Security

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today: I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with links and screen caps of pastes as "evidence". This is almost certainly fake for several reasons: — Troy Hunt (@troyhunt) May 31, 2020 I was CC'd into a bunch of threads that were redistributing the...

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking: Ok folks, let's talk about the Coronavirus tracking app as news of Australia adopting Singapore's "TraceTogether" gains momentum. I'd willingly run it and I want to explain why because there's also some very valid concerns. Let's begin: — Troy Hunt (@troyhunt) April 16, 2020...

How much can you trust the assertions made by an organisation regarding their security posture? I don't mean to question whether the statements are truthful or not, but rather whether they provide any actual assurance whatsoever. For example, nearly 5 years ago now I wrote about how "we take security seriously" was a ridiculous statement to make immediately after a data breach. It seems that not much has changed since then: “At Comodo we take security very seriously and it is our highest priority.” A classic opening to an all too familiar announcement. Not a good day for any #CyberSecurity company.@comododesktop @troyhunt #InfoSec #DataBreach pic.twitter.com/JxGzS9evtT — Nigel Cox (@Harlekwin_UK) October 2, 2019 “We take security...

Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of records containing personal information. I wanted to send you what’s been sent to me and give you the opportunity to respond before I notify my subscribers impacted in the incident. Could someone responsible for information security...

We're live! Video embedded below: Under normal circumstances, we'd be sitting on a stage, beers in hands and doing our (I think we can use this term now) "world famous" Cyber-broken talk. It's like Top gear for nerds. @troyhunt #NDCLondon pic.twitter.com/wxzhM6uOCG — HarryMiller (@HarryMillerr) January 31, 2019 Scott and I have been doing these for a couple of years now, initially as a bit of a space-filler at NDC Security on the Gold Coast. We did it again at NDC Oslo a few months later, turned it into the party talk in London earlier last year (tweet above) and have continued to do it at every NDC event we've done since. Normally, it'd look something...

Of course it's virtual because let's face it, nobody is going anywhere at the moment. Plenty of you aren't even going into an office any more let alone fronting up to a conference with hundreds or even thousands of people. That sucks for you because you end up both missing out on events and sooner or later, suffering from cabin fever (I've always found that difficult across many years of remote work). It also sucks for companies like NDC Conferences whose entire livelihood is running the very events that people are now avoiding at all costs. It's a crisis, no doubt, yet... Crisitunity! The opportunity in all this is that we take the events online, massively expand their reach and...

This is a blog post about disclosure, specifically the difficulty with doing it in a responsible fashion as the reporter whilst also ensuring the impacted organisation behaves responsibly themselves. It's not a discussion we should be having in 2020, a time of unprecedented regulatory provisions designed to prevent precisely the sort of behaviour I'm going to describe in this post. Here you're going to see - blow by blow - just how hard it is for those of us with the best of intentions to deal with organisations who have a very different set of priorities. This is a post about how hard disclosure remains and how Surebet247's behaviour now has them experiencing the full blown Streisand effect. It began...

Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it: If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes. What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes. Last one: what if an attacker directs you to a malicious website and upon visiting it your browser makes a post request to the original website that set the cookie...

Back in July last year, Scott Helme and I shipped a little pet project that tracked the world's largest websites not implementing HTTPS by default. We called it Why No HTTPS? and it gave people a way to see the largest websites not taking transport layer security seriously. We also broke the list down on a country-by-country basis and it quickly became a means of highlighting security gaps and serving as a "list of shame". I've had many organisations reach out and ask to be removed once they'd done their TLS things properly so clearly, the site is driving the right behaviour. Today, we're happy to share the first update since November last year. The Web is More Secure More...

Last month, Disney launched their new streaming service Disney+; "The best stories in the world, all in one place", apparently. The service was obviously rather popular because within days the tech (and mainstream) headlines were proclaiming that thousands of hacked Disney+ accounts were already for sale on hacking forums. This is becoming an alarmingly regular pattern with online services, the cause of which was soon confirmed by Disney: Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames...