Tuesday, 28 July 2015

It’s app sec in the USA! (And “Hack Yourself First” workshops too)

I’m very happy to be heading back to the US in a couple of months, this time to keynote at OWASP’s AppSecUSA in San Francisco.

AppSec USA

I had a great time in Amsterdam only a couple of months ago keynoting at AppSecEU as well and the whole event was just a heap of fun. It was a really good mix of security pros and developers, each bringing their own strengths to the show and making for some really interesting talks at different levels.

As I did on my recent European tours, I’m making the most of the time I have stateside because frankly, everything is a long way from Australia! I’ll be at the OWASP event for some of the time during the week of September 21 and I’ll be in Monterey the week before talking at SECURITYintersection on Azure and other security bits. But I’m also making time to run some workshops. I’ve been holding these across Europe and Australia for various organisations that want to get their development teams up to speed with the dos and don’ts of modern web security constructs. Let me share what I’m doing.

Tuesday, 21 July 2015

“Have I been pwned?” goes (a little bit) commercial

If I’m honest, the success of Have I been pwned? (HIBP) took me by surprise. It started out as an intriguing exercise to look at how the same accounts were being compromised across multiple data breaches and morphed into something well beyond that in pretty short order. The unexpected success of the service made for some really intriguing technology challenges and provided me with an excellent opportunity to push Microsoft’s Azure to the limits, not just in terms of performance, but in how I could engineer the whole thing to cost me just about nothing to run.

For example, within the first week after I launched it, the service got too big for Google Analytics as it was already tracking over 10 million hits a month. I had to optimise quickly for the unexpected success as unforeseen things began happening, things like serving tens of GB of jQuery in a day which is not something I needed to pay for if I used a CDN. As I rolled out new features, I found new challenges. The API is a great example; automation of queries makes for a system that can go from hundreds of requests a minute to tens of thousands in the blink of an eye. How do you support that massive change in scale and not break the bank, particularly when the service is out there for free? As I wrote recently, this challenge led to me optimising the storage to the point where it returns records in single digit milliseconds and only costs $2.50 a month for the Table Storage mechanism that drives it.

One of the things that really surprised me is the amount of media coverage the service got. I’m not into plastering the logos of the various organisations that covered it over the homepage, but I do track the larger ones on a press page. There’s not even a link to this on the site but I wanted a record of it and I reckon it’s a pretty good one; a couple of Time magazine articles, USA Today, multiple pieces from Forbes, various other consumer-centric stories then of course lots of tech coverage like ZDNet, Gizmodo, Ars Technica, PC World etc. There’s a huge amount of foreign language coverage too which was a bit unexpected.

I’ve also used HIBP as an opportunity to write extensively about how I’ve pulled together all the technology bits to make this work as well as it does. If you have a spin through the tag on my blog, you’ll find a huge amount of info which by all accounts, has been enormously useful for other people building online services. I’ve also been as open as I can about this but there’s one piece that’s been ticking away in the background that I’ve not shared and that’s what I want to write about today because it signals a new chapter for HIBP.

Monday, 20 July 2015

Your affairs were never discreet – Ashley Madison always disclosed customer identities

I always find data breaches like today’s Ashley Madison one curious in terms of how people react. But this one is particularly curious because of the promise of “discreet” encounters:

Ashley Madison is the world's leading married dating service for discreet encounters

Of course when the modus operandi of the site is to facilitate extramarital affairs then “discreet” is somewhat of a virtue… if they actually were discreet about their customers’ identities! This all made me think back to the Adult Friend Finder breach of a couple of months ago. Once that one hit the public air, I proceeded to load the data into Have I been pwned? as I usually do after a data breach has gone public and then… I got a couple of emails. Emails like this:

My association with that service (AFF) is private, is it possible to remove my email from that list, or change its association to another breach?

And a somewhat less polite one:

Please remove my email from your database IMMEDIATELY

([redacted]@gmail.com).

NO ONE HAS THE RIGHT TO MY HACKED information.

Otherwise, I will seek legal counsel.

Friday, 17 July 2015

How I optimised my life to make my job redundant

If you’re a regular reader, you may have noticed a rather major job change on my behalf recently. The day to day office grind has gone and corporate life is now well and truly behind me, where it will firmly stay. One of the things that amazed me most when I finally wrote about this is how surprised so many people were that I actually had a normal day job:

I want to write about how I did this. This is not just about how I managed my time to do so much, but how it enabled me to get to the point where I could no longer justify working in the corporate world. I made my job redundant long before Pfizer did and by good fortune (and admittedly some good management as well), I exited in the best way possible. Here’s how I managed to do so much in the lead-up to that so that when the time finally came, I was in better shape than I could have ever imagined.

Wednesday, 15 July 2015

It’s not about “supporting password managers”, it’s about not consciously breaking security

So this has been getting quite a bit of airtime today:

Yes, it’s ridiculous and British Gas are getting the lambasting they so deserve, but egregious security faux pas is hardly a new thing for them:

Tuesday, 14 July 2015

How I got XSS’d by my ad network

This is really not what you ever want to see on your own site:

It’s a JavaScript prompt and no, it’s not meant to be there. Someone had successfully mounted an XSS attack against this very website!

Monday, 13 July 2015

32k email addresses from the Hacking Team breach are now in “Have I Been pwned?”

Over the last week, the Hacking Team story has absolutely exploded. It’s dominated the security news, featured heavily in tech publications and regularly appeared in the mainstream press. The 400GB of data leaked has been extensively torrented, mirrored and reproduced then of course commentated on at length in various articles and social media pieces. In terms of public breaches, this is as exposed as data gets.

Clearly, this incident is also highly controversial. Hacking Team has long been under suspicion for selling to dystopian nations suppressing human rights and this breach sheds an all new light on that. But by the same token, they’ve also sold to governments using the software for legal intercepts in ways that most of us would deem quite reasonable; there’s a class of criminal we want off the streets who was being monitored via exploits which are now being patched. I wrote about some of the angles last week in my Security Sense column on Windows IT Pro and made a bunch of other points then and I don’t want to dwell on those here, let me instead focus on how I’m handling this with Have I been pwned? (HIBP).

Friday, 10 July 2015

Dissecting a tech talk: How I topped the charts at NDC

Recently I wrote about Speaker style bingo which called out a bunch of common anti-patterns I see (and indeed have done myself) in technical talks. If I’m honest, I’m a bit surprised at how much attention that post garnered and it appears to have really resonated with people. When I wrote that post, I was back home but between speaking events in Europe so was both reflecting on the talks I’d just done and preparing for the upcoming ones. I find that writing material like that really helps me crystallise things in my mind so whilst it’s great that many people found it useful, I was also using that exercise as preparation for my next big talk, an all-new one on the other side of the world, one I’d never done before.

This post is the flip side of that – the post-talk post, if you like. The talk I was preparing for is Making Hacking Child’s Play which I delivered to a packed out room of over 500 people at NDC in Oslo. So how did it go? Well, after 150 speakers delivered over 200 talks, here’s where it wound up on the leader board:

Top talks at NDC Oslo

Thursday, 2 July 2015

“We take security seriously”, otherwise known as “We didn’t take it seriously enough”

I hate getting notices like this one from a few hours ago:

Sadly, we became aware this afternoon that the server which hosts our forums and blog was compromised. We are still investigating, but as far as we know, the attacker only gained access to these parts of our systems. Rest assured that credit card and other payment data are not stored on our servers at all.

I’ve had many of these already over the years and I’m sure I’ll see many more in the years to come, that’s just how the web seems to work these days. But here’s what really got my attention in Plex’s email today:

We're sorry for the inconvenience, but both your privacy and security are very important to us

Oh good, feeling much better now! So privacy and security are important, but with the benefit of hindsight, probably not important enough. Which got me thinking about all the other times I’d seen similar statements and just how hollow they’ve now become; it’s corporate speak personified. To demonstrate, let me stand back and let others do the talking in this post…

Tuesday, 30 June 2015

.NET Rocking in Oslo!

I had a crazy trip to the Norwegian Developers Conference in Oslo this month; 2 days of workshops, a user group presentation, 2 conference talks, a podcast and a panel discussion. Despite the craziness of it all though, I was massively pleased that after the dust settled on the more than 150 speakers presenting over 200 talks, I found myself up here:

Top talks at NDC Oslo

Those little buzzers in front of the screen were hit on the way out and it so happened that I had a huge number of the green ones selected for my second talk on “Making Hacking Child’s Play” which put it way up in the top ranked spot. Mind you, the first talk on “50 Shades of AppSec” did rather well too, coming in at number 5, so I’d call that an altogether rather successful event!