Mmm... Pi-hole...

I have a love-hate relationship with ad blockers. On the one hand, I despise the obnoxious ads that are forced down our throats at what seems like every turn. On the other hand, I appreciate the need for publishers to earn a living so that I can consume their hard-earned work for free. Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. Companies I choose to partner with get to appear there and they get themselves 140 characters and a link. That is all. No images. No video. No script. No HTML tags. No tracking. Sponsors are happy as they get exposure, visitors are happy because there's none...

Weekly Update 105

It's another day-late weekly update courtesy of another hectic week. Scott and I were at NDC Sydney doing a bunch of talks and other events and I just simply didn't get time to push this out until sitting at the airport waiting for the plan home. This week's update is a little different as we did it at SSW's recording setup in front of a live audience. Better video, better audio and some questions asked in the process too. Other than that, it's business as usual: more keyloggers on payment forms, more data breaches and a massive extended validation smack-down. References Scott published his blog post about Magecart coming for you (then right after that the NewEgg breach was announced)...

Extended Validation Certificates are Dead

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave when it lands next week): I chose Comodo's website to illustrate this change as I was reminded of the desperation involved in selling EV just last month when...

Weekly Update 104

We're on a boat! This week, Scott Helme is back in town so I'm treating him to a rare sight for the Englishman - sunshine ☀️ We're also talking about my .NET Conf talk, Chrome's visual changes (and rolling back some of them), the FreshMenu data breach, getting better at filtering CSP reports, the effectiveness of public shaming, the kayo.moe credential stuffing list and lastly, Scott talks about his blog post on protecting sites from modified JavaScript (now linked to in the references below). Next week, we're in Sydney for NDC so we'll do another joint update then. References I spoke at .NET Conf on pwning your cloud costs (link through to the recorded talk) FreshMenu had a breach and...

The 42M Record kayo.moe Credential Stuffing Data

This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which appeared to contain personal data from a breach. Let me be crystal clear about one thing early on: This is not about a data breach of kayo.moe - there's absolutely no indication of any sort of security...

The Effectiveness of Publicly Shaming Bad Security

Here's how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation and express their outrage at the stated position. Where it gets interesting (and this is the whole point of the post), is when another group of folks pop up and accuse the outraged group of doing a bit of this: Shaming. Or chastising, putting them in their place or taking them down a peg or two. Whatever synonym you choose, the underlying criticism is that the outraged group is wrong...

Weekly Update 103

It's been a week of travel for me with API Days in Melbourne on Tuesday, Fortinet Fast & Secure in Sydney on Wednesday then the Varonis webinar yesterday (recorded, I'll share once it's online). Be that as it may, I did manage to pump out a long-awaited blog post on the total cost of running Pwned Passwords in HIBP and its... 2.6c per day 😎 This week there's also a few random things ranging from online authenticity (the human kind), changes in Chrome 69 (there's some major visual security indicators gone), yet another spyware breach (just don't...), British Airways being hacked (still light on detail only half a day later) and my ongoing struggles with breach disclosure in a responsible...

Serverless to the Max: Doing Big Things for Small Dollars with Cloudflare Workers and Azure Functions

As time has gone by, one of the things I've enjoyed the most in running Have I Been Pwned (HIBP) is seeing how far I could make the dollars stretch. How big can it go whilst at the same time, running it on a shoestring? I keep finding new ways of optimising cost and the two most significant contributions to that since launching almost 5 years ago have come via serverless technology provided by 2 of my favourite tech companies: Cloudflare and Microsoft. By way of (very brief) background, one of the features in HIBP is Pwned Passwords. This is a repository of 517M passwords from previous data breaches that organisations can refer to in order to stop people from...

Weekly Update 102

A few little bits and pieces this week ranging from a new web cam (primarily to do Windows Hello auth), teaching my 8-year-old son HTML, progress with Firefox and HIBP, some really ridiculous comments from Namecheap re SSL (or TLS or HTTPS) and a full set of Pwned Passwords as NTLM hashes. I didn't mention it when I recorded, but there's already a bunch of sample code on how to dump your AD hashes and compare them to the Pwned Passwords list in the comments on that blog post. Also, just in case you're in the area, I'll be speaking at API Days in Melbourne on Tuesday then at Fortinet's Fast and Secure conference in Sydney the following day. For...

Pwned Passwords, Now As NTLM Hashes!

I'm still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows. Since that time, another big name has come on board too: I love that a service I use every day has taken something I've built and is doing awesome things with it! GitHub has actually downloaded the entire 517M set of passwords rather than hitting the API like many other users, and that's just fine. In fact, I've had a heap of requests for more downloadable data, namely password hashes in NTLM format. If you're...