Troy Hunt

Phishing scams are getting tougher to pull off these days. All those damn email client and browser defences are getting in the way of hardworking phishermen and women going about their daily business. But – dear phisherpeople – you’re also not doing yourselves any favours when it comes to crafting a veneer of decency and honesty in your communications, in fact I propose that you’re missing a significant number of opportunities by neglecting some basics. So let me share some insight, if you will...

No really, this is my LinkedIn password: y>8Q^<6mqKEA4hac Well it was my LinkedIn password until earlier today when it became apparent that LinkedIn had suffered what could only be described as a massive security breach [http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm?iid=SF_T_Lead] . The disclosure of 6 million passwords used in one of the world’s premier social networking sites is nothing short of astonishing. But what’s also astonishing is that this exercise onc...

There’s a pattern in the following stills from various scammer videos, see if you can spot it. Here’s one run by Comantra I captured back in Feb [http://www.youtube.com/watch?v=kjKjyMKj3n4&feature=player_detailpage#t=2403s]: And here’s another one [http://www.youtube.com/watch?v=nhqxOFH2rmI&feature=player_detailpage#t=713s] from when an unknown scammer called me in late April: Now here’s one from Noah Magram [http://www.youtube.com/watch?v=jb69H7l0vJA&feature=player_detailpage#t=20s] wh...

This content is now available in the Pluralsight course "Secure Account Management Fundamentals" [http://www.pluralsight.com/courses/secure-account-management-fundamentals] Recently I’ve had a couple of opportunities to think again about how a secure password reset function should operate, firstly whilst building this functionality into ASafaWeb [https://asafaweb.com/] and secondly when giving some direction for someone else doing a similar thing. In that second instance, I wanted to point them...

Strangely enough, there are time when I talk about things that aren’t directly related to security and yesterday’s guest appearance on the Uhuru podcast was one of these. In fact “the cloud” is something I’m deeply interested in and have spent a lot of time thinking about and working with lately, one significant of example of which has been the use of AppHarbor [http://appharbor.com] for hosting ASafaWeb [https://asafaweb.com/]. Yesterday I had a short chat to Michael Surkan [https://twitter.co...

I’ve been writing and speaking about OWASP for long enough now that it was probably about time I contributed to the podcast so when Jim Manico [http://twitter.com/manicode] invited me to talk, it was a no-brainer! I had a good chat with Jim about a range of aspects related to ASP.NET; good stuff in the framework, not such good stuff in the framework, where I’m seeing people go wrong with .NET security and then a bit about some of the things I’m doing in terms of writing the OWASP Top 10 for .NET...

If you live in a western country and have a landline telephone with a listed phone number, chances are you’ve been “cold called” by someone on the other side of the world with an introduction that goes something like this: > “Hello, I am from the Microsoft technical support division and I am calling you because we have detected some problems with your computer. This is very important – I need you to go and turn your computer on right away…” It doesn’t matter if you have a computer, in fact i...

This ain’t my first rodeo, this ain’t the first I’ve seen this dog and pony show. I first wrote about virus call centre scammers back in October along with my recording titled Anatomy of a virus call centre scam [https://www.troyhunt.com/2011/10/anatomy-of-virus-call-centre-scam.html]. I followed up a couple of months ago with Scamming the scammers – catching the virus call-centre scammers red-handed [https://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html] which screen recor...

It already seems like a lifetime ago, but it was only last month that I was over in Seattle at the 2012 MVP Summit. While I was there, I had a short chat on video with Dave Giard [https://twitter.com/#!/DavidGiard] for his Technology and Friends blog. We predominantly spoke about ASP.NET security and in particular, cryptographic storage of credentials and transport layer security so it’s a little more focussed than many of my talks. The original post is over on Dave’s blog under Episode 207: Tr...

This is a rant; an unapologetic, no holds barred rant on why something that I hold in such high esteem – my iOS devices – could have come from the evildoers who created this spawn of Satan: iTunes. I love my Apple TV, my iPad, my iPhone, my wife loves her iPhone, heck, even our two year old loves his hand-me-down iPhone. They all rock – big time. They’re the best damn devices I’ve ever owned, without exception. But the otherwise joyous experience of ownership is continually crippled by the sear...