Security

A 269-post collection

Self-hosted vBulletin - you're doing it wrong! (and why you should be using managed hosting services)

Another day, another data breach: Full news on the GTAGaming breach is here: https://t.co/KuNSuol442 (vBulletin again) — Troy Hunt (@troyhunt) August 23, 2016 Yesterday it was a different one: vBulletin... "Epic Games: Information Regarding Recent Forum Compromise" https://t.co/YqQlSRbtLU — Troy Hunt (@troyhunt) August 23, 2016 A couple of weeks ago it was this one: vBulletin... again https://t.co/dNBbuzRHbW — Troy Hunt (@troyhunt) August 10, 2016 A little before that there was this: In news that should surprise absolutely nobody, Disney's hacked forum software was running on vBulletin https://t.co/s6Uw4xXyl0 — Troy Hunt (@troyhunt) July 30, 2016 A fortnight earlier: In the year's least surprising...

Understanding account enumeration, the video tutorial edition

I've been running my Hack Yourself First workshop all over the world where I talk to software developers about various security risks which they then get to exploit firsthand. It's a lot of fun and very hands-on and practical, which inevitably means spending time looking at real world implementations of security. After running a couple of these workshops last week, I wrote Website enumeration insanity: how our personal data is leaked which highlighted a couple of really bad examples of enumeration that attendees had discovered. That Strawberrynet one in particular... wow! But the post did lead to some questions about how to properly protect against enumeration risks, so as I've done in the past with modules from the workshop,...

Website enumeration insanity: how our personal data is leaked

I've just wrapped up a couple of Hack Yourself First workshops down closer to home in Australia and true to usual form, attendees found some absolute zinger security implementations. Previous workshops have found various vulnerabilities ranging from realestate.com.au's lack of HTTPS in their Android app (pro tip: don't 301 HTTP requests to APIs!) to the one that really made headlines earlier this year, which was the insecure Nissan LEAF app. One of the modules in the workshop looks at enumeration risks, that is, the ability to check the existence of someone's account on a website. There's a perfect illustration of this in the post I did on Ashley Madison last year which showed that even before the data...

What you should and shouldn't worry about when you complete today's census

There are a lot of people getting themselves worked up about the Australian census, whose five-yearly cycle falls due today. For the most part, it's like any other normal census we've done ever since I can remember, but what's changed this year is the duration for which names and addresses will be retained against the census answers. There are some good reasons to question the whole thing, plus some good reasons why it's really a non-event. Let me share my view of things. About the census: I've just literally been handed the census paperwork by the property managers at the place we're staying at while trying to get in a bit of snowboarding. Here's an example of what we're talking about:...

Stop the madness! Ridiculous security scare tactics revealed

You know the best way to sell security products? Scare the shit out of people. I mean make them really genuinely fearful that if they don't have the thing you're pushing that a bunch of nasty stuff will happen to them. It's the Donald Trump school of winning hearts and minds. Which brings me to CUJO, an Indiegogo campaign for a "security in a box" product. Strap yourself in and watch the video: Are we terrified yet? Yes? Good. Scary music, a hacker dude in a hoodie and just for good measure, a beauty queen and a kid (won't someone please think of the children?!) Around the 40 second mark you get a bit of "you may not know it,...

I wanna go fast: HTTPS' massive speed advantage

I tweeted this the other day, and the internet was not pleased: HTTPS is slow. No - wait - is it HTTP that's slow?! https://t.co/T49GG7oCaK pic.twitter.com/cfnYOpXMWc — Troy Hunt (@troyhunt) July 8, 2016 In fact, a bunch of the internet was pretty upset. "It's not fair!", they cried. "You're comparing apples and oranges!", they raged. No, it's not fair, the internet is not fair. But that's just how the web is today and whilst you might not like that it's not fair, that's the ballgame we're playing. When it comes to performance tests, I don't care about "fair", I only care about one thing: Let's take just a moment to put how...

Why am I in a data breach for a site I never signed up to?

The question in the title of this post comes up after pretty much every data breach I load, so I thought I'd answer it here once and for all, then direct inquisitive Have I been pwned (HIBP) users to it when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question. You forgot you signed up: Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leave a huge trail of accounts behind us on the web over the many years we've been online, and there's no doubt whatsoever that most of...

Round 4 of Europe for 2016: More talks, more workshops

If you follow my Twitters, you may have noticed I can be a bit, well, "despondent" about the climate in Europe. No, not the whole Brexit political climate situation, I mean more like this: Crowds of people in Birmingham waiting for summer before they go outside: pic.twitter.com/7ImjmCt4Bf — Troy Hunt (@troyhunt) June 16, 2016 Yet I keep ending up back there so either it's my poor judgement or... I secretly enjoy it. Back in Jan (when it was much easier to complain about the weather), I was over in England, Scotland and Norway for four weeks, then in May it was Belgium and Spain, and last month was Norway and England again plus a few days in...

Getting to grips with cloud computing security on Pluralsight

Two of the things you'll have found me most frequently writing about on this blog are "cloud" and "security". Whilst the latter seems to have been what I've gravitated towards most in recent years, the former is something I'm very heavily involved in, particularly with my work on Have I been pwned (HIBP). I'm enormously happy to see the very last course in the Ethical Hacking series I've been building out with Pluralsight now complete with the 8th and final one being Ethical Hacking: Cloud Computing. Overwhelmingly excited. Ecstatic! I'll come back to why I'm so happy that the entire thing has now been wrapped up, but let me start with my favourite cloud question of all: Is "the cloud"...

Everything you need to know about loading a free Let's Encrypt certificate into an Azure website

Let us start with what's wrong with the world today, and that's certificate authorities. Just take a look at the trusted root CAs running on a Windows 10 machine: The very premise of having these root CAs on your machine is that they ultimately get to decide which websites your browser will consider to have a valid SSL certificate. The root CAs serve other purposes too, but that's what I'm especially interested in here. Edit: As Tom points out below, there are hundreds of other root certs the OS will happily trust as required. Microsoft documents this on the Microsoft Trusted Root Certificate Program page. Now here's the point I'm driving at - if QuoVadis wants to sign a certificate...