Security

Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting is browser warnings: That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right. But here's the really interesting bit - that's just the beginning because Google has a plan: a long-term plan to mark all HTTP sites as non-secure I want to show you the significance of this on everyday websites and we can do that today by virtue of jumping into chrome://flags then scrolling down to "Mark non-secure origins as...

Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post. I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, there'll be a private disclosure to the company involved. Good journos are very adept at getting answers to these things and when it's going to be a story that hits the news anyway, it ensures...

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this: What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at...

Let's start with a quick quiz: Take a look at haveibeenpwned.com (HIBP) and tell me where the traffic is encrypted between: You see HTTPS which is good so you know it's doing crypto things in your browser, but where's the other end of the encryption? I mean at what point is the traffic decrypted? Many people would say it's at the web server but it's not, it's upstream of there at Microsoft's appliances that sits in front of the web application PaaS offering. You might see a padlock, but your traffic is not encrypted all the way to the server. But it's not just HIBP and it's not just Microsoft either, many of the websites you visit every day...

CDNs are good. You get to put your web things all over the world and then have them served to your global audience from a location close to them. For example, because this blog is served through CloudFlare and about two thirds of the requests to my site come direct from their cache, you're probably downloading all the images on this page from whichever point in the map below is closest to you: But what's even better than CDNs when it comes to cost and performance is public CDNs. For example, on Have I been pwned (HIBP) I serve various CSS and JavaScript files that are public libraries. It's stuff like jQuery and Bootstrap and my files are in no...

Another day, another data breach: Full news on the GTAGaming breach is here: https://t.co/KuNSuol442 (vBulletin again)— Troy Hunt (@troyhunt) August 23, 2016 Yesterday it was a different one: vBulletin... "Epic Games: Information Regarding Recent Forum Compromise" https://t.co/YqQlSRbtLU— Troy Hunt (@troyhunt) August 23, 2016 A couple of weeks ago it was this one: vBulletin... again https://t.co/dNBbuzRHbW— Troy Hunt (@troyhunt) August 10, 2016 A little before that there was this: In news that should surprise absolutely nobody, Disney's hacked forum software was running on vBulletin https://t.co/s6Uw4xXyl0— Troy Hunt (@troyhunt) July 30, 2016 A fortnight earlier: In the year's least surprising...

I've been running my Hack Yourself First workshop all over the world where I talk to software developers about various security risks which they then get to exploit firsthand. It's a lot of fun and very hands on and practical which inevitably means spending time looking at real world implementations of security. After running a couple of these workshops last week, I wrote Website enumeration insanity: how our personal data is leaked which highlighted a couple of really bad examples of enumeration that attendees had discovered. That Strawberrynet one in particular... wow! But the post did lead to some questions about how to properly protect against enumeration risks so as I've done in the past with modules from the workshop,...

I've just wrapped up a couple of Hack Yourself First workshops down closer to home in Australia and true to usual form, attendees found some absolute zinger security implementations. Previous workshops have found various vulnerabilities ranging from realestate.com.au's lack of HTTPS in their Android app (pro tip: don't 301 HTTP requests to APIs!) to the one that really made headlines earlier this year which was the insecure Nissan LEAF app. One of the modules in the workshop looks at enumeration risks, that is the ability to check the existence of someone's account on a website. There's a perfect illustration of this in the post I did on Ashley Madison last year which showed that even before the data...

There's a lot of people getting themselves worked up about the Australian census whose five-yearly cycle falls due today. For the most part, it's like any other normal census we've done ever since I can remember, but what's changed this year is the duration for which names and addresses will be retained against the census answers. There are some good reasons to question the whole thing, plus some good reasons why it's really a non-event. Let me share my view of things. About the census I've just literally been handed the census paperwork by the property managers at the place we're staying at while trying to get in a bit of snowboarding. Here's an example of what we're talking about:...

You know the best way to sell security products? Scare the shit out of people. I mean make them really genuinely fearful that if they don't have the thing you're pushing that a bunch of nasty stuff will happen to them. It's the Donald Trump school of winning hearts and minds. Which brings me to CUJO, an Indiegogo campaign for a "security in a box" product. Strap yourself in and watch the video: Are we terrified yet? Yes? Good. Scary music, a hacker dude in a hoodie and just for good measure, a beauty queen and a kid (won't someone please think of the children?!) Around the 40 second mark you get a bit of "you may not know it,...