Friday, 30 January 2015

Understanding Azure website auto-scale magic

I was helping out a consumer of Have I been pwned? (HIBP) earlier today as they were trying to build up a profile of the pwnage state of their client base. This meant firing a heap of requests at the API so that they could assess a very large number of accounts. I’m always interested in how far this service can be stretched and indeed what the thresholds are before Azure starts applying auto-scale magic.

First up, keep in mind that each request to the API is searching through 175 million records in Azure Table Storage. You can read about the story of HIBP for background on why I chose this data structure but one of the key reasons is scale – it’s massive!

Anyway, here’s what I started seeing early this morning courtesy of New Relic:

Requests per minute peaking at over 5k

Wednesday, 28 January 2015

Azure WebJobs are awesome and you should start using them right now!

No really, they’re totally awesome! I used Azure WebJobs in the very early days and whilst they served a purpose, I wasn’t blown away with them at the time. In fact I went on to use Worker Roles for the back end paste processing behind Have I been pwned? (HIBP) and whilst they served me well, there were also aspects that weren’t as slick as the broader Azure ecosystem.

Recently I had cause to build another back end process for HIBP (one I’ll talk more about in detail in a later post) so I thought I’d come back and visit WebJobs again. The extent of what I was able to do, the ease with which it all happened and the time it took just totally blew me away. There were a few things in particular though that really struck me while building out this new feature using WebJobs and I wanted to capture and share those here.

What I ended up deciding to do is to rebuild a part of HIBP using a WebJob, namely the part that looks for new pastes in a queue then goes and retrieves them from Pastebin and sends out notification emails to those impacted. Converting this from a Worker Role really highlighted where WebJobs shine.

Friday, 23 January 2015

Automating web hosting creation in Azure with PowerShell

Here’s your situation: you’ve got a heap of websites on traditional hosting models. Shared tenancies on single logical machines, dedicated infrastructure or even worse, not really any idea because you just keep paying that $5 per month and stuff works. Most of the time.

But you’ve seen the light and you want to move things to Azure en masse. A small handful of sites isn’t a drama, there’s a bit of setup work to create the Azure resources for each one and so long as you follow a pre-defined set of steps just perfectly, you’re fine. But like most things that require manual steps, it’s highly error-prone in terms of getting everything just right every time and it’s also very laborious. Once that handful of sites becomes dozens, it starts to feel like a bit of hard work. Not only that, but you’re going to want new assets in Azure in the future and having a repeatable way of doing that near instantaneously would be kind of nice.

I had this challenge recently – “we want to migrate a heap of websites to Azure and they’ll all fit into basically the same pattern” – so rather than have people clicking links in the Azure Portal, I gave them a single PowerShell script and unleashed them. I’m going to give you all the steps here that explain how it all works and give you the entire PowerShell script so that you don’t have to work out all the nuts and bolts from scratch. Enjoy!

Thursday, 15 January 2015

Have your customers been pwned? Would you like to know?

For the past year and a bit I’ve been building out features on Have I been pwned? (HIBP) in response to things I think would be awesome and things I’m asked for. I’m constantly surprised at the ways people have found to use the data for good, which is a nice twist given that the data normally comes from very unpleasant circumstances. For some ideas on how the data has been used, have a look at the API consumers page: various mobile apps, security tools, an IFTTT recipe and even a browser plugin. All of these plug into the existing freely available API, the one with nothing to get in the way such as auth or rate limits or anything else that poses a barrier to just getting in there and using it, like money! It’s open and it’s free.

But there’s much more been going on to make this data more useful to people who can do good things with it. Almost a year ago to the day, I released the domain search feature which allows anyone to verify their ownership of a domain and then be notified when anyone with an email on that domain is pwned. It’s been great for people who manage their own domains (i.e. they create multiple emails @myname.com) and also for organisations that want to get alerts when their staff get pwned, which is particularly useful given the potential for subsequent phishing attacks and direct impact to the organisation. There have been thousands of domain notifications already sent for both breaches and pastes that have impacted domains ranging from those managed by individuals for their family members right up to a number of Fortune 100 orgs with 100,000+ staff. It’s all working rather nicely :)

But there’s another really interesting use case for the service and that’s supporting people with dozens or even hundreds of domains they want to monitor. This is not something that’s really feasible to set up one by one; the existing verification process is fine for a few, but it’s not only laborious for large numbers, sometimes it’s not even possible. To that effect, over the last year I’ve had a number of people come to me and ask for a bulk load of domains. For example, a major bank who has assets spread out across many brands with unique domains. A telco who provides email services across dozens of domains. A financial services company that offers products under different names. And a really interesting one I can actually share with you publicly: XCentral.

Tuesday, 6 January 2015

Are your apps leaking your private details?

For many regular readers here, this is probably not overly surprising: some of your apps may do nasty things. Yes, yes, we’re all very shocked about this but all jokes aside, it’s a rather nasty problem that kids in particular are at risk of. There was a piece a few days back on Channel 4 in the UK about Apps, ads and what they get from your phone where a bunch of kids had their traffic intercepted by a security firm. The results were then shared with the participants where their shocked responses could then be observed by all.

I got asked for some comments on this by SBS TV here locally which went to air last night:

Monday, 5 January 2015

Introducing the “Secure Account Management Fundamentals” course on Pluralsight

I’ve just published my eighth Pluralsight course – Secure Account Management Fundamentals – and it’s all about the things we need to do to properly look after the valuable customers that use the services we developers build. Normally when I launch a new course I’d write up a bunch of detail on what it’s all about but this time, I thought I’d reproduce a collection of the discussions I’ve had with many people over many years about secure account management concepts.

I assure you, I’ve had all these conversations many times and I keep seeing the same fundamental misunderstandings not just with discrete security concepts but with the logic flow that surrounds account management processes. Treat this as “stories from the trenches” which the new Pluralsight course sets out to directly address.

Friday, 2 January 2015

Sony, North Korea and Cyberwarfare on RunAs Radio

It was the story that got weirder and weirder and will likely remain the high water mark for impactful security breaches for, well, probably not very long given this industry! Be that as it may, the Sony saga was unprecedented in many ways and it provoked some really interesting discussions.

A couple of weeks back I suggested that many of us are working for the next Sony Pictures insofar as a lot of the atrocious practices they followed are pretty much par for the course in large enterprises. This to me is one of the key lessons we should be taking away from all this – you may be nothing more than one bad employee or one nasty piece of malware away from your own place of work suffering the same fate.

Last week I caught up with Richard Campbell and we recorded a RunAs Radio episode on the hack. Whilst only a half hour can barely do it justice, we still covered a lot and I hope you find it interesting listening. Enjoy!

Friday, 19 December 2014

Are you working for the next Sony Pictures? Here’s some things to check at work

Clearly, Sony Pictures has had a rather bad time of it lately. First there were the threats from the alleged attackers, then the beginning of internal data dumps that now total tens of GB already, then the embarrassing internal email leaks, then the threats of 9/11 style attacks and now pulling the launch of “The Interview” because allegedly, the North Koreans don’t share their sense of humour. This is, without a doubt, the bizarrest of hacks in an industry where bizarre is par for the course.

One of the things that keeps hitting the headlines is how bad Sony’s security practices are (or at least “were”, apparently they’re back to fax machines now). But there’s that whole “stones and glass houses” thing which, last night, prompted me to suggest this:

This is a very uncomfortable truth. Yes, many of Sony’s practices were atrocious and yes, they deserve to be raked over the coals for them, but are they the exception? Or the norm? I say it’s far more the latter than the former, let me show you what I mean and how you can identify the same risks in your organisation that are probably going to cost Sony hundreds of millions of dollars.

Thursday, 4 December 2014

Applied Azure: Infographic of how “Have I been pwned?” orchestrates Microsoft’s cloud services

Remember the good old days when a website used to be nothing more than a bunch of files on a web server and a database back end? Life was simple, easy to manage and gloriously inefficient. Wait – what? That’s right, all we had was a hammer and we consequently treated every challenge like the proverbial nail that it was so we solved it in the same way with the same tools over and over again. It didn’t matter that an ASP.NET website on IIS was woefully inadequate at scheduling events, that’s all we had and we made it work. Likewise with SQL Server; it was massive overkill for many simple data persistence requirements but we’d spent the money on the licenses and we had an unhealthy dose of loss aversion coupled with a dearth of viable alternatives.

This was the old world and if you’re still working this way, you’re missing out big time. You’re probably spending way too much money and making life way too hard on yourself. But let’s also be realistic – there are a heap of bits in the “new world” and that means a lot of stuff to learn and wrap your head around. The breadth and depth of services that constitute what we know of as Microsoft Azure are, without a doubt, impressive. When you look at infographics like this you start to get a sense of just how comprehensive the platform is. You also get a bit overwhelmed with how many services there are and perhaps confused as to how you should tie them together.

I thought I’d take that aforementioned infographic and turn it into what Have I been pwned? (HIBP) is today. Oh – and speaking of today – it’s exactly one year since I launched HIBP! One of the key reasons I built the service in the first place was to get hands on with all the Azure services you’ll read about below. I had no idea how popular the service would be when I set out to build it and how well it would demonstrate the cloud value propositions that come with massively fluctuating scale, large volumes of data storage and a feature set that is distributed across a range of discrete cloud services.

Here’s the infographic, click through for a high-res PNG or go vector with PDF and read on after that for more details on how it’s all put together.

The "Have I been pwned?" Microsoft Azure Ecosystem

So that’s the big picture, now let me fill in the details.

Friday, 28 November 2014

This is your bank, please verify your details – No, you verify YOUR details!

The phone rings from a concealed number and you pick up:

Hello?

Silence.

More silence.

Eventually a foreign voice enters:

Hi, this is your bank, we need you to verify some details.

This is the point where you should be disclosing absolutely nothing, at least nothing that is not known already which is probably just your phone number and perhaps your name if they’ve greeted you with it. No, I’m not revealing my address or my account numbers or my password because frankly, I don’t trust you. Don’t get me wrong – it’s not because of your foreign accent – but it’s because it’s part of a larger tapestry of suspicious attributes of the call.

This is precisely what happened to me this week and it’s worth explaining why this is worrying, how you should respond and what the bank did wrong. Yes, the bank, the call was actually legit.
