Monday, 25 May 2015

Supercars suck at transporting TVs (and other Azure Table Storage lessons)

The other day my receiver for the home audio setup completely died. Kaput. So I go out to get another one and given a receiver is no larger than a couple of shoeboxes in size, I decide to drive the GT-R instead of taking the family estate. I love the GT-R because it’s enormous fun and I smile every time I drive it so given my requirements were well within the capacity allowance of the GT-R’s supercar proportions, it was the natural choice.

So I get to the shop with a smile on my face, find the right receiver and then… I see a TV. It’s not a big one, but it’s the perfect size for the bedroom which was still adorned with an old 4:3 CRT unit which was well past its prime. We negotiate and bundle the two units together price wise which works out quite nicely and ensures my smile remains in place. Then I try to put them in the car.

The receiver wasn’t a problem and that went straight into the boot. The TV, however, was a different story. I tried to move the passenger seat all the way forward and tilt it towards the dash then jam the TV into the two tiny seats in the back. No joy. I rotate the box and try and put it in the passenger seat but now the door won’t shut. I end up jamming the driver’s seat forward which meant my 6’ 5” frame could barely fit and I couldn’t see out the rear view mirror. This was all highly amusing for those witnessing the scene and nothing erodes the cool factor of an attention-seeking car like seeing someone try to jam a TV into the back of it.

Clearly, the GT-R sucks and I should be rid of it. Yes it’ll get to 100kph in under 3 seconds and go well north of 300kph but it’s enormously impractical. It’s ok if you want to perform the simplest of tasks at huge speeds but anything complex (like carrying a TV), takes forever. And that got me thinking about this:

Thursday, 21 May 2015

It’s ethical hacking with SQL injection on Pluralsight!

I’ve long been a proponent of “hacking yourself first”, that is the idea of building up some offensive skills such that you can actually take a good shot at ethically breaking apps for the betterment of society. Whether they’re your own apps that you’ve built or ones you’re testing as part of a dev team doesn’t really matter, it’s the same skills and the same end result – you find bad stuff before bad people do.

What I can now share with everyone is that over the last few months, I’ve been working hard with the folks at Pluralsight and another fellow author to take this a step further and start building out an ethical hacking series.

SQL injection remains the number one risk on the web today. Understanding how to detect it and identify risks in your web applications early is absolutely critical. This course goes through the risk in depth and helps you to become an ethical hacker with a strong SQL injection understanding.

You can go and watch the course on Pluralsight right now or read on. Let me share the background on this, what’s in the first course of this series on SQL injection and what you can expect to see come next.

Thursday, 14 May 2015

</pfizer><pluralsight>

So the dust has finally settled. A month ago I wrote about </pfizer> which marked my departure from the corporate world after spending the last 14 years building and managing their software things across a good whack of the world. With that chapter now formally closed, it’s time to talk about the next phase. It’s time to talk about Pluralsight.

Pluralsight glasses

Thursday, 7 May 2015

Implementing a content security policy with NWebsec, Azure Table Storage and Raygun

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation.

Firstly, if CSP is new to you, go and read Scott Helme’s overview which is excellent. The tl;dr version is simply this: CSP lets you define via HTTP response headers what the browser should be able to load and parse and from where. If nasty, unexpected things like XSS happen, the browser will adhere to the CSP rules which put a stop to many of the popular approaches used in an attack like this such as embedding external resources.

Here’s how I put it all together today.

Monday, 4 May 2015

Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test which has become so popular in recent times. It’s a great way of identifying what’s good and what’s bad about an SSL implementation and indeed, it appears that NAB has pulled their stats:

NAB withholding their stats from Qualys

Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result and even if you do, Qualys who runs the service is only checking for publicly accessible information anyway, they’re simply bundling it up into a single test that’s dead easy to run.

But it did get me wondering – how do our local banks actually stack up? Is their SSL solid? And for that matter, is the old adage of “bank grade” security actually something you want to strive for or in the case of SSL, something you really don’t want?

Wednesday, 29 April 2015

Join me on a website security review with Lars and Pluralsight!

Sometimes, good ideas take a while to materialise. The penny only dropped on just how long some of them take when I was going back through my Pluralsight notes just the other day and found this:

Note reminding self that I really must do this course...

That was March last year and an awful lot of water has gone under the bridge since then. But it seemed like a really good idea at the time and inevitably, it was. I’d find a willing “muse” with a suitable website then go to town on it, critiquing everything that could possibly be wrong with it. This would be a “Play by Play” course where we sit together and the whole thing is recorded by video. It’s a very loosely rehearsed, candid discussion just like I’ve had many times in the past with real apps. Happily, during my visit to Salt Lake City last month for the Pluralsight Author Summit, good friend and willing muse Lars Klint proved the perfect straight man for the job and we recorded Play by Play: Website Security Review with Troy Hunt and Lars Klint.

Pluralsight has kindly made a 7 minute snippet of it available for free on YouTube so if you’re interested in what it’s all about, here you go:

Tuesday, 28 April 2015

Happy birthday! Now anyone can login to your Betfair account

I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example:

Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair responses be removed, Paul captured the discussion here. Now before we go on, do read that discussion in its entirety because context is important here. Read it all? Still got your sanity? Yeah, only just, let’s move on.

Paul is 100% correct despite the somewhat obnoxious customer service response to the contrary. Clearly they are confused and even towards the end of the discussion where he really couldn’t have been any clearer, the closest Betfair comes to a concession is “Thanks for contacting us”.

Obviously what’s needed here is a demo! Here it is with my account (which has now been closed) using my email address (the one that’s allegedly meant to be treated like a bank account and is not to be shared with anyone) and my birthdate. I’ve obfuscated the latter but if you want to work it out, I’d try looking at my publicly shared education history to work out the year of birth (you’ll get it in one or two guesses) and then combine that with public birthday wishes the last time that annual event came around.

Tuesday, 21 April 2015

Mobile app privacy insanity – we’re still failing massively at this

I was preparing for a talk last weekend where I wanted to show the sorts of bad mobile app behaviours you can readily find using Telerik’s Fiddler. Now I’ve spent quite a bit of time over the years looking at the behaviour of the apps we use every day on our phones, in fact it was nearly four years ago that I wrote Secret iOS business; what you don’t know about your apps and called out some really sloppy security practices. But since then we’ve had all sorts of things that have contributed to the overall awareness of online security; Snowden, more easily obtainable free SSL, countless attacks and so on and so forth. There are no longer any excuses for sloppy practices the likes of which I’m going to talk about here, you can no longer claim ignorance.

For the uninitiated, what I’m going to show in this post amounts to nothing more than looking at the requests that mobile apps are making over the web to back end services and inspecting the responses that are returned. It’s the mobile equivalent of looking at the network tab in the developer tools of your favourite browser. In this case though, I’m simply proxying my iPhone traffic through Fiddler which you can set up in about a minute. The particular patterns I’m looking for are discussed at length in my Pluralsight course titled Hack Your API First so if you want to understand the process in detail, go and check that out.

Let’s have a look at what’s going on.

Wednesday, 15 April 2015

</pfizer>

Today marks two important milestones for me – it’s the first time I’ve ever mentioned Pfizer on this blog and after 14 years, it’s my last day working for them. Both those milestones are significant and in their own ways, mark a pivotal point in my career. For those that are interested, I’d like to tell you what I’ve been doing in recent years and give a hint of what will come next.

Troy Hunt - Line Architect - Solution Delivery

Monday, 13 April 2015

Orchestrating massive parallelisation of Azure WebJobs for fun and profit

I’ve been having a few sleepless nights lately worrying about the big one. The big “what”, you ask? I mean another massive data breach the scale of Adobe back in 2013, you know, the one where they had 153 million user accounts wander out the door. If I had to load those into Have I been pwned? (HIBP), frankly I’m not sure how I’d do it. Or at least I wasn’t sure.

When I first wrote about how I built the system, I talked about a very rudimentary console app implementation that I used to bulk load data into Azure Table Storage. I started with the Adobe breach and then batched that data into storage at the maximum rate of 100 rows per transaction. The problem, however, is that I couldn’t batch subsequent breaches as for each row I needed to check if the account existed in the system already then either update the existing record or insert a new one. It’s explained more in that original post, but because I want the service to be super-fast when querying it, I want one row in one partition for each email address and that has a massive impact on the speed with which I can insert new data.

After toiling away with the easiest short-term solution I could find for loading new breaches, I came to the following conclusion about the efficiency of the process:

However at that speed, another Adobe at 153 million records would still take a month.

Ouch! And this is for pretty time-critical data too because much of the value proposition of HIBP is that people get to know about a breach fast, not a month later! I needed a better mousetrap, and here’s how I built it.

Have I been pwned? logo
