Friday, 19 December 2014

Are you working for the next Sony Pictures? Here’s some things to check at work

Clearly, Sony Pictures has had a rather bad time of it lately. First there were the threats from the alleged attackers, then the beginning of internal data dumps that now total tens of GB already, then the embarrassing internal email leaks, then the threats of 9/11 style attacks and now pulling the launch of “The Interview” because allegedly, the North Koreans don’t share their sense of humour. This is, without a doubt, the bizarrest of hacks in an industry where bizarre is par for the course.

One of the things that keeps hitting the headlines is how bad Sony’s security practices are (or at least “were”, apparently they’re back to fax machines now). But there’s that whole “stones and glass houses” thing which last night, prompted me to suggest this:

This is a very uncomfortable truth. Yes, many of Sony’s practices were atrocious and yes, they deserve to be raked over the coals for them, but are they the exception? Or the norm? I say it’s far more the latter than the former, let me show you what I mean and how you can identify the same risks in your organisation that are probably going to cost Sony hundreds of millions of dollars.

Thursday, 4 December 2014

Applied Azure: Infographic of how “Have I been pwned?” orchestrates Microsoft’s cloud services

Remember the good old days when a website used to be nothing more than a bunch of files on a web server and a database back end? Life was simple, easy to manage and gloriously inefficient. Wait – what? That’s right, all we had was a hammer and we consequently treated every challenge like the proverbial nail that it was so we solved it in the same way with the same tools over and over again. It didn’t matter that an ASP.NET website on IIS was woefully inadequate at scheduling events, that’s all we had and we made it work. Likewise with SQL Server; it was massive overkill for many simple data persistence requirements but we’d spent the money on the licenses and we had an unhealthy dose of loss aversion coupled with a dearth of viable alternatives.

This was the old world and if you’re still working this way, you’re missing out big time. You’re probably spending way too much money and making life way too hard on yourself. But let’s also be realistic – there are a heap of bits in the “new world” and that means a lot of stuff to learn and wrap your head around. The breadth and depth of services that constitute what we know of as Microsoft Azure are, without a doubt, impressive. When you look at infographics like this you start to get a sense of just how comprehensive the platform is. You also get a bit overwhelmed with how many services there are and perhaps confused as to how you should tie them together.

I thought I’d take that aforementioned infographic and turn it into what Have I been pwned? (HIBP) is today. Oh – and speaking of today – it’s exactly one year since I launched HIBP! One of the key reasons I built the service in the first place was to get hands on with all the Azure services you’ll read about below. I had no idea how popular the service would be when I set out to build it and how well it would demonstrate the cloud value propositions that come with massively fluctuating scale, large volumes of data storage and a feature set that is distributed across a range of discrete cloud services.

Here’s the infographic, click through for a high-res PNG or go vector with PDF and read on after that for more details on how it’s all put together.

The "Have I been pwned?" Microsoft Azure Ecosystem

So that’s the big picture, now let me fill in the details.

Friday, 28 November 2014

This is your bank, please verify your details – No, you verify YOUR details!

The phone rings from a concealed number and you pick up:

Hello?

Silence.

More silence.

Eventually a foreign voice enters:

Hi, this is your bank, we need you to verify some details.

This is the point where you should be disclosing absolutely nothing, at least nothing that is not known already which is probably just your phone number and perhaps your name if they’ve greeted you with it. No, I’m not revealing my address or my account numbers or my password because frankly, I don’t trust you. Don’t get me wrong – it’s not because of your foreign accent – but it’s because it’s part of a larger tapestry of suspicious attributes of the call.

This is precisely what happened to me this week and it’s worth explaining why this is worrying, how you should respond and what the bank did wrong. Yes, the bank, the call was actually legit.

Tuesday, 25 November 2014

Ransom is the new black – the increasing trend of online extortion

I heard about this guy, walked into a federal bank with a portable phone, handed the phone to the teller, the guy on the other end of the phone said: “We got this guy’s little girl, and if you don’t give him all your money, we’re gonna kill ‘er.”

Did it work?

F**kin’ A it worked, that’s what I’m talkin’ about! Knucklehead walks in a bank with a telephone, not a pistol, not a shotgun, but a f**kin’ phone, cleans the place out, and they don’t lift a f**kin’ finger.

Did they hurt the little girl?

I don’t know. There probably never was a little girl — the point of the story isn’t the little girl. The point of the story is they robbed the bank with a telephone.

This is out of the opening scene of Pulp Fiction and clearly, it’s fictitious. Except for when it isn’t:

Notice of extortion

Brian Krebs reported on this a few months ago and it’s about as brazen as you’d expect online criminals to get; give us money or we’ll mess up your stuff. It’s the mob protection racket of the digital era only more random with less chance of getting caught and not as many gold necklaces (I assume). That one bitcoin is about $400 American dollars today so enough for a tidy little return but not enough that it makes for an unachievable ransom for most small businesses.

The worrying thing is though, this is just part of a larger trend that’s drawing online criminals into the very lucrative world of extortion and we’re seeing many new precedents in all sorts of different areas of the online world. Let me show you what I mean.

Friday, 21 November 2014

“Have I been pwned?” – now with RSS!

As feature releases go, this is not exactly a killer, but to my surprise it was one that was requested quite frequently. It turns out that people really wanted to be able to keep abreast of new breaches and pastes in Have I been pwned? (HIBP) via RSS. Not only is that a perfectly reasonable request, but it was also an easy one to get on top of so here it is!

There are two RSS feeds both linked in from various places on the site including in the navigation. For your RSS’ing convenience, they are both available as direct links here:

  1. Latest 20 breaches
  2. Latest 50 pastes

I chose these numbers because pastes appear very frequently – sometimes dozens per day – whilst breaches, being a highly manual process, mean I do maybe only a couple a month on average. Both feeds have their own attractions, breaches because it’s always a serious volume of data from a verified event and pastes because if you’re like me, I’m kinda curious to see the sort of data that’s continuously being dumped onto Pastebin.

You may also notice that these feeds are served via Feedburner. Regular readers will recall that I try and optimise HIBP to the n’th degree to really maximise the resources I have at my disposal and keep the cost down. By using Feedburner as a proxy to the underlying feeds, I’ve got one service hitting HIBP and then “n” of you guys hitting Feedburner. That keeps the load off my end and also means that Google pays for the bandwidth.

If you have suggestions for either of the feeds such as other information you’d like to see in the title or body, do let me know. Enjoy!

Tuesday, 18 November 2014

Does an insecure website compromise the security of a payment system in an iframe?

Here’s a conundrum for you: would you trust this page with your credit card?

The Semi Precious Beads website loaded over HTTPS

It has HTTPS and it has a GoDaddy logo with a padlock (if the significance of this is lost on you, my thoughts on both GoDaddy and padlock icons are well documented), so from a casual glance, it’s ok, right?

Thursday, 13 November 2014

Success by a thousand cuts: Visual Studio 2013 Update 4 and SQL Azure

It seems like every time I turn around there’s something I haven’t seen in Azure. If I’m honest, it leaves me in a perpetual state of “Oh man, there is so much stuff I don’t know”. I suspect that resonates with many readers of this blog because there’s just so much stuff to keep on top of these days.

Often I’m not sure if I’ve just been overlooking something that’s always been there or if it’s brand new. Case in point: today I’m in the Azure Management Portal and I see this when I’m in the context of a SQL Azure database:

Link to "Open in Visual Studio" when in the context of a SQL Azure DB

Tuesday, 11 November 2014

Hacking your API first at TechEd Australia 2014

I’ve been doing a lot of talking about API security recently because frankly, there’s a lot to talk about. Those little web services that sit behind the rich client apps on our devices and increasingly behind our Internet of Things have a nasty habit of having some really serious vulnerabilities in them. I’m talking about everything from leaking data to allowing unauthorised users to perform actions they shouldn’t be allowed to all the way through to entirely useless SSL implementations because certificate validation has been disabled.

Pretty much every time I set out to look at the APIs being called by my devices, I find nasty stuff. Even just yesterday I was involved in reviewing a project that had the most heinous API crimes you can imagine; think along the lines of absolutely zero access controls on a service that processes some serious financial transactions. I didn’t find this through any high-tech means accessible to penetration testers who live in the underworlds, I found it using common dev tools in just a few minutes because I knew where to look.
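To make the “zero access controls” failure concrete, here is an added example that is not code from the post or from the project it reviews. It models a transaction-listing endpoint twice: once the way the reviewed service apparently behaved (any caller can read any account), and once with the caller authenticated and then authorised against the account’s owner. The account data, the bearer tokens and the URL shape (/accounts/<id>/transactions) are all constructed for the example; a real service would verify a signed token rather than look one up in a dictionary. The probe function drives each handler the same way a reviewer with nothing more than a dev tool or curl would: one anonymous request, one request as alice for bob’s account, and one for alice’s own account.

```python
"""Added example: a financial API endpoint with no access control beside a fixed version.

Everything here is constructed for illustration: the accounts, the tokens and the
URL layout are assumptions, not artefacts of any real service.
"""

# Constructed sample data (not real accounts): account id -> owner and transactions
ACCOUNTS = {
    "1001": {"owner": "alice", "transactions": [{"id": 1, "amount": -42.50}]},
    "1002": {"owner": "bob", "transactions": [{"id": 2, "amount": 1200.00}]},
}

# Constructed bearer tokens -> username. A real service would validate a signed
# token (or a session) instead of a static lookup table.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def _parse_account_id(path):
    """Return the <id> from /accounts/<id>/transactions, or None if the path is not that route."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "accounts" and parts[2] == "transactions":
        return parts[1]
    return None


def _caller(headers):
    """Resolve the Authorization header to a username, or None if absent/unknown."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return TOKENS.get(auth[len("Bearer "):])
    return None


def vulnerable_get_transactions(path, headers):
    """The 'heinous' version: the account id in the URL is the only thing consulted.

    Nothing is authenticated and nothing is authorised, so anyone who can guess
    or enumerate account ids can read every account's transactions.
    """
    account_id = _parse_account_id(path)
    if account_id is None or account_id not in ACCOUNTS:
        return 404, {"error": "not found"}
    return 200, {"transactions": ACCOUNTS[account_id]["transactions"]}


def hardened_get_transactions(path, headers):
    """Authenticate the caller, then authorise them against the resource's owner."""
    account_id = _parse_account_id(path)
    caller = _caller(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    account = ACCOUNTS.get(account_id)
    # Return 404 for both missing and foreign accounts so the API does not
    # confirm which account ids exist to someone enumerating them.
    if account is None or account["owner"] != caller:
        return 404, {"error": "not found"}
    return 200, {"transactions": account["transactions"]}


def probe(handler):
    """Drive a handler the way a reviewer would and return the status code of each request."""
    results = {}
    # No credentials at all
    results["anonymous"] = handler("/accounts/1002/transactions", {})[0]
    # Authenticated as alice, asking for bob's account
    results["cross_account"] = handler(
        "/accounts/1002/transactions", {"Authorization": "Bearer tok-alice"})[0]
    # Authenticated as alice, asking for her own account
    results["own_account"] = handler(
        "/accounts/1001/transactions", {"Authorization": "Bearer tok-alice"})[0]
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_get_transactions))
    print("hardened:  ", probe(hardened_get_transactions))
```

The vulnerable handler answers 200 to all three probes; the hardened one answers 401, 404 and 200 respectively. The design choice worth noting is the 404 on a foreign account rather than a 403: a 403 tells the caller the id is real, which is exactly the oracle an enumeration attack wants.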

This is an area that I’m convinced is a significant enough threat to online security that I published a Pluralsight course on it just a couple of months ago – Hack Your API First. Further to that, I’m getting around talking about it at various events and last month that meant Microsoft’s TechEd in both Melbourne and Sydney, the former of which is now online for you to view here:

Oh – and if you’d like to watch that Pluralsight course for free, just get on over to this blog post that has a little challenge in it, leave your comment and I’ll get one right over to you!

Thursday, 30 October 2014

10 email security fundamentals for everyday people

A couple of weeks back, this bloke hit the news when his private emails were leaked and disclosed that he was fond of, shall we say, a very “colonial” vernacular when it comes to talking about our indigenous people:

University of Sydney Professor Barry Spurr

That he is (was?) a professor at a university would normally suggest that he’s a pretty switched on guy, but the evidence is clearly to the contrary.

Speaking of people we’d normally assume to have above average intelligence, you’d probably not expect a Senator to offer a foreign athlete a handful of taxpayer funds to travel over here and then suggest that he be “compensated for the long haul, sexually of course”:

Senator Nova Peris

Friday, 24 October 2014

Get Cloak. Go Dark. VPN’ing out from the Great Firewall of China

Let’s go through just some of the ways you can hand your valuable datas over to people that want to get somewhere in between you and whatever service it is you want to talk to at the other end.

You can get pineappled and certainly that’s been a favourite of mine to demonstrate because it’s just so damn easy (it’s also kinda cool, if I’m honest).

The router you connect through can be pwned and its DNS changed to help pay for Brazilian hookers (yes, you read that right).

The Tunisian government can just siphon up all your packets as they pass through the ISPs under their control. Ok, maybe you’re not in Tunisia, but I think we’re all a little wary of the American government lately too…

And so on and so forth. I saw a great story today on the risks of public wifi which puts the threat of a man in the middle attack (henceforth an MitM attack) into perspective. As an iOS user, when I read stuff like China's Massive iCloud Hack, I get a little concerned. As an iOS user travelling to China, I get a VPN and that’s where Cloak comes in.

There are many consumer-orientated VPN services and I’m told that many of them are excellent, which I’m sure they are. I decided to give Cloak a go in part because their website made it super simple to understand, in part because the Twitter account actually reached out and made contact when I mentioned it (pro tip: this matters to a lot of people) and also in part because it has a free intro and good pricing plan. It was only after I started using it that I found some other neat tricks as well. It’s a dead simple app and it looks like this:

The Cloak app

This is really, really simple and that’s what really got me excited about Cloak, not much more than the plan you’re on and a few basic settings. Let’s go through them.
