I've been at the AusCERT conference [https://conference.auscert.org.au/] this week which has presented a rare opportunity to walk to a major event from my home rather than fly to the other side of the world. And what an awesome walk too, right on the turn into "winter", which means something quite different in this part of the world: > Off to #AusCERT2018 [https://twitter.com/hashtag/AusCERT2018?src=hash&ref_src=twsrc%5Etfw]! It’s all blue outside today, what an awesome day for a short walk fro...

Back in August, I pushed out a service as part of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] via both a downloadable file and an online service. This was in response to NIST's Digital Identity Guidelines [https://www.nist.gov/itl/tig/special-publ...

A couple of months ago, I shared news of on-boarding the UK and Australian governments to Have I Been Pwned [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] (HIBP). As I explained at the time, I wanted to provide the folks there with easy access to their respective government domains which meant providing them with the facility to query at the TLD level - namely, .gov.uk and .gov.au - as well as across a handful of their oth...

Well it's all quietened down here with Scott gone so it's back to business as usual, which means, well, it's not very quiet at all! I've been in Sydney this week talking at one of our big banks and as I say in this week's update, getting out there amongst companies dealing with their unique cyber challenges is always interesting: > #cyber [https://twitter.com/hashtag/cyber?src=hash&ref_src=twsrc%5Etfw] pic.twitter.com/CIMDhPfKIP [https://t.co/CIMDhPfKIP] — Troy Hunt (@troyhunt) May 23, 2018 [...

Try publishing something to the internet - anything - and see how it long it takes before something nasty is probing away at it. Brand new website, new domain and it's mere hours (if not minutes) before requests for wp-admin are in the logs. Yes, I know it's not a Wordpress site but that doesn't matter, the bots don't care. But that's just indiscriminate scanning, nothing personal; how about deliberate and concerted attacks more specifically designed to get into your things? As the value of wha...

We're on a beach! It's the day after 3 pretty intense days of NDC conference and the day before Scott heads back to the UK so beach was an easy decision. The conference went fantastically well and, in all honesty, was the most enjoyable workshop I think I've done out of ~50 of them these last few years. NDC will be back on the Gold Coast next year, plus of course it will be in Oslo in a few weeks' time [https://ndcoslo.com/] then Sydney in September [https://ndcsydney.com/] where we'll both do i...

It's a new Pluralsight course! Yes, I know I said that yesterday too [https://www.troyhunt.com/new-pluralsight-course-owasp-top-10-2017/], but this is a new new Pluralsight course and it's the second part in our series on Creating a Security-centric Culture [https://www.troyhunt.com/were-doing-an-all-new-pluralsight-series-creating-a-security-centric-culture/] . As I wrote there back in Jan, we're doing this course on a quarterly basis and putting it out in front of the paywall so in other words...

Just a tad over 5 years ago, I released my first ever Pluralsight course - OWASP Top 10 Web Application Security Risks for ASP.NET [https://pluralsight.pxf.io/c/1196446/424552/7490?u=https%3A%2F%2Fapp.pluralsight.com%2Flibrary%2Fcourses%2Fowasp-top10-aspdotnet-application-security-risks%2Ftable-of-contents] . More than 32k people have listened to more than 78k hours of content in this course making it not just the most popular course I've ever released, but also keeping it as my most popular in...

This week, Scott Helme is getting bitten by Aussie critters whilst working from a desert island. He's here on the Gold Coast for the NDC Security event [https://ndcsecurity.com.au/] next week so I thought we'd record the update together so we grabbed a couple of cold ones, wandered down to the backyard and recorded there. We cover off a bunch of bits and pieces related to things we're working on together (workshops and Report URI) as well as some (mostly) commonly held views about HTTPS, EV cer...

Remember when web security was all about looking for padlocks? I mean in terms of the advice we gave your everyday people, that's what it boiled down to - "look for the padlock before entering passwords or credit card info into a website". Back in the day, this was pretty solid advice too as it gave you confidence not just in the usual confidentiality, integrity and authenticity of the web traffic, but in the legitimacy of the site as well. If it had a padlock, you could trust it and there's wer...