Friday, 28 November 2014

This is your bank, please verify your details – No, you verify YOUR details!

The phone rings from a concealed number and you pick up:

Hello?

Silence.

More silence.

Eventually a foreign voice enters:

Hi, this is your bank, we need you to verify some details.

This is the point where you should be disclosing absolutely nothing, at least nothing that is not known already which is probably just your phone number and perhaps your name if they’ve greeted you with it. No, I’m not revealing my address or my account numbers or my password because frankly, I don’t trust you. Don’t get me wrong – it’s not because of your foreign accent – but it’s because it’s part of a larger tapestry of suspicious attributes of the call.

This is precisely what happened to me this week and it’s worth explaining why this is worrying, how you should respond and what the bank did wrong. Yes, the bank, the call was actually legit.

Tuesday, 25 November 2014

Ransom is the new black – the increasing trend of online extortion

I heard about this guy, walked into a federal bank with a portable phone, handed the phone to the teller, the guy on the other end of the phone said: “We got this guy’s little girl, and if you don’t give him all your money, we’re gonna kill ‘er.”

Did it work?

F**kin’ A it worked, that’s what I’m talkin’ about! Knucklehead walks in a bank with a telephone, not a pistol, not a shotgun, but a f**kin’ phone, cleans the place out, and they don’t lift a f**kin’ finger.

Did they hurt the little girl?

I don’t know. There probably never was a little girl — the point of the story isn’t the little girl. The point of the story is they robbed the bank with a telephone.

This is out of the opening scene of Pulp Fiction and clearly, it’s fictitious. Except for when it isn’t:

Notice of extortion

Brian Krebs reported on this a few months ago and it’s about as brazen as you’d expect online criminals to get; give us money or we’ll mess up your stuff. It’s the mob protection racket of the digital era only more random with less chance of getting caught and not as many gold necklaces (I assume). That one bitcoin is about $400 American dollars today so enough for a tidy little return but not enough that it makes for an unachievable ransom for most small businesses.

The worrying thing is though, this is just part of a larger trend that’s drawing online criminals into the very lucrative world of extortion and we’re seeing many new precedents in all sorts of different areas of the online world. Let me show you what I mean.

Friday, 21 November 2014

“Have I been pwned?” – now with RSS!

As feature releases go, this is not exactly a killer, but to my surprise it was one that was requested quite frequently. It turns out that people really wanted to be able to keep abreast of new breaches and pastes in Have I been pwned? (HIBP) via RSS. Not only is that a perfectly reasonable request, but it was also an easy one to get on top of so here it is!

There are two RSS feeds both linked in from various places on the site including in the navigation. For your RSS’ing convenience, they are both available as direct links here:

  1. Latest 20 breaches
  2. Latest 50 pastes

I chose these numbers because pastes appear very frequently – sometimes dozens per day – whilst breaches, being a highly manual process, mean I do maybe only a couple a month on average. Both feeds have their own attractions: breaches because it’s always a serious volume of data from a verified event, and pastes because if you’re like me, you’re kinda curious to see the sort of data that’s continuously being dumped onto Pastebin.

You may also notice that these feeds are served via Feedburner. Regular readers will recall that I try and optimise HIBP to the n’th degree to really maximise the resources I have at my disposal and keep the cost down. By using Feedburner as a proxy to the underlying feeds, I’ve got one service hitting HIBP and then “n” of you guys hitting Feedburner. That keeps the load off my end and also means that Google pays for the bandwidth.

If you have suggestions for either of the feeds such as other information you’d like to see in the title or body, do let me know. Enjoy!

Tuesday, 18 November 2014

Does an insecure website compromise the security of a payment system in an iframe?

Here’s a conundrum for you: would you trust this page with your credit card?

The Semi Precious Beads website loaded over HTTPS

It has HTTPS and it has a GoDaddy logo with a padlock (if the significance of this is lost on you, my thoughts on both GoDaddy and padlock icons are well documented), so from a casual glance, it’s ok, right?

Thursday, 13 November 2014

Success by a thousand cuts: Visual Studio 2013 Update 4 and SQL Azure

It seems like every time I turn around there’s something I haven’t seen in Azure. If I’m honest, it leaves me in a perpetual state of “Oh man, there is so much stuff I don’t know”. I suspect that resonates with many readers of this blog because there’s just so much stuff to keep on top of these days.

Often I’m not sure if I’ve just been overlooking something that’s always been there or if it’s brand new. Case in point: today I’m in the Azure Management Portal and I see this when I’m in the context of a SQL Azure database:

Link to "Open in Visual Studio" when in the context of a SQL Azure DB

Tuesday, 11 November 2014

Hacking your API first at TechEd Australia 2014

I’ve been doing a lot of talking about API security recently because frankly, there’s a lot to talk about. Those little web services that sit behind the rich client apps on our devices and increasingly behind our Internet of Things have a nasty habit of having some really serious vulnerabilities in them. I’m talking about everything from leaking data to allowing unauthorised users to perform actions they shouldn’t be allowed to all the way through to entirely useless SSL implementations because certificate validation has been disabled.

Pretty much every time I set out to look at the APIs being called by my devices, I find nasty stuff. Even just yesterday I was involved in reviewing a project that had the most heinous API crimes you can imagine; think along the lines of absolutely zero access controls on a service that processes some serious financial transactions. I didn’t find this through any high-tech means accessible to penetration testers who live in the underworlds, I found it using common dev tools in just a few minutes because I knew where to look.

This is an area that I’m convinced is a significant enough threat to online security that I published a Pluralsight course on it just a couple of months ago – Hack Your API First. Further to that, I’m getting around talking about it at various events and last month that meant Microsoft’s TechEd in both Melbourne and Sydney, the former of which is now online for you to view here:

Oh – and if you’d like to watch that Pluralsight course for free, just get on over to this blog post that has a little challenge in it, leave your comment and I’ll get one right over to you!

Thursday, 30 October 2014

10 email security fundamentals for everyday people

A couple of weeks back, this bloke hit the news when his private emails were leaked and disclosed that he was fond of, shall we say, a very “colonial” vernacular when it comes to talking about our indigenous people:

University of Sydney Professor Barry Spurr

That he is (was?) a professor at a university would normally suggest that he’s a pretty switched on guy, but the evidence is clearly to the contrary.

Speaking of people we’d normally assume to have above average intelligence, you’d probably not expect a Senator to offer a foreign athlete a handful of taxpayer funds to travel over here and then suggest that he be “compensated for the long haul, sexually of course”:

Senator Nova Peris

Friday, 24 October 2014

Get Cloak. Go Dark. VPN’ing out from the Great Firewall of China

Let’s go through just some of the ways you can hand your valuable datas over to people that want to get somewhere in between you and whatever service it is you want to talk to at the other end.

You can get pineappled and certainly that’s been a favourite of mine to demonstrate because it’s just so damn easy (it’s also kinda cool, if I’m honest).

The router you connect through can be pwned and its DNS changed to help pay for Brazilian hookers (yes, you read that right).

The Tunisian government can just siphon up all your packets as they pass through the ISPs under their control. Ok, maybe you’re not in Tunisia, but I think we’re all a little wary of the American government lately too…

And so on and so forth. I saw a great story today on the risks of public wifi which puts the threat of a man in the middle attack (henceforth an MitM attack) into perspective. As an iOS user, when I read stuff like China's Massive iCloud Hack, I get a little concerned. As an iOS user travelling to China, I get a VPN and that’s where Cloak comes in.

There are many consumer-orientated VPN services and I’m told that many of them are excellent, which I’m sure they are. I decided to give Cloak a go in part because their website made it super simple to understand, in part because the Twitter account actually reached out and made contact when I mentioned it (pro tip: this matters to a lot of people) and also in part because it has a free intro and a good pricing plan. It was only after I started using it that I found some other neat tricks as well. It’s a dead simple app and it looks like this:

The Cloak app

This is really, really simple and that’s what really got me excited about Cloak: not much more than the plan you’re on and a few basic settings. Let’s go through them.

Wednesday, 22 October 2014

.NET Rocks Podcast: The Security of IoT

You know how you always wanted a fork with an ARM processor that could upload data wirelessly over the internet? C’mon, you know you want it and now you can get a HAPIfork.

Or how about your light globes? Yes, LIFX totally rocks but no, I wasn’t so keen on the idea once I learned your neighbours could pwn your wifi through them.

This brave new “Internet of Things” world is equal parts awesome and scary and there seems to be no limit to the extent we’ll go to connect our things. We connect these things to the internet via APIs and of course at the end of the day, an API is not much more than a website without a user interface. Because it’s a website it has website vulnerabilities yet when we put these APIs behind our “things”, they’re that much harder to monitor in terms of risks, unless you know where to look…

This is why I wrote the Pluralsight course titled Hack Your API First. I’ve explained why this course rocks before so I won’t dwell on it here, but I did get a good chance to talk to the awesome duo from .NET Rocks again the other day on the security implications of IoT, what it means to connect all our things and why you may no longer be able to trust your toilet.

The podcast is over on the .NET Rocks website or embedded here:

Enjoy!

Tuesday, 21 October 2014

Disabling SSL 3 in Azure websites (and why it doesn’t look like you have)

Just a quick one as it’s mostly explained in How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines, but there are a few bits worth adding. Oh – just in case POODLE was news to you, go back and read my post on Everything you need to know about the POODLE SSL bug from last week.

Back to Nazim’s guidance above on Azure websites, you can either install a site extension to disable SSL 3 or make a URL rewrite rule that looks at a custom header in the request. My view is that the latter is always preferable as it puts it right into the config of the site. Deploy it somewhere else later and the config is still good (assuming it’s an Azure website that recognises the setting). I can see some people preferring the site extension as it means you don’t need to redeploy the site, but if you’re worried about that then you probably have some bigger problems to deal with!

Now, before deploying the fix, let’s make sure that SSL 3 is indeed enabled because personally, I like to see evidence that changes I’m making actually do something. Here’s a Qualys SSL Labs scan of the site before any changes:

An A- rating on SSL labs with SSL 3 being reported as enabled
