Sponsored by:

Security

A 293-post collection

Pragmatic thoughts on #CloudBleed

It has a cool name and a logo - this must be serious! Since Heartbleed, bug branding has become a bit of a thing and more than anything, it points to the way vulnerabilities like these are represented by the press. It helps with headlines and I'm sure it does wonderful things for bug (brand?) recognition, but it also has a way of drumming up excitement and sensationalism in a way that isn't always commensurate with the actual risk. That said, the Cloudflare bug is bad, but the question we need to be asking is "how bad"? I saw the news break yesterday morning my time and I've been following it closely since. As I've written a lot about Cloudflare...

HTTPS adoption has reached the tipping point

That's it - I'm calling it - HTTPS adoption has now reached the moment of critical mass where it's gathering enough momentum that it will very shortly become "the norm" rather than the exception it so frequently was in the past. In just the last few months, there's been some really significant things happen that have caused me to make this call, here's why I think we're now at that tipping point. We've already passed the halfway mark for requests served over HTTPS This was one of the first signs that we'd finally hit that tipping point and it came a few months ago: Yesterday, for the first time, @Mozilla telemetry shows more than 50% of page loads were encrypted...

A data breach investigation blow-by-blow

Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source. This is exactly the process I go through, unedited and at the time of writing, with a completely unknown outcome. Warning: This one is allegedly an adult website and you're going to see terms and concepts related to exactly the sort of thing you'd expect from a site like that. I'm not going to censor words or...

All websites have something of value for attackers: reputation

I was shopping around for a new exhaust system for the car the other day and I found exactly what I wanted via a seller on Facebook. I really wanted to get some more specs on it though so I did what any normal person would do and Googled for it, finding a result titled "Boost Logic Nissan R35 GT-R 4" Titanium Exhaust" and linking through to a page on the official Boost Logic website. However... Now this, clearly, isn't a good look. This is the official site and not a spoof or phishing site, yet Google had just put up a massive barrier to entry. It got me thinking about the old adage we hear so many times in...

The Ethereum forum was hacked and they've voluntarily submitted the data to Have I been pwned

The title says it all and the details are on their blog, but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make that data searchable". This is in an era when most organisations are doing their utmost to downplay the significance of an event like this too. This incident comes at a time when I'm writing up a fairly heft blog post on how organisations should communicate in the wake of a data breach. There's a lot of examples in there from previous incidents - mostly around...

Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the services sitting behind it. Then there's the security seals placed on the page and, well, just go and read clubbing seals if you're not already aware of just how fundamentally irrelevant (and even...

Get to grips with internet security basics, courtesy of Varonis

Most readers here understand security fundamentals. They know what makes a strong password, what the padlock in the address bar above means, why software updates are important, the value of locking their mobile devices and some of dangers we face with the internet of things. But equally, most of our friends, relatives and significant others don't. We know this because we're continually doing tech support for them and we experience the horrors of their security profiles first hand! Recently, Varonis asked if I could build a course for these folks, the ones that really need it. It's a change of pace to most of my courses that are targeted at technology professionals and obviously that means covering the fundamentals is...

Careers in security, ethical hacking and advice on where to get started

Many people will disagree with this post, not so much because it's flat out wrong but because there are so many different approaches one can take. It's a very subjective realm but I'm going to put forward some suggestions, make some considered arguments and leave it at that. The context is twofold as suggested by the title: Firstly, I get a lot of people asking me about how to get a start in the security industry. I've regularly reverted with "stay tuned, I'm writing something" and this blog post is it. Secondly, over most of last year and the first half of this one, I've been creating material to help people who want to pursue security careers. It's the Ethical...

How Chrome's buggy content security policy implementation cost me money

Content security policies (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests yet a curse because they can also do screwy things like break your site. Now in fairness, the breaking bit linked to there was more because of Safari's screwy implementation than because of the CSP spec itself, but that brings me to today's post on yet another screwy browser implementation of CSP. This time, it's Chrome's turn and it didn't just cause content to be blocked, it actually cost me money. Let me explain. I have a donate page on Have I been pwned (HIBP). I honestly didn't expect people to give...

43,203 Indian patient pathology reports were left publicly exposed by Health Solutions

I'm used to seeing large amounts of personal data left inadvertently exposed to the web. Recently, the Red Cross Blood Service down here left a huge amount of data exposed (well, at least the company doing their tech things did). Shortly afterwards, the global recruitment company Michael Page also lost a heap (also due to a partner, Capgemini). Both cases were obviously extremely embarrassing for the companies involved and they did exactly what you'd expect them to do once they found out about it - they pulled the data offline as fast as humanly possible. And this is how it generally goes with incidents like this; lots of embarrassment, lots of scrambling to fix then lots of apologising afterwards. Which...