This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach [https://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/] (well over 30M), but the sensitivity of the data within it. However the interest has surprised even me – I loaded the breached data into Have I been pwned? [https://haveibeenpwned.com/] (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a c...

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? [https://haveibeenpwned.com/] (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me....

I run a workshop which I often do privately for organisations or as a part of various conferences which I title “Hack Yourself First”. I wrote about what I do in these recently in relation to my upcoming US workshops next month [https://www.troyhunt.com/2015/07/its-app-sec-in-usa-and-hack-yourself.html] and the ones I’ll be doing in London in Jan [https://www.troyhunt.com/2015/07/its-time-to-visit-london.html] but in short, it’s a couple of days of very hands-on exercises where we look at a heap...

I see literally millions of compromised records from online systems every week courtesy of maintaining Have I been pwned? [https://haveibeenpwned.com/] (HIBP), in fact I’ve seen well over 200M of them since starting the service just under two years ago. I’ve gotten used to seeing both seriously sensitive personal data (the Adult Friend Finder breach [http://fortune.com/2015/05/22/adultfriendfinder-hackers/] is a good example of that) as well as “copycat” breaches (the same data dumped under diff...

I regularly share files with people that I want them to grab over HTTP from a location without any auth or other hurdles. They’re not sensitive files, they’re things like exercises I might be running in workshops which I want people to download from a common location. I normally put them in Dropbox, “Share Dropbox Link” then shorten it with my custom troy.hn short URL so they can read it from the screen in a meeting room and point them there. In fact this is exactly what I did last week – just a...

The web is going HTTPS only. In theory. The idea is that unless we encrypt all the transport things, we can have no confidence in the confidentiality, integrity or authenticity of the traffic and services we’re talking to. There’s growing awareness of how essential secure transport comms are (thank you NSA for your part in helping us come to this realisation), and indeed we’re being continually pushed in this direction. For example, last year Google said they’d start using the presence of HTTPS...

As I’ve now widely publicised, I left Pfizer a few months back [https://www.troyhunt.com/2015/04/today-marks-two-important-milestones.html] after 14 years with the firm. You build up a lot of dependencies over 14 years, a lot of access to systems and a lot of people who count on you. As I was preparing to exit, I made a bunch of notes in a draft blog post because firstly, as I recently wrote in How I optimised my life to make my job redundant [https://www.troyhunt.com/2015/07/how-i-optimised-my-...

That’s right folks, I’m finally getting over to London! I’ve made so many awesome connections there over the years (hi Tesco [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html]!) and despite getting around quite a bit of late, I haven’t had the opportunity to actually spend time in the UK. All that changes in Jan and it’s thanks to the awesome guys at NDC [http://www.ndc-london.com/]! [http://www.ndc-london.com/] I actually spent a year living in London over the turn of t...

A couple of months ago I wrote about how fellow author Dale Meredith and myself are building out an ethical hacking series on Pluralsight [https://www.troyhunt.com/2015/05/its-ethical-hacking-with-sql-injection_21.html] and in that post I launched the first course I had written for the series on SQL injection. You can read about the ethical hacking series in that blog post and what my approach to covering the CEH syllabus has been (hint: I have my own take on it), but what I will again point out...

This morning I was reading a piece on the Ashley Madison hack [http://www.inquisitr.com/2281408/ashley-madison-hack-customer-service-impact-team-complaints-was-he-on-ashley-madison-site-down-as-users-turn-to-private-investigators/] which helped cement a few things in my mind. The first thing is that if this data ends up being made public (and it’s still an “if”) then it will rapidly be shared far and wide. Of course this happens with many major data breaches, but the emergence already of domain...