Sponsored by:

Security

A 350-post collection

IRL Analogies Explaining Digital Concepts are Terrible

Remember the anti-piracy campaign from years back about "You Wouldn't Steal a Car"? This was the rather sensationalist piece put together by the Motion Picture Association of America in an attempt to draw parallels between digital piracy and what they viewed as IRL ("In Real Life") equivalents. Here's a quick recap: The very premise that the young girl sitting in her bedroom in the opening scene is in any way relatable to the guy in the dark alley sliding a slim jim down the Merc's door is ridiculous. As expected, the internet responded with much hilarity because no-way, no-how are any of the analogies in that video even remotely equivalent to digital piracy: And even if...

Is Enumerating Resources on a Website "Hacking"?

I saw a story pop up this week which made a bunch of headlines and upon sharing it, also sparked some vigorous debate. It all had to do with a 19-year-old bloke in Canada downloading some publicly accessible documents which, as it later turned out, shouldn't have been publicly accessible. Let's start with this video as it pretty succinctly explains the issue in consumer-friendly terms: VIDEO: Nova Scotia's government is accusing a 19-year-old of breaching their government website's security ~ Privacy experts disagree. Oh, and here's how the teen did it: pic.twitter.com/FQ2qXJoP89— Brett Ruskin (@Brett_CBC) April 13, 2018 So the crux of the matter seems to be that the guy...

Aussie Telcos are Failing at Some Fundamental Security Basics

Recently, I've witnessed a couple of incidents which have caused me to question some pretty fundamental security basics with our local Aussie telcos, specifically Telstra and Optus. It began with a visit to the local Telstra store earlier this month to upgrade a couple of phone plans which resulted in me sitting alone by this screen whilst the Telstra staffer disappeared into the back room for a few minutes: Is it normal for @Telstra to display customer passwords on publicly facing terminals in their stores? (You know, the same password people give their bank.) This is the user-selected password used for identity verification with store customers wandering past it. pic.twitter.com/KiaGNKhaig— Troy Hunt (@troyhunt) March 1, 2018...

A Scammer Tried to Scare Me into Buying Their Security Services - Here's How It Went Down

Here's the tl;dr - someone named "Md. Shofiur R" found troyhunt.com on a "free online malware scanner" and tried to scare me into believing my site had security vulnerabilities then shake me down for a penetration test. It didn't work out so well for him, here's the blow-by-blow account of things then I'll add some more thoughts afterwards: Should I respond? 😂 pic.twitter.com/lifCZRcICF— Troy Hunt (@troyhunt) March 20, 2018 I couldn’t help myself pic.twitter.com/zvx3myyItn— Troy Hunt (@troyhunt) March 20, 2018 Ooh, he’s good! Suggestions? This feels like it’ll be more fun crowd-sourced 😎 pic.twitter.com/i2EFDFgLem— Troy Hunt (@troyhunt) March 20, 2018 Your...

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. They then go on to recommend that passwords "obtained from previous breach corpuses" should be disallowed and that the service should "advise the subscriber that they need to select a different secret". This makes a lot of sense when you think about it:...

Making Light of the "Dark Web" (and Debunking the FUD)

I'll start this post where I start many of my talks - what does a hacker look like? Or perhaps more specifically, what do people think a hacker looks like? It's probably a scary image, one that's a bit mysterious, a shady character lurking in the hidden depths of the internet. People have this image in their mind because that's what they've been conditioned to believe: These are the images that adorn the news pieces we read and we've all seen them before. Hell, we've seen literally the same guy over and over again. See that bloke in the bottom right? He's the guy! No really, I wrote about him last year and exposed his involvement in everything from state-sponsored...

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

A couple of years back as the US presidential campaign was ramping up, the Trump camp did something stupid. I know, we're all shocked but bear with me because it's an important part of the narrative of this post. One of their developers embedded this code in the campaign's donation website: <script src="https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js" type="text/javascript></script> See the problem? This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. Now, imagine if Igor took a dislike to Trump. Or someone else took issue with the bloke...

How Long is Long Enough? Minimum Password Lengths by the World's Top Sites

I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won't let you paste a password. Some force you to regularly rotate it. It's all over the place. Last year, I wrote about authentication guidance for the modern era and I talked about many of the aforementioned requirements. I particularly focused on how today's thinking is at odds with many of the traditional views of how passwords should be handled. That post has a lot of guidance...

My Blog Now Has a Content Security Policy - Here's How I've Done It

I've long been a proponent of Content Security Policies (CSPs). I've used them to fix mixed content warnings on this blog after Disqus made a little mistake, you'll see one adorning Have I Been Pwned (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers. I'm a fan (which is why I also recently joined Report URI), and if you're running a website, you should be too. But it's not all roses with CSPs and that's partly due to what browsers will and will not let you do and partly due to what the platforms running our websites will and will not let you do. For example, this blog runs on Ghost Pro which is a managed...

We're Doing an All New Series on Pluralsight: Creating a Security-centric Culture

Usually when we talk about information security, we're talking about the mechanics of how things work. The attacker broke into a system due to a reused password, there was SQL injection because queries weren't parameterised or the company got ransomware'd because they didn't patch their things. These are all good discussions - essential discussions - but there's a broader and perhaps even more important one that we need to have and that's about the security culture within organisations. This is something that's been on my mind for a while, but it really hit me back in September when I was over in Salt Lake City for Pluralsight's LIVE conference. I did a bunch of customer meetings which essentially meant saying...