Friday, 24 October 2014

Get Cloak. Go Dark. VPN’ing out from the Great Firewall of China

Friday, 24 October 2014

Let’s go through just some of the ways you can hand your valuable datas over to people that want to get somewhere in between you and whatever service it is you want to talk to at the other end.

You can get pineappled and certainly that’s been a favourite of mine to demonstrate because it’s just so damn easy (it’s also kinda cool, if I’m honest).

The router you connect through can be pwned and its DNS changed to help pay for Brazilian hookers (yes, you read that right).

The Tunisian government can just siphon up all your packets as they pass through the ISPs under their control. Ok, maybe you’re not in Tunisia, but I think we’re all a little wary of the American government lately too…

And so on and so forth. I saw a great story today on the risks of public wifi which puts the threat of a man in the middle attack (henceforth an MitM attack) into perspective. As an iOS user, when I read stuff like China's Massive iCloud Hack, I get a little concerned. As an iOS user travelling to China, I get a VPN and that’s where Cloak comes in.

There are many consumer-orientated VPN service and I’m told that many of them are excellent, which I’m sure they are. I decided to give Cloak a go in part because their website made it super simple to understand, in part because the Twitter account actually reached out and made contact when I mentioned it (pro tip: this matters to a lot of people) and also in part because it has a free intro and good pricing plan. It was only after I started using it that I found some other neat tricks as well. It’s a dead simple app and it looks like this:

The Cloak app

This is really, really simply and that’s what really got me excited about Cloak, not much more than the plan you’re on and a few basic settings. Let’s go through them.

Read more

Wednesday, 22 October 2014

.NET Rocks Podcast: The Security of IoT

Wednesday, 22 October 2014

You know how you always wanted a fork with an ARM processor that could upload data wirelessly over the internet? C’mon, you know you want it and now you can get a HAPIfork.

Or how about your light globes? Yes, LIFX totally rocks but no, I wasn’t so keen on the idea once I learned your neighbours could pwn your wifi through them.

This brave new “Internet of Things” world is equal parts awesome and scary and there seems to be no limit to the extent we’ll go to connect our things. We connect these things to the internet via APIs and of course at the end of the day, an API is not much more than a website without a user interface. Because it’s a website it has website vulnerabilities yet when we put these APIs behind our “things”, they’re that much harder to monitor in terms of risks, unless you know where to look…

This is why I wrote the Pluralsight course titled Hack Your API First. I’ve explained why this course rocks before so I won’t dwell on it here, but I did get a good chance to talk to the awesome duo from .NET Rocks again the other day on the security implications of IoT, what it means to connect all our things and why you may no longer be able to trust your toilet.

The podcast is over on the .NET Rocks website or embedded here:


Tuesday, 21 October 2014

Disabling SSL 3 in Azure websites (and why it doesn’t look like you have)

Tuesday, 21 October 2014

Just a quick one as it’s mostly explained in How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines, but there are a few bits worth adding. Oh – just in case POODLE was news to you, go back and read my post on Everything you need to know about the POODLE SSL bug from last week.

Back to Nazim’s guidance above on Azure websites, you can either install a site extension to disable SSL 3 or make a URL rewrite rule that looks at a custom header in the request. My view is that the latter is always preferable as it puts it right into the config of the site. Deploy it somewhere else later and the config is still good (assuming it’s an Azure website that recognises the setting). I can see some people preferring the site extension as it means you don’t need to redeploy the site, but if you’re worried about that then you probably have some bigger problems to deal with!

Now, before deploying the fix, let’s make sure that SSL 3 is indeed enabled because personally, I like to see evidence that changes I’m making actually do something. Here’s a Qualys SSL Labs scan of the site before any changes:

An A- rating on SSL labs with SSL 3 being reported as enabled

Read more

Friday, 17 October 2014

Measure, optimise then measure again: further refining “Have I been pwned?”

Friday, 17 October 2014

As I’ve written in the past, I put an awful lot of effort into making Have I been pwned? (HIBP) fast. Not just a bit fast, blisteringly fast and that includes when it’s under a huge amount of load. But there was something bugging me with the site when it came to performance and it was this:

33 SVG images loaded on HIBP

That’s right, 33 images loaded on the front page. Yes they’re SVG and yes they’re tiny and yes they’re served from a CDN but you simply cannot get past the fact that the browser needs to make a heap of additional requests to load them. Granted, you could sprite them (yes, you can do this with SVGs) but you can’t escape the additional bytes that need to be downloaded nor the additional rendering time in the browser (this is more significant then you might think – we’ll come back to this).

Read more

Wednesday, 15 October 2014

Everything you need to know about the POODLE SSL bug

Wednesday, 15 October 2014

We don’t seem to go far these days without the next “catastrophic” bug hitting the internets. Remember how a few weeks ago Shellshock was going to end the internet as we know it? If you believed all the headlines, that sucker was going to own us through our light globes (I suspect some poetic license was taken on my IoT comments) and the web would never be the same. Scroll forward and it’s already “Shell-what?”

Earlier this year it was Heartbleed and it too was destined to bring the internet to its knees. Except it didn’t. Whilst I’ve no doubt a number of sites got well and truly screwed over by it (Shellshock too, for that matter), it was over-inflated yet in some ways the hysteria served a positive purpose in that it got massive airtime and inevitably more attention than it would have had we all responded a little more rationally.

Which brings us to POODLE. Whilst I doubt we’ll see the same mass hysteria as we did last month, it is (and will continue) hitting the news and like the other two biggies this year, it’s serious enough to warrant attention and obscure enough to result in wild speculation and a general misunderstanding of the underlying risk. Let me share what I know based on the questions I’m hearing.

Read more

Gone Mobile Podcast: Securing Mobile Apps

I’ve learned some rather intriguing things about what our mobile apps are doing while we’re not looking in the six days since I launched the challenge to find crazy stuff in mobile app communications.

For example, there’s the social app that allows you to accept friend requests on behalf of someone else if you call the API in the right way. Sequential user IDs and no rate limiting help that one along nicely.

Then there’s the word game that sends you all the possible solutions via the API whilst you’re playing. That’s rather handy and it only take a little bit of device proxying and wammo! There’s all your answers.

Or how about this detailed overview of how an API passes credentials around in the URL after storing them in clear text and making a vain attempt to thwart SQL injection. Yep.

I recently caught up with Greg Shackles of the Gone Mobile Podcast and we spoke about a heap of these security anti-patterns in mobile APIs. This is off the back of my latest Pluralsight course, Hack Your API First so if you want to know what that’s all about, the podcast will give you a really good sense of why it’s important. You can find it podcast on Gone Mobile’s site or listen to it directly here:

Oh – and if you want to take the course for free, head on over to that little challenge I mentioned earlier, leave a comment on the crazy stuff you’ve found and I’ll send you over a free pass.

Tuesday, 14 October 2014 and ignoring specific Web API exception types

Tuesday, 14 October 2014

In the spirit of “here’s something I couldn’t find an easy answer for so I’m writing it myself”, let me very briefly run you through how to have ignore specific exception types raised by Web API.

Firstly, Web API support came a couple of months ago which is rather important given how much stuff is transitioning to APIs these days. I use Web API fairly extensively in Have I been pwned? (HIBP), partly to enable nice light async requests once pages have already loaded and partly as a dedicated API that others can consume at will.

Setting up was dead simple and it looks like this in the WebApiConfig class which is invoked on Application_Start:

public static void Register(HttpConfiguration config)

Job done, except there’s a problem: The theory is that APIs should be all nice and HTTP semantic which means, for example, that if you were to request a resource via the API and that resource didn’t exist, the API should return a 404. Now I’ve got logging 404s by default because I want to know if I’ve broken a link or someone has linked to a non-existent resource or (and this happens a lot) someone is running a security scanning tool over the site and looking for things that don’t exist. However, I don’t want to log 404s that I’m intentionally throwing during the organic execution of the app.

Read more

Thursday, 9 October 2014

Find crazy stuff in mobile app communications (and get free stuff!)

Thursday, 9 October 2014

Here’s a pop quiz for you: how much data do you reckon this iPad app downloads when it first runs? I don’t mean how big it is to download from the App Store (it’s 25MB), I mean after you download it then simply tap the icon to fire it up, how much data does it pull down if you don’t touch it again? Take a close look and consider the answer before reading on:

Th EVO iPad app

Now you’ve probably done what I would have done – looked what you can see on the screen, speculated about how you’d build it in a way to make it respond quickly to someone flicking through the app (it’s a performance car magazine you can buy subscriptions to) and concluded – what do you reckon, maybe a few meg? Seem fair?

Try 1.8 gigabytes. You heard me, that’s not a typo. You open up this 25MB app and it’ll pull down dozens of files of dozens of meg each when you run it. Won’t someone please think of the bandwidth!!!

Read more

Tuesday, 7 October 2014

Watching “Have I been pwned?” Pastebin notifications in action

Tuesday, 7 October 2014

I imagine this is what it’s like when one of your kids gets old enough to finally beat you at something you’ve poured your heart into teaching them. Yes, I’m proud and it’s awesome that it has turned out so well, but I was still a little disappointed to get this the other day:

Email noification of HIBP paste result

This came totally out of the blue for me which, of course, is exactly how it’s meant to work. If all this is unfamiliar to you, this is the paste monitoring feature of “Have I been pwned?” (HIBP) which I launched last month. As it happens, one of the domains I monitor for work had a hit in a paste titled Email/PW Dump. (7.5k-ish Users.) – it was one of 7,381 unique emails in that paste actually.

Read more

Friday, 3 October 2014

FREE Pluralsight Course: Understanding the Shellshock Bash Bug

Friday, 3 October 2014

Remember Shellshock? How could anyone forget! This thing has totally dominated the news – not just the tech news either – and like Heartbleed before it (inevitably the yardstick we compare it to), the hype has been, well, somewhat overinflated. I get it – it is a big thing – but the press has a way of sensationalising things in a pretty unique way.

Case in point: I wrote Everything you need to know about the Shellshock Bash bug just one week ago. It has since been viewed over 425k times which is rather a record for a blog post on But what I found most telling was how sensationally this bug was reported. My favourite news story was from a press outlet that reported how Shellshock would allow attackers to pwn you through your light globes. Yep. Now I did mention the “Internet of Things” in my post and I did refer to the recent LIFX incident where their light globes were coughing up wifi creds but somehow that translated into Shellshock being in the simplest electrical circuit known to man.

With all the fuss going on and all the FUD flying, Pluralsight asked me to create a course on Shellshock which I had to decline primarily on the basis of existing commitments. Clearly my willpower is weak so only 6 days after that I’m very pleased to present to you: Understanding the Shellshock Bash Bug:

Understanding the Shellshock Bash Bug - FREE Pluralsight course

Read more