Saturday, 30 January 2016

Thank you Waitrose, now fix your insecure site

I had a follower send me a curious question the other day which if I paraphrase, went like this:

Hi, I was worried about the security of the Waitrose login form so I contacted them about it. They sent me a response but I’m not sure if it’s correct – can you shed some light on it?

Actually, yes, I can and frankly, it’s a bit of a comedy of errors. For those not familiar with Waitrose, they’re a large British supermarket chain bringing in somewhere around five and a half billion (with a “b”) British pounds a year. They’re huge and they have access to more than enough funds to have smart people get their security right… or so you’d think. Let’s start at the beginning and look at the front page of waitrose.com:

Waitrose login page served over HTTP

Tuesday, 26 January 2016

XSS’ing the security speaker panel via sli.do

One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected:

This was whilst answering questions on a panel – a security panel – at ProgramUtvikling’s security day in Oslo last week (they’re the guys who run the NDC conferences around the world). I was sitting up there on the stage with Erlend Oftedal and Einar Otto Stangvik whilst the big screen behind us scrolled through questions asked by the audience using the sli.do app. The questions were being read out by Niall Merrigan until… he stopped in his tracks and I can’t recall whether his reaction was amusement or horror or a mix of the two, but turning around, we all saw the screen adorned with the XSS alert.

Tuesday, 19 January 2016

The impact of “Have I been pwned” on the data breach marketplace

I’ve been running “Have I been pwned?” (HIBP) for just over a couple of years now and to say that it’s exceeded my wildest expectations of what it might achieve is somewhat of an understatement. The volume of data it now holds is one thing, the many hundreds of thousands of notification subscribers is another and yet another again is the volume of traffic it serves, sometimes in the millions of visitors a day. But recently, the penny has dropped on something else it’s managed to achieve that I never expected; it’s impacting the market price of breached data.

Identities are valuable. Email addresses, passwords, physical addresses and phone numbers to name but a few data attributes all pose value to criminal elements. They enable access to accounts well beyond just those breached thanks to both password reuse and weak verification processes (read Brian Krebs’ piece last month on PayPal’s lazy authentication for a great example) plus of course provide malicious actors with essential elements required for identity theft. Whilst individual identities are valuable, full data breaches with potentially millions of identities can be a gold mine.

For example, back when I was dealing with the 000webhost breach, someone sent me this DM:

Tweet about 000webhost selling for $2k

Friday, 8 January 2016

PayPal and zero dollar invoice spam

I got a rather odd invoice via PayPal the other day, it looks like this:

PayPal spam email in a $0 invoice

Naturally the first thing I did was to look for spoof email indicators, but none of the usual suspects were showing up:

  1. It was from member@paypal.com.au
  2. The mail headers were legit
  3. The “View and Pay Invoice” button linked directly to https://www.paypal.com/

Monday, 4 January 2016

It’s 2016 already, how are websites still screwing up these user experiences?!

We’re a few days into the new year and I’m sick of it already. This is fundamental web usability 101 stuff that plagues us all and makes our online life that much more painful than it needs to be. None of these practices – none of them – is ever met with “Oh how nice, this site is doing that thing”. Every one of these is absolutely driving the web into a dismal abyss of frustration and much ranting by all.

And before anyone retorts with “Oh you can just install this do-whacky plugin which rewrites the page or changes the behaviour”, no, that’s entirely not the point. Not only does it not solve a bunch of the problems, it shouldn’t damn well have to! How about we all just agree to stop making the web a less enjoyable place and not do these things from the outset?

Allow me to totally lose my cool for a bit and tell you just what’s wrong with the web today:

Thursday, 31 December 2015

2015 retrospective

I don’t normally do the year in review thing, but then I don’t normally have a year like this either. Whilst it may not seem like it to the casual observer, life changed in so many significant ways in 2015, more so than any time in probably the last 15.

The other day I was having a spin back through my tweets with media and I realised just how nuts things had been, so I thought I might capture a bunch of them here as they really tell the story. This is as much for me to reflect on the year as it is for other people to see what I’ve been up to; I hope you find it interesting.

Speaking at Ignite 2015

Tuesday, 29 December 2015

No, you can’t join my wifi network

I’ve had a couple of experiences recently where guests have come to stay and then requested to jump on my wifi. In each case, I’ve declined and in turn they have expressed some degree of shock and outrage. Because it will happen again and because I don’t want upset guests staying in my house, allow me to articulate clearly and objectively why my network is off limits and why perhaps you too want to think twice about allowing access to yours.

Thursday, 10 December 2015

Hacking Gary – a Pluralsight Play by Play

Every now and then, a Pluralsight course completely defies the odds of what I expected it to do. Now it’s not that I don’t think this latest one is a good course, rather it’s that it’s a play-by-play which effectively went like this:

Pluralsight: Hey, how about you hack Gary Eimerman and we record it?

Me: You had me at “hack”!

And that’s about it – now it’s one of the top-rated courses in the library having been watched by thousands of people in only 5 days! All it entailed was jotting down some notes about stuff that would look good on camera and then sitting down with Gary and recording it. Oh yeah – it’s a video recording and not just a screencast like most Pluralsight courses so we’re talking about this:

Gary Eimerman and myself

Friday, 4 December 2015

Get more awesome Pluralsight content than ever for zero dollars!

Pluralsight content remains enormously popular among a growing audience of technology pros not just because of the breadth of content (we’re talking about well over 4,000 courses now), but because it’s so cheap to get into. Less than a dollar a day and you’ve got access to some really top notch content that’s created by some of the best in the business then scrutinised and peer reviewed to ensure it’s right up there as the best possible training material you can find on the web. It’s amazing the lengths people will go to get their hands on Pluralsight courses…

But here’s the good bit – more content than ever is now available without spending a cent and there are two reasons for that.

Firstly, if you’re an MSDN subscriber there’s 15 courses you can go and watch right now that are free with your subscription:

  1. SOLID Principles of Object Oriented Design
  2. Building a Web App with ASP.NET 5, MVC 6, EF7 and AngularJS
  3. Getting Started with JSON in C# Using Json.NET
  4. C# Fundamentals with Visual Studio 2015
  5. C# Best Practices: Improving on the Basics
  6. WCF End-to-End
  7. Visual Studio 2015: Essentials to the Power-User
  8. Visual Studio Code
  9. Building Highly Scalable Web Applications in Azure
  10. Modernizing Your Websites with Azure Platform as a Service
  11. LINQ Fundamentals
  12. Getting Started with Entity Framework 6
  13. Building Cross-Platform iOS/Android Apps with Xamarin, Visual Studio, and C# – Part 1
  14. Building Cross-Platform iOS/Android Apps with Xamarin, Visual Studio, and C# – Part 2
  15. Building Cross Platform Mobile Apps with C#, Xamarin, and Azure

My obvious bias has led me to highlight one in particular, and I’m really pleased to see my Azure course being made available to so many people. This is a real practical “from the trenches” style course with a heap of knowledge from building and running Have I been pwned? now available to everyone in that course.

Wednesday, 2 December 2015

The ongoing scourge that is SQL injection and Azure’s new SQL Database Threat Detection

Hey, did you hear about this new security risk? It’s called SQL injection and attackers can just suck all your datas out of your system if you screw it up badly enough. Allegedly there’s like, millions of websites at risk and even kids can easily break into them!

Wait – this isn’t a new risk?! Well how come it’s all over the news and these seriously large companies keep getting pwned by it?! How is that even possible?!

And here we are at that reality of today; SQL injection, whilst well understood for a good decade and a half, remains the number one risk on the web today. Certainly it’s there according to OWASP and their Top 10 Web Application Security Risks and there for several reasons:

  1. It’s easy to discover. Kids – yes kids – are running Googledorks, finding at-risk systems and then just grabbing all the data which brings me to the next point:
  2. It’s easy to exploit. Watch my Hacking is child’s play video where I taught my 3 year old how to undertake a SQL injection attack. It’s that easy.
  3. The prevalence is common. SQL injection is all over the place, and not just in the old stuff either: there are new risks being built every day and indeed even tutorials aimed at developers which already have SQL injection risks in them.
  4. The impact is severe. You get pwned by SQL injection and it could mean everything in your database gets extracted. Or modified. Or deleted. Or the attacker runs commands on the server itself. Or pivots to other machines in the network. Or… or… or… it goes on.

Some notable incidents in recent times include TalkTalk in the UK getting well and truly rolled by a 15 year old (a couple of 16 year olds and an elderly gent of 20 were later also arrested) and the really big one in the news this week, VTech. Thanks to good old SQL injection, they lost hold of not only 4.8 million customer details, but 6.3 million children’s details. That’s not just a massive hack, that’s simply unprecedented. SQL injection is the exploit that just keeps on giving.
