Sponsored by:

The Ethereum forum was hacked and they've voluntarily submitted the data to Have I been pwned

The title says it all and the details are on their blog, but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make that data searchable". This is in an era when most organisations are doing their utmost to downplay the significance of an event like this too. This incident comes at a time when I'm writing up a fairly heft blog post on how organisations should communicate in the wake of a data breach. There's a lot of examples in there from previous incidents - mostly around...

Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the services sitting behind it. Then there's the security seals placed on the page and, well, just go and read clubbing seals if you're not already aware of just how fundamentally irrelevant (and even...

Weekly update 13

This week begins with the biggest of big breaches - the one that finally broke the big "B" - Yahoo (version 2). It's a massive story and I spent a lot of time yesterday answering media queries about hacker things related to data breaches. I talk about that at the start of this weekly update as well pursuing a career in security, providing an internet basics course for free via Varonis and how my blog on Ubiquiti network bits is still getting massive traction. iTunes podcast | Google Play Music podcast | RSS podcast References The crazy, massive, huge Yahoo breach (there's a heap of angles to this, short interview with me there, longer set of thoughts in the weekly update video)...

Get to grips with internet security basics, courtesy of Varonis

Most readers here understand security fundamentals. They know what makes a strong password, what the padlock in the address bar above means, why software updates are important, the value of locking their mobile devices and some of dangers we face with the internet of things. But equally, most of our friends, relatives and significant others don't. We know this because we're continually doing tech support for them and we experience the horrors of their security profiles first hand! Recently, Varonis asked if I could build a course for these folks, the ones that really need it. It's a change of pace to most of my courses that are targeted at technology professionals and obviously that means covering the fundamentals is...

Careers in security, ethical hacking and advice on where to get started

Many people will disagree with this post, not so much because it's flat out wrong but because there are so many different approaches one can take. It's a very subjective realm but I'm going to put forward some suggestions, make some considered arguments and leave it at that. The context is twofold as suggested by the title: Firstly, I get a lot of people asking me about how to get a start in the security industry. I've regularly reverted with "stay tuned, I'm writing something" and this blog post is it. Secondly, over most of last year and the first half of this one, I've been creating material to help people who want to pursue security careers. It's the Ethical...

Weekly update 12

This was a pretty jam-packed week which kicked off with the crazy, crazy Indian pathology data leak. You'll sense my frustration with the whole thing and frankly, I still can't quite get over it. Be that as it may, stuff like this provides us with endless material that speaks to how badly wrong it can all go with any data that gets digitised. There's that and a bunch of HIBP bits in relation to the AMA I did earlier this week and the 1.4 billion records I made available for analysis. All that and more this week! iTunes podcast | Google Play Music podcast | RSS podcast References Pathology data spilled all over the place in India (down syndrome tests, HIV...

How Chrome's buggy content security policy implementation cost me money

Content security policies (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests yet a curse because they can also do screwy things like break your site. Now in fairness, the breaking bit linked to there was more because of Safari's screwy implementation than because of the CSP spec itself, but that brings me to today's post on yet another screwy browser implementation of CSP. This time, it's Chrome's turn and it didn't just cause content to be blocked, it actually cost me money. Let me explain. I have a donate page on Have I been pwned (HIBP). I honestly didn't expect people to give...

Here's 1.4 billion records from Have I been pwned for you to analyse

I get a lot of requests from people for data from Have I been pwned (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been "no", I'm not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you. However, as part of HIBP's 3rd birthday celebrations, I am going to share data with you, quite a lot of it. In fact, I'm opening up almost all the data in HIBP with a few...

43,203 Indian patient pathology reports were left publicly exposed by Health Solutions

I'm used to seeing large amounts of personal data left inadvertently exposed to the web. Recently, the Red Cross Blood Service down here left a huge amount of data exposed (well, at least the company doing their tech things did). Shortly afterwards, the global recruitment company Michael Page also lost a heap (also due to a partner, Capgemini). Both cases were obviously extremely embarrassing for the companies involved and they did exactly what you'd expect them to do once they found out about it - they pulled the data offline as fast as humanly possible. And this is how it generally goes with incidents like this; lots of embarrassment, lots of scrambling to fix then lots of apologising afterwards. Which...

Weekly update 11

A bit of a quieter week this time blog wise, but a very busy week in terms of HIBP traffic. It went pretty nuts on Tuesday with a spike the scale I'd never seen before which made things, well, "interesting". I also put the word out about an "ask me anything" live stream event I'm going to do early next week which should be a lot of fun. Oh - and the Indian pathology results exposed to the world - that's unfolding as I write this but the position from the lab exposing things like patient HIV results to the world right now is "we'll get around to it in Jan". The latest is that BuzzFeed has just written about...