Security

You know what people really like? Government regulation! ...crickets... Ok, maybe not so much, but this one is actually really important. The General Data Protection Regulation is an EU reg that kicks in on 25 May 2018 so we've got bang on a year to get organised. It's important within the EU because it relates to how data of their citizens and residents is handled and it's important outside the EU because the regulation can impact non-EU organisations too. I've been interested in GDPR for some time on a couple of fronts. For one, I like the idea of a regulation having some serious teeth when it comes to issuing penalties. This means up to €20M or 4% of annual...

You know what really surprised me about this whole WannaCry ransomware problem? No, not how quickly it spread. Not the breadth of organisations it took offline either and no, not even that so many of them hadn't applied a critical patch that landed a couple of months earlier. It was the reactions to this tweet that really surprised me: Why is malware effective? Because of idiotic advice like this: "Stop Windows 10 from automatically updating your PC" https://t.co/cRygHYMPNh— Troy Hunt (@troyhunt) May 13, 2017 When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it's hard to conclude that it...

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general. The ransomware problem Firstly, if ransomware is a foreign enough concept and you genuinely want to understand what it's about, I made a free course for Varonis last year titled "Introduction...

The short version: I'm loading over 1 billion breached accounts into HIBP. These are from 2 different "combo lists", collections of email addresses and passwords from all sorts of different locations. I've verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you're in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords. And before you ask for your password from the data, read about all the reasons I don't...

My mate Lars Klint shared this tweet the other day: Your password is not unique. pic.twitter.com/ga4GwxtzrQ— Lars Klint (@larsklint) April 16, 2017 Naturally, I passed it on because let's face it, that's some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already identified this as a joke circulating on Reddit. But here's the thing - it's feasible. No really, I've seen some very stupid security stuff out there the likes of which make the above example not just believable, but likely. Don't believe me? Here, hold my beer... Remember me Let's say you want to build a "remember me" feature, you know,...

Well, good one Australia, UK and whoever else has embarked on this hare-brained scheme, you've just made things a whole lot worse. Our respective governments (in all their ivory-towered wisdom), have decided that because one of us could one day decide to become a terrorist, they'd better keep a big whack of our internet browsing history just in case. The theory these genius policy makers have is that if they can probe into all our lives far enough, they'll be able to see when we're doing terrorist kinda stuff. And really, what better way is there than siphoning up info on the websites we go to? Job done, beer o'clock, glad we solved that one. Except no, they've just made...

It's a great time for HTTPS. Actually, there's never been a better time and as each day goes by, we see constant reminders of how important it is. Someone sent me a great example of this just the other day by virtue of a bug that had been lodged with Mozilla: Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business. If this sounds a...

Someone sent me an email today which essentially boiled down to this: Hey, Microsoft's Azure Active Directory alerted me to leaked credentials but won't give me any details so there's very little I can do about it This is a really interesting scenario and it relates to the way Microsoft reports risk events, one of which is the discovery of leaked credentials that match those within AD. In other words, they've identified that someone used the same email address and password in multiple places and they've let the administrator of this particular AD instance know. As you can imagine from my work with Have I been pwned (HIBP), I have many thoughts on the subject. Rather than keep them to...

The tech news recently has seen quite a lot of chatter about an alleged haul of Apple credentials, apparently about 250 million of them in all. Allegedly. Maybe. Or was it 300 million?. No - wait - it might have only been 200 million. The number itself has been the source of plenty of debate even within the members of the Turkish Crime Family (TCF) themselves. Now who really knows if they're Turkish or a family, the only part of the name we can get any consensus on is the "crime" component courtesy of them attempting to extort Apple as they threaten to delete account contents and remote-wipe Apple devices if payment isn't forthcoming by... today. The 7th of April....

I went to Helsinki a couple of years ago. I was there running a security workshop for a local company and whilst in town, I caught up with Mikko Hypponen: Troy Hunt (@troyhunt) in Helsinki today. Troy's http://t.co/zOiZnkMpNo service is highly recommended! Use it. pic.twitter.com/lf59Hz7zvI— Mikko Hypponen (@mikko) May 28, 2015 Now Mikko is a very interesting bloke having been around in the security industry since just about forever so he's seen a few things. There's a great TED talk where he talks about the first PC virus and actually travels to Pakistan to track down the guys who wrote it. He's also the Chief Research Officer at F-Secure who make...