Sponsored by:

Security

A 332-post collection

New Pluralsight Play by Play: What You Need to Know About HTTPS Today

As many followers know, I run a workshop titled Hack Yourself First where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it's a pretty well-known quantity, but there's one module more than any other that changes at a fierce rate - HTTPS. I was thinking about it just now when considering how to approach this post launching the new course because let's face it, I've got a lot of material focusing on the topic already. But then I started thinking about the rate of change; just since the beginning of last year, here's a bunch...

The Trouble with Politicians Sharing Passwords

Yesterday I had a bunch of people point me at a tweet from a politician in the UK named Nadine Dorries. As it turns out, some folks were rather alarmed about her position on sharing what we would normally consider to be a secret. In this case, that secret is her password and, well, just read it: My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!— Nadine Dorries (@NadineDorries) December 2, 2017 For context, the back story to this is that another British pollie (Damian...

Here's What I'm Telling US Congress about Data Breaches

Last week I wrote about my upcoming congressional testimony and wow - you guys are awesome! Seriously, the feedback there was absolutely sensational and it's helped shape what I'll be saying to the US Congress, including lifting specific wording and phrases provided by some of you. Thank you! As I explained in that first blog post, I'm required to submit a written testimony 48 hours in advance of the event. That testimony is now publicly accessible and reproduced below. Do keep in mind that the context here is the impact on identity verification in "a post-breach world". My task is to ensure that the folks at the hearing understand how prevalent breaches are, how broadly they're distributed and...

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

Edit: I'm putting this up front as a lot of people are asking for it - the hearing will be live-streamed on YouTube and there's already an embedded video on the hearing page. There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches. It's an amazing opportunity to influence decision makers at the highest levels of government and frankly, I don't want to stuff it up which is why I'm asking the question - what should I say? For a bit more context, I've been chatting with folks...

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS. In that module, we cover reflected XSS which relies on the premise of untrusted data in the request being reflected back in the response. For example, if we take the sample vulnerable site I use in the exercises and search for "foobar", we see the following: You can see the search...

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Here's something I hear quite a bit when talking about security things: Our site isn't a target, it doesn't have anything valuable on it This is usually the retort that comes back in defence of some pretty shady practices and in the mind of the defendant, it's a perfectly reasonable position. They don't collect any credentials, they don't have any payment info and in many cases, the site is simply a static representation of content that rarely changes. So what upside is there for an attacker? Reputation. More specifically, a non-negative reputation because that's a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely...

Bypassing Browser Security Warnings with Pseudo Password Fields

It seems that there is no limit to human ingenuity when it comes to working around limitations within one's environment. For example, imagine you genuinely wanted to run a device requiring mains power in the centre of your inflatable pool - you're flat out of luck, right? Wrong! Or imagine there's a fire somewhere but the hydrant is on the other side of train tracks and you really want to put that fire out but trains have still gotta run too - what options are you left with? None? Wrong again! Seeing a theme here? Let's extend that into the digital world and we'll talk about HTTPS for a bit. You should use it. No really, if you're not HTTPS'ing...

Questions about the Massive South African "Master Deeds" Data Breach Answered

This week, I started looking into a large database backup file which turned out to contain the personal data of a significant portion of the South African population. It's an explosive situation with potentially severe ramifications and I've been bombarded by questions about it over the last 48 hours. This post explains everything I know. Who Am I and Why Do I Have This Data? Some background context is important as I appreciate there's a lot of folks out there who haven't heard of me or what I do before. I'm an independent Australian (I have a Microsoft Regional Director title but RDs don't actually work for Microsoft) and I specialise in security training folks who build online systems. For...

The 6-Step "Happy Path" to HTTPS

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before. At least insofar as securing web traffic goes because as of this week's Chrome 62's launch, any website with an input box is now doing this when served over an insecure connection: It's not doing it immediately for everyone, but don't worry, it's coming very soon even if it hasn't yet arrived for you personally and it's going to take many people by surprise. It shouldn't though because we've known it's coming for quite a while now starting with Google's announcement back in April. That was then covered pretty extensively by the tech press...

What Would It Look Like If We Put Warnings on IoT Devices Like We Do Cigarette Packets?

A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack, the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via an IoT device called the InnoTab which is a wifi connected tablet designed for young kids; think Fisher Price designing an iPad... then totally screwing up the security. Anyway, I read a piece today about VTech asking the court to drop an ongoing lawsuit that came about after the hack. In that story, the writer recalled how VTech has updated their terms and conditions after the attack in an attempt...