Sponsored by:

Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches. It's an amazing opportunity to influence decision makers at the highest levels of government and frankly, I don't want to stuff it up which is why I'm asking the question - what should I say? For a bit more context, I've been chatting with folks from the House Energy and Commerce Committee for a while now about the mechanics of data breaches. Obviously, the work I've been doing with Have I Been Pwned (HIBP) has given me a...

Weekly Update 61

A bit of a "business as usual" week this one, but then this business is never really "usual"! I start out with a talk at McAfee's MPOWER conference in Sydney and a bit of chatter about some upcoming ones (including the one I still can't talk about... but will next week!) In terms of new things, I've now got my hands on an iPhone X so I spend a bunch of time talking about that. It only arrived yesterday so I'm still learning and forming opinions, but early feedback is that I love this phone! Well actually, in the video I talk about stuff I love, stuff I'm not real happy about and a bunch of...

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS. In that module, we cover reflected XSS which relies on the premise of untrusted data in the request being reflected back in the response. For example, if we take the sample vulnerable site I use in the exercises and search for "foobar", we see the following: You can see the search...

Weekly Update 60

Loads of bits and pieces this week ranging from travel (including something truly awesome that I can't go into detail on just yet) to Report URI to HIBP. There's also the competition for the Lenovo ThinkPad where I talk about the 4 finalists and if you're reading this within about 18 hours of me posting it, you can still vote for them here: It's time to vote! I've picked the best 4 projects using the @haveibeenpwned API to do some really cool stuff, whoever comes out top here wins a shiny Lenovo ThinkPad. Check out their work then vote below: https://t.co/kGclEuapyv— Troy Hunt (@troyhunt) November 10, 2017 At the time of me...

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Here's something I hear quite a bit when talking about security things: Our site isn't a target, it doesn't have anything valuable on it This is usually the retort that comes back in defence of some pretty shady practices and in the mind of the defendant, it's a perfectly reasonable position. They don't collect any credentials, they don't have any payment info and in many cases, the site is simply a static representation of content that rarely changes. So what upside is there for an attacker? Reputation. More specifically, a non-negative reputation because that's a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely...

Weekly Update 59

I've actually had a day off today. Well mostly - I am still writing this piece and publishing a data breach - but I've pretty much spent the day between pool, beach and jet ski hence my being a bit dishevelled today 😀 Be that as it may, it's been a massive week and that's primarily due to the launch of Report URI V2 and in particular, the announcement that I've joined Scott in running the project. I've contributed dollars, social leverage and expertise because I genuinely think it's an awesome project and I'm very happy to be joining my good mate there. Plus, there's the whole "pseudo password fields" thing which is, well, just read it - it's...

Bypassing Browser Security Warnings with Pseudo Password Fields

It seems that there is no limit to human ingenuity when it comes to working around limitations within one's environment. For example, imagine you genuinely wanted to run a device requiring mains power in the centre of your inflatable pool - you're flat out of luck, right? Wrong! Or imagine there's a fire somewhere but the hydrant is on the other side of train tracks and you really want to put that fire out but trains have still gotta run too - what options are you left with? None? Wrong again! Seeing a theme here? Let's extend that into the digital world and we'll talk about HTTPS for a bit. You should use it. No really, if you're not HTTPS'ing...

I'm Joining Report URI!

What if I told you... that you can get visitors to your site to automatically check for a bunch of security issues. And then, when any are found, those visitors will let you know about it automatically. And the best bit is that you can set this up in a few minutes and add it to your site with zero risk. Or if you like, set it up so that it can automatically block certain types of attacks. It's not an expensive appliance, it's not a wacky browser extension and it's not some weird proprietary code implementation. Instead, it's all open standards built into modern web browsers and it's all available for free, right now. Well, it mostly is, the...

Weekly update 58

I'm between (short domestic) trips, I'm playing with my new iPad and I'm working on something really, really cool I'm going to be talking about next week. Seriously, this is a big thing that's been in the works for a while now and I'll be covering it in detail in the next update. For now, I've caught up on the whole IoT warning thing I totally overlooked last week. Frankly, it's just as well given how long that one was, the whole South Africa situation is still a very serious incident that has a long way to play out yet. But moving onto this week, I explain the deal with winning a Lenovo ThinkPad - what it is, how I'm...

Do Something Awesome with Have I Been Pwned and Win a Lenovo ThinkPad!

Current status: The competition has run and been won! Scroll down to the bottom for the result. Friends who follow what I'm up to these days will see that I'm often away from home in far-flung parts of the world. What that means is a lot of time on planes, a lot of time in airports (which is where I'm writing this now) and a lot of time in hotel rooms. Want to know how I churn out so much content? It's using that otherwise wasted down time to do useful things. But to do that, I need to be productive whilst mobile and I owe a lot of that to the machine I use when travelling. Now, to make...