Tuesday, September 16, 2014

Introducing paste searches and monitoring for “Have I been pwned?”

I’ve got 174,451,409 breached accounts in Have I been pwned? (HIBP) as of today which probably sounds like a lot, but it’s not. Why is it not a lot? Because whilst that list spans a lot of the big breaches I could get my hands on, as of the middle of this year (now a couple of months ago already), there were over half a billion accounts breached in just six months. That’s just nuts and as that article explains, it’s set us on a track that will make 2014 the most hacked year to date by a fairly significant margin over last year, which was the previous most hacky year.

Every time a major breach occurs (and frequently after smaller ones too), I go through the process of seeking any publicly dumped data (which frequently can’t be found as it remains in the attackers’ hands), then verifying the legitimacy of the breach and, when it checks out, publishing the data to HIBP. It can be time consuming and labour intensive if I want to avoid any false positives. Combine that with the fact that only a small portion of breaches ever see the light of day and you realise that despite my best efforts, I’m really only scraping the surface of pwned data.

But along with those massive, sporadic public dumps, there’s another channel by which we very frequently see breached accounts appear and that’s “pastes”. As it turns out, there are literally tens of thousands of email addresses appearing in pastes every day, unbeknownst to the rightful owner. Also unbeknownst to them is that alongside their email address is often their password and other personal data, all on public display for anyone who cares to look.

But I’m getting ahead of myself here, let me explain what a paste is and the relevance to HIBP.

Monday, September 15, 2014

10 things I learned about rapidly scaling websites with Azure

This is the traffic pattern that cloud pundits the world over sell the value proposition of elastic scale on:

Sessions going from barely anything to almost 12k an hour almost immediately

This is Have I been pwned? (HIBP) going from a fairly constant ~100 sessions an hour to… 12,000 an hour. Almost immediately.

This is what happened last week when traffic literally increased 60-fold overnight. September 10 – 2,105 sessions. September 11 – 124,036 sessions. Interesting stuff happens when scale changes that dramatically, that quickly so I thought I’d share a few things I learned here, both things I was already doing well and things I had to improve as a result of the experience.

Oh – why did the traffic go so nuts? Because the news headlines said there were 5 million Gmail accounts hacked. Of course what they really meant was that 5 million email addresses of unknown origin but mostly on the gmail.com domain were dumped to a Russian forum along with corresponding passwords. But let’s not let that get in the way of freaking people out around the world and having them descend on HIBP to see if they were among the unlucky ones and in the process, giving me some rather unique challenges to solve. Let me walk you through the important bits.

Monday, September 8, 2014

Solving the tyranny of HTTP 403 responses to directory browsing in ASP.NET

You may not know this, but an HTTP 403 response when browsing to an empty directory is a serious security risk.

What the?! You mean if I go to my website which has a “scripts” folder where I put all my JavaScript and I have directory browsing disabled (as I rightly should) and the server returns a 403 “Forbidden” (which it rightly should), I’m putting my internet things at risk of being pwned?!

Yes, because it discloses the presence of a folder called “scripts” which is a common directory.

Well of course there’s a bloody folder called “scripts”, all my HTML source which you can see references it! I could call it “i-love-drunken-elephants” and you could still see it so what’s the point?!

But it would still return a 403 which would confirm the existence of the resource and pose a directory enumeration risk.

But you can discover the presence of the directories anyway! Ok, in today’s modern apps like ASP.NET MVC they might actually be routes that don’t translate through into physical paths but still, this is just being pedantic!

Your site can’t go live until you fix it.

Uh, let me just fix that for you…
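The check behind this exchange, as an added example rather than code from the original post: a directory brute-forcer doesn’t need a 200 to confirm a folder exists, it only needs a status code that differs from the one a certainly-missing path gets, so a 403 on an existing folder is every bit as useful to it as a 200. The two “servers” below are simulated with in-memory probe functions, the folder names and wordlist are constructed sample data, and `http_probe` shows how the same loop would be pointed at a live site.

```python
"""Directory enumeration via status-code differences (403 vs 404).

Added example, not code from the original post. The two "servers" are
simulated in memory; EXISTING_DIRS and WORDLIST are constructed sample data.
"""
import urllib.error
import urllib.request
from typing import Callable, Iterable, List

# Constructed: folders that exist on a hypothetical ASP.NET site.
EXISTING_DIRS = {"/scripts", "/content", "/admin", "/backup"}

# Constructed: the kind of wordlist a directory brute-forcer throws at a site.
WORDLIST = ["scripts", "content", "admin", "backup", "images",
            "i-love-drunken-elephants"]

# A path no sane site has; whatever it answers is the "missing" baseline.
CANARY = "/this-path-does-not-exist-8f3a1c"


def leaky_probe(path: str) -> int:
    """Behaviour the post complains about: directory browsing is disabled,
    so an existing folder answers 403 while a missing one answers 404."""
    return 403 if path in EXISTING_DIRS else 404


def hardened_probe(path: str) -> int:
    """Hardened behaviour: existing and missing folders both answer 404,
    so the status code no longer reveals whether the folder is there."""
    return 404


def http_probe(base_url: str) -> Callable[[str], int]:
    """Build a probe for a live site (assumed URL; not used by the demo below)."""
    def probe(path: str) -> int:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # urllib raises 4xx/5xx as HTTPError
    return probe


def enumerate_dirs(probe: Callable[[str], int], words: Iterable[str]) -> List[str]:
    """Return every candidate path whose status differs from the canary's.

    Any deviation from the known-missing baseline (403, 301, 500, ...)
    is taken as confirmation that the resource exists.
    """
    baseline = probe(CANARY)
    return ["/" + word for word in words if probe("/" + word) != baseline]


if __name__ == "__main__":
    print("leaky    :", enumerate_dirs(leaky_probe, WORDLIST))
    print("hardened :", enumerate_dirs(hardened_probe, WORDLIST))
```

Against the leaky behaviour every real folder in the wordlist is confirmed, including ones the HTML never references such as “admin” and “backup”; against the hardened behaviour the scanner finds nothing. Status code is only the most obvious tell: a 301 that appends a trailing slash, or a 403 body that is a different length from the 404 body, gives the same confirmation, so whatever fix you apply has to make an existing folder and a missing one answer identically in every respect a scanner can compare.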

Friday, September 5, 2014

What the f*** were they thinking?! Crazy website biases exposed by naughty words lists (the NSFW version)

I’ve long held the view that passwords should consist of as many crazy things as the owner deems fit. If I want to create a password that looks like a dog just ate the keyboard and threw up all the keys, then good for me. (Chances are that Fido is going to cough up a pretty unique password too but before PETA gets on my case, try using a password manager like 1Password instead.)

Now I’m used to seeing all sorts of ridiculous limits on passwords – no “special” characters, limit of 12 chars, no spaces, can’t use letters “q” or “z”, can’t use letters at all – but the banning of specific words is something else altogether. I don’t mean words like “select” or “drop” either, you know, the kind that shows someone has done a sloppy job of their SQL injection mitigations, I mean words like these:

A jar of Extreme Nut Butter

I’ll come back to the impact of passwords named after this particular sandwich spread. Banning certain words is one thing, but inadvertently publishing the entire list is quite another and it discloses some very interesting biases on behalf of the site.

Biases implied by the words a site allows versus those it blocks don’t need to remain the domain of passwords alone. There are other cases where words are blocked and again, the list is exposed publicly for (presumably unintentional) scrutiny. When I say “biases”, I’m talking about everything from religious views to gender equality to which animals may be off limits for zoophilia. Yep, it’s that weird and it all begs the question – what the fuck are they thinking?! (Get used to the language, the title of the post warned you!)
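On the “select” and “drop” aside above: as an added example that is not part of the original post, here is why banning SQL keywords in a password is a sign of the wrong mitigation. The table layout and the two sample accounts are constructed for illustration and everything runs against an in-memory SQLite database.

```python
"""Why banning "select" or "drop" in a password is the wrong fix.

Added example, not code from the original post. Uses an in-memory SQLite
database; the table layout and SAMPLE_USERS are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Tuple

# Constructed sample accounts. Bob's password is exactly the kind a keyword
# blacklist rejects even though it is perfectly harmless.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice", "correct horse battery staple"),
    ("bob", "drop table users; select 1"),
]

BANNED_WORDS = ("select", "drop", "insert", "delete", "union")


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password never appears in any SQL text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # The plain-text table exists only so the injection below is easy to see.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for username, password in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                     (username, salt, pbkdf2(password, salt)))
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the password is parsed as SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def blacklist_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'mitigation' a keyword ban implies: reject scary words, then
    concatenate anyway. It locks Bob out and still lets the injection through."""
    if any(word in password.lower() for word in BANNED_WORDS):
        return False
    return vulnerable_login(conn, username, password)


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus hash comparison: the password is data, never SQL."""
    row = conn.execute("SELECT salt, hash FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, pbkdf2(password, salt))


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"
    bob_pw = SAMPLE_USERS[1][1]
    print("vulnerable, injected :", vulnerable_login(db, "alice", injected))  # True
    print("blacklist, injected  :", blacklist_login(db, "alice", injected))   # True
    print("blacklist, bob       :", blacklist_login(db, "bob", bob_pw))       # False
    print("hardened, injected   :", hardened_login(db, "alice", injected))    # False
    print("hardened, bob        :", hardened_login(db, "bob", bob_pw))        # True
```

The injected password contains none of the banned words, so the blacklist stops nothing; meanwhile Bob, whose password merely mentions a table, is locked out of his own account. With a parameterised query the quote and the `OR` are just characters in a bound value, and once the stored value is a salted hash the user’s password never reaches the SQL engine as text at all, which is why a site that needs to ban “select” is telling you how it handles your password.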

Thursday, September 4, 2014

Hack Your API First – learn how to identify vulnerabilities in today’s internet connected devices with Pluralsight

A few years ago I was taking a look at the inner workings of some mobile apps on my phone. I wanted to see what sort of data they were sending around and as it turned out, some of it was just not the sort of data that should ever be traversing the interwebs in the way it was. In particular, the Westfield iPhone app to find your car caught my eye. A matter of minutes later I had thousands of numberplates for the vehicles in the shopping centre simply by watching how this app talked over the internet:

Four photos of vehicles matching the search results

In line with my personal views on disclosure, I published the blog mentioned above and a media furore followed; how on earth can a company be so careless with our personal data?! Why wasn’t this identified earlier?

The thing is, this sort of thing is both very common and very easily identified in your apps or anyone else’s apps for that matter and that’s exactly what I set out to show you in my latest Pluralsight course Hack Your API First.

Wednesday, September 3, 2014

Automating web security reviews with Netsparker

I will not run web security analysers without first understanding web security.
I will not run web security analysers without first understanding web security.
I will not run web security analysers without first understanding web security.

Are we clear now? Good, because as neat as tools like the one I’m about to discuss are, nothing good comes from putting them in the hands of people who can’t properly interpret the results and grasp the concepts of what dynamic analysis scanners can and cannot cover. If you’re looking for a tool to do all the hard work for you without actually understanding what’s going on, this isn’t the post you want to read! (Yes, there are places that sell “security in a box”, no, do not trust them!)

That said, Netsparker is rather awesome at automating the often laborious process which is trawling through a website and looking for risks. I do this all the time and it quickly becomes both repetitive and time consuming. But it also very often bears fruit, in fact this is why I wrote the Pluralsight course titled Hack Yourself First: How to go on the Cyber-Offense. The whole premise of this course is about how to identify insecure patterns in web apps, how to exploit those patterns and then most importantly, how the secure patterns look and how they defend against attacks. If I’m honest, it’s my favourite course to date and I reckon it’s a “must watch” for all web developers, although I will acknowledge some bias :)

Speaking of Hack Yourself First, have you seen this train-wreck of a website?

The vulnerable "Supercar Showdown" website

This is the site I built specifically for the course and it’s publicly accessible at hackyourselffirst.troyhunt.com. It also has about 50 serious security vulnerabilities in it. These are the sorts of vulnerabilities I’ve seen over many, many reviews of web security over the years and I’ve built them all into the one mother of an insecure site. It’s the kind of site that Netsparker should have a field day with so let’s see what it finds shall we?

Thursday, August 28, 2014

Security Insanity with RunAs Radio

I know I’ve shared this a number of times now, but no matter how much I see it, it still cracks me up:

Twitter: @troyhunt Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

Make sense? Of course it doesn’t and therein lies the insanity of it all! But let us not single out Tesco alone, there are plenty of British companies that construct responses like this (sorry English people, I don’t know why, they just seem to feature disproportionately compared to the rest of the world). In fact earlier this week I wrote about the new Twitter account I’d set up called @InfoSecInsanity which is sharing heaps of this kind of nuttiness, not just the stuff from the UK!

I was inspired in part when Richard Campbell asked me to do another RunAs Radio show on the subject and I realised I didn’t have a good list of the crazy on hand. Anyway, InfoSec Insanity is now a thing and Richard and I recorded the show earlier this week. It’s now out for your listening pleasure here or you can play it directly below. Enjoy!

Monday, August 25, 2014

InfoSec Insanity: Sharing the crazy for the betterment of online security

I was getting a little fed up with the craziness I kept seeing on the web when it comes to security, so I created this:

Logo

That’s right, a great big freakin’ padlock with a straightjacket or more to the point, I created the Twitter account @InfoSecInsanity.

Tuesday, August 12, 2014

Hello World, this is Troy

How did you get started in this industry? I mean what made you go “Hey, sitting at a keyboard day in day out whilst focussed on screens and not seeing much sunlight sounds awesom…” – wait, it doesn’t sound quite so awesome when you think of it like that.

In fact that was my original view of computers in general but as I told Shawn Wildermuth on his latest Hello World podcast, that view of the world soon changed. The change of heart was more than helped along by making some rather obscene amounts of money writing code while very young, then consequently watching it all disappear (and then some) as the dodgy “horseracing identities” I was writing it for went down in spectacular fashion.

That’s just part of the story I told Shawn, here’s the rest of it:

Friday, August 8, 2014

Migrating from Subversion to Git with svn2git on Windows (the tricky bits explained)

This is one of those “I keep doing this and it hurts each time and there’s never a good concise resource that explains it well so I’m writing one” posts. Yes, yes, I know it’s easy – if you have Ruby installed. Or you’re living in a *nix world. Or you have a reasonable understanding of Git. Or you get pleasure from pain.

However, if you’re living on Windows and you just want to get the damn thing done, it can be painful. I keep setting up new machines and having to remember how to do this from scratch so this time, I’m writing it all down. Here goes: