, how you should respond and what the bank did wrong. Yes, the bank, the call was actually legit.

Tuesday, 25 November 2014

Ransom is the new black – the increasing trend of online extortion

I heard about this guy, walked into a federal bank with a portable phone, handed the phone to the teller, the guy on the other end of the phone said: “We got this guy’s little girl, and if you don’t give him all your money, we’re gonna kill ‘er.”

Did it work?

F**kin’ A it worked, that’s what I’m talkin’ about! Knucklehead walks in a bank with a telephone, not a pistol, not a shotgun, but a f**kin’ phone, cleans the place out, and they don’t lift a f**kin’ finger.

Did they hurt the little girl?

I don’t know. There probably never was a little girl — the point of the story isn’t the little girl. The point of the story is they robbed the bank with a telephone.

This is out of the opening scene of Pulp Fiction and clearly, it’s fictitious. Except for when it isn’t:

Notice of extortion

Brian Krebs reported on this a few months ago and it’s about as brazen as you’d expect online criminals to get: give us money or we’ll mess up your stuff. It’s the mob protection racket of the digital era, only more random, with less chance of getting caught and not as many gold necklaces (I assume). That one bitcoin is worth about $400 American dollars today, so enough for a tidy little return but not enough that it makes for an unachievable ransom for most small businesses.

The worrying thing is though, this is just part of a larger trend that’s drawing online criminals into the very lucrative world of extortion and we’re seeing many new precedents in all sorts of different areas of the online world. Let me show you what I mean.

Friday, 21 November 2014

“Have I been pwned?” – now with RSS!

As feature releases go, this is not exactly a killer, but to my surprise it was one that was requested quite frequently. It turns out that people really wanted to be able to keep abreast of new breaches and pastes in Have I been pwned? (HIBP) via RSS. Not only is that a perfectly reasonable request, but it was also an easy one to get on top of so here it is!

There are two RSS feeds both linked in from various places on the site including in the navigation. For your RSS’ing convenience, they are both available as direct links here:

  1. Latest 20 breaches
  2. Latest 50 pastes

I chose these numbers because pastes appear very frequently – sometimes dozens per day – whilst loading breaches is a highly manual process, so I do maybe only a couple a month on average. Both feeds have their own attractions: breaches because it’s always a serious volume of data from a verified event, and pastes because if you’re like me, you’re kinda curious to see the sort of data that’s continuously being dumped onto Pastebin.

You may also notice that these feeds are served via Feedburner. Regular readers will recall that I try to optimise HIBP to the nth degree to really maximise the resources I have at my disposal and keep the cost down. By using Feedburner as a proxy to the underlying feeds, I’ve got one service hitting HIBP and then “n” of you guys hitting Feedburner. That keeps the load off my end and also means that Google pays for the bandwidth.

If you have suggestions for either of the feeds such as other information you’d like to see in the title or body, do let me know. Enjoy!