Tuesday, 30 June 2015

.NET Rocking in Oslo!

I had a crazy trip to the Norwegian Developers Conference in Oslo this month; 2 days of workshops, a user group presentation, 2 conference talks, a podcast and a panel discussion. Despite the craziness of it all though, I was massively pleased that after the dust settled on the more than 150 speakers presenting over 200 talks, I found myself up here:

Top talks at NDC Oslo

Those little buzzers in front of the screen were hit on the way out and it so happened that I had a huge number of the green ones selected for my second talk on “Making Hacking Child’s Play”, which put it way up in the top ranked spot. Mind you, the first talk on “50 Shades of AppSec” also did rather well, coming in at number 5, so I’d call that an altogether rather successful event!

Monday, 29 June 2015

Understanding HTTP Strict Transport Security (HSTS) and preloading it into the browser

During my travels over recent weeks I’ve been doing a quick demo that works like this:

First, I open up the dev tools in Chrome and select the network tab.

Second, I load up americanexpress.com and show the network requests:

Network requests for americanexpress.com

Thursday, 25 June 2015

Get my new Pluralsight course on CloudFlare for free!

You know how you like free stuff? And cloud? And security? Of course you do – what’s not to like?! Well, because Pluralsight and CloudFlare love it too, we’re making my latest course available to everyone, 100% free, for the next week.

Knowledge is power. Sweet, free power.

This is a great course for anyone who wants a very slick way of quickly adding SSL and a raft of other security features to their site with a bare minimum of effort. CloudFlare’s service gets you up and running in literally minutes and the bits I cover in this course are 100% free. That’s the CloudFlare service that’s free and the course that’s free, so there’s now a very low barrier to entry to get up and running with the service. This course is off to a fantastic start, rated five out of five stars by those who’ve viewed it, and I really hope everyone enjoys getting access to it free of charge.

You can access “Getting Started with CloudFlare Security” for free on Pluralsight’s Free Weekly Course page right now. Enjoy!

Tuesday, 23 June 2015

Free recorded webinar on Pluralsight: Why SQL Injection Remains the #1 Web Security Risk Today

A couple of weeks ago I did a free webinar on Pluralsight titled Why SQL Injection Remains the #1 Web Security Risk Today (and what you should know about it). This is a rather self-explanatory title and it’s completely true – SQL injection remains a big thing and we keep getting it wrong. Like an example? Only 8 months ago, Drupal had a major vulnerability in their product. If you’re not already familiar with Drupal, it allegedly powers 2.1% of the world’s websites… including WhiteHouse.gov. But here’s the really scary bit from their announcement:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Wait – so I go to bed and everything is fine then I get up and have to assume all my data has been sucked out or modified or, well, basically anything because that’s what SQL injection risks mean!? This is an enormously dangerous attack which is why the first Ethical Hacking course I produced for Pluralsight is on SQL injection. To kick it off, we decided to do the aforementioned webinar which is now available for everyone to watch for free right here.

If you’d like to watch the full course, then jump on over to Ethical Hacking: SQL Injection.

The Apple Watch is simultaneously awesome and pointless

I’ve had a week and a bit playing with the Apple Watch, pretty much all of that time being on flights and at events which is probably not a normal usage representation, but it’s certainly given me a chance to give it a good workout. Some stuff is good, some is bad and a bunch of it is quite frankly absolutely pointless. But I expected that – it’s what you get with first gen tech – what I was more interested in is how it changes the way I might do otherwise normal everyday stuff.

Pictures speak louder than words in this case so I’ve just been snapping interesting stuff as I’ve gone along. Let me show you what I’ve found.

Watch setup

Wednesday, 17 June 2015

Get started with CloudFlare security on Pluralsight

You may not realise this, but you use CloudFlare. You probably use it every day and you do so without even realising it. You reap numerous benefits from it as well but they’re seamless – it just makes your browsing experience better. By better I mean faster and most importantly in the context of this blog post and my latest Pluralsight course, more secure. Unless you’re an attacker in which case this may happen:

The CloudFlare Model

Tuesday, 9 June 2015

Now you can monitor “Have I been pwned?” performance on Azure in real time

There’s been a huge amount of activity on Have I been pwned? (HIBP) in recent weeks, particularly in the wake of the Adult Friend Finder breach which drew a lot of attention. The activity has comprised organic browser-based traffic as well as hits to the API. The latter in particular is interesting as you can see a steady rate of traffic (or a steady increase in traffic) suddenly interrupted by a massive spike which then sits at a threshold for a period of time. Sometimes that’s minutes, sometimes it’s even days.

I often get asked “I want to hit your API but I don’t want to disrupt the service – is that ok?” and I’m always just slightly amused as the site handles ridiculous levels of traffic without breaking a sweat. And then it scales out ten times over! To date, scale has never even been close to a problem, which is great, but I wanted to add even further transparency to the service (beyond the extensive blog posts I’ve written, that is) and share my New Relic stats with the world. These are live stats – real time stats – and they’re now accessible here:

I’m going to list them each below as live embedded charts because firstly, it will allow me to explain how to interpret them and secondly, it will mean there’s a location entirely independent of the HIBP website where people can see what the service is doing. If they can’t access the site itself, they can always come here to this blog post and see what’s going on. Oh – and thirdly, it means that if you’re hitting the API then you can see the traffic you’re causing and how the system is performing as a result. All nice and transparent :)

Friday, 5 June 2015

Speaker style bingo: 10 presentation anti-patterns

For the first time in about as long as I can remember, I’m at a conference and not actually presenting anything. It’s enormously liberating actually and it’s allowed me to soak up a heap of info without being preoccupied with actually, well, doing stuff. Mind you, I’m chairing half a dozen sessions at AusCERT 2015 but that amounts to introducing someone, sitting back to enjoy their talk then thanking them very much.

Anyway, all this sitting around and watching other people talk about technology really got me thinking about speaking style. I work enormously hard on refining my own style and a huge amount of how I present today is influenced by what I observe from other speakers, both the good and the bad.

As I watched the presentations these last few days and reflected on those I’ve seen just in the last couple of weeks during my European travels, I realised that many of the talks demonstrated common speaking anti-patterns that I see all over the world in different talks. What’s more, at one time or another I have demonstrated every single one of them myself in my own talks. I know this because I watch them all again (at least once) and tear them apart.

So here are the anti-patterns I see and more importantly, what I reckon you need to do to avoid them. Speaking can be enormously empowering and continuous improvement is a very fulfilling thing, but it only happens by being a bit introspective and looking for your own areas of improvement.

Tuesday, 2 June 2015

It’s time for A grade SSL on Azure websites

I get a lot of this sort of thing:

“Hey, how come your site only gets a B grade on the SSL Labs test?”

They’re referring to my Have I been pwned? (HIBP) site and they’re right, it only scores a B grade:

"B" grade rating for an Azure website

The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade below what it would be if RC4 were no longer supported. So I’d get a report from someone along these lines and have to explain why:

“HIBP is hosted on the Azure website server (now known as Web Apps) and SSL termination is upstream of the site itself therefore I have no control over the service”

Then we’d argue about the upsides of using Azure’s platform versus the downsides of RC4 support and how much risk it truly posed to a service of this nature. Regardless, RC4 support is not a good thing in today’s terms and it has to go. And it is going.

Thursday, 28 May 2015

Want to Hack Yourself First in Amsterdam? Come join Xebia and me for a 2 day workshop!

It’s the “Hack Yourself First” trilogy: watch the talk, take the Pluralsight course and now you can spend a couple of days with me in Amsterdam next month, on June 22 and 23, doing the workshop. I’ve teamed up with Xebia, who do a bunch of tech training, and we’ve put together a course that anyone can come along to: Hack Yourself First, how to go on the cyber-offence.

The event is being held in Hilversum just outside Amsterdam at the Hotel Lapershoek:
