Security

A 390-post collection

Hacking Grindr Accounts with Copy and Paste

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr is "The World's Largest Social Networking App for Gay, Bi, Trans, and Queer People" which for many people, makes it particularly sensitive. It's sensitive not just because by using the site it implies one's sexual orientation, but because of the sometimes severe ramifications of fitting within Grindr's target demographic. For example, in 2014 Egypt's police were found to be using Grindr to "trap gay people" which was particularly concerning in a country not exactly up to speed with LGBT equality. Another demonstration of how valuable...

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS and upgrade-insecure-requests via content security policies to help make it a reality. Yet I also find myself constantly using VPNs for a variety of security and privacy related reasons and it got me thinking - why? I mean what's the remaining gap? Last month I announced I've partnered with NordVPN as a strategic adviser and as part of that effort, I...

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:

You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn't the whole point of encryption that it protects data when exposed to unintended parties? Ah, yes, but it wasn't encrypted it was hashed and therein lies a key difference: Saying that passwords are “encrypted” over and over again doesn’t make it so. They’re bcrypt hashes so good job there, but the fact they’re suggesting everyone changes their password illustrates that even good hashing has its risks. https://t.co/21V6Vte6Wa — Troy Hunt (@troyhunt) September 2, 2020 I see this over...

I'm Partnering with NordVPN as a Strategic Advisor

I love security. I love privacy. Consequently, it will come as no surprise that I love tools that help people achieve those objectives. Equally, I have no patience for false promises, and I've been very vocal about my feelings there: But one of them is literally called “Secure VPN”, how is this possible?! “Are You Using These VPN Apps? Personal Info Of 20 Million Users Leaked: That’s 1.2TB Data” https://t.co/BPDww70Pgo — Troy Hunt (@troyhunt) July 20, 2020 VPNs are a great example of where a tool can be used to enhance security and privacy but often, they fall short of delivering on the promise. When you use a VPN, you're trusting a third party with...

How BeerAdvocate Learned They'd Been Pwned

I love beer. This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd account, logging my beer experiences as I (used to 😢) travel around the world partaking in local beverages. When I received an email from someone over that way who happened to be a happy Have I Been Pwned (HIBP) user and wanted some cyber-assistance, I was intrigued. You'll never believe what happened next... The tl;dr is that someone with a BeerAdvocate account was convinced the service had been pwned as they'd seen evidence of an email address and password they'd used on the service being abused. They reached out to my guy (we'll call him that for...

Analysing the (Alleged) Minneapolis Police Department "Hack"

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today: I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with links and screen caps of pastes as "evidence". This is almost certainly fake for several reasons: — Troy Hunt (@troyhunt) May 31, 2020 I was CC'd into a bunch of threads that were redistributing the...

COVIDSafe App Teardown & Panel Discussion

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking: Ok folks, let's talk about the Coronavirus tracking app as news of Australia adopting Singapore's "TraceTogether" gains momentum. I'd willingly run it and I want to explain why because there's also some very valid concerns. Let's begin: — Troy Hunt (@troyhunt) April 16, 2020...

Reassuring Words and Good Intentions Don't Mean Good Security

How much can you trust the assertions made by an organisation regarding their security posture? I don't mean to question whether the statements are truthful or not, but rather whether they provide any actual assurance whatsoever. For example, nearly 5 years ago now I wrote about how "we take security seriously" was a ridiculous statement to make immediately after a data breach. It seems that not much has changed since then: “At Comodo we take security very seriously and it is our highest priority.” A classic opening to an all too familiar announcement. Not a good day for any #CyberSecurity company.@comododesktop @troyhunt #InfoSec #DataBreach pic.twitter.com/JxGzS9evtT — Nigel Cox (@Harlekwin_UK) October 2, 2019 “We take security...

There is a Serious Lack of Corporate Responsibility During Breach Disclosures

Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of records containing personal information. I wanted to send you what’s been sent to me and give you the opportunity to respond before I notify my subscribers impacted in the incident. Could someone responsible for information security...

Everything is Cyber-Broken, The Online Edition!

We're live! Video embedded below: Under normal circumstances, we'd be sitting on a stage, beers in hands and doing our (I think we can use this term now) "world famous" Cyber-broken talk. It's like Top gear for nerds. @troyhunt #NDCLondon pic.twitter.com/wxzhM6uOCG — HarryMiller (@HarryMillerr) January 31, 2019 Scott and I have been doing these for a couple of years now, initially as a bit of a space-filler at NDC Security on the Gold Coast. We did it again at NDC Oslo a few months later, turned it into the party talk in London earlier last year (tweet above) and have continued to do it at every NDC event we've done since. Normally, it'd look something...