Sponsored by:

Security

A 304-post collection

Mandatory ISP data retention and the law of unintended consequences

Well, good one Australia, UK and whoever else has embarked on this hare-brained scheme, you've just made things a whole lot worse. Our respective governments (in all their ivory-towered wisdom), have decided that because one of us could one day decide to become a terrorist, they'd better keep a big whack of our internet browsing history just in case. The theory these genius policy makers have is that if they can probe into all our lives far enough, they'll be able to see when we're doing terrorist kinda stuff. And really, what better way is there than siphoning up info on the websites we go to? Job done, beer o'clock, glad we solved that one. Except no, they've just made...

New Pluralsight Course: What Every Developer Must Know About HTTPS

It's a great time for HTTPS. Actually, there's never been a better time and as each day goes by, we see constant reminders of how important it is. Someone sent me a great example of this just the other day by virtue of a bug that had been lodged with Mozilla: Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business. If this sounds a...

Random thoughts on the use of breach data for protection of accounts

Someone sent me an email today which essentially boiled down to this: Hey, Microsoft's Azure Active Directory alerted me to leaked credentials but won't give me any details so there's very little I can do about it This is a really interesting scenario and it relates to the way Microsoft reports risk events, one of which is the discovery of leaked credentials that match those within AD. In other words, they've identified that someone used the same email address and password in multiple places and they've let the administrator of this particular AD instance know. As you can imagine from my work with Have I been pwned (HIBP), I have many thoughts on the subject. Rather than keep them to...

Here's where the Apple accounts hackers are threatening to wipe came from

The tech news recently has seen quite a lot of chatter about an alleged haul of Apple credentials, apparently about 250 million of them in all. Allegedly. Maybe. Or was it 300 million?. No - wait - it might have only been 200 million. The number itself has been the source of plenty of debate even within the members of the Turkish Crime Family (TCF) themselves. Now who really knows if they're Turkish or a family, the only part of the name we can get any consensus on is the "crime" component courtesy of them attempting to extort Apple as they threaten to delete account contents and remote-wipe Apple devices if payment isn't forthcoming by... today. The 7th of April....

The importance of trust and integrity in a VPN provider (and how MySafeVPN blew it)

I went to Helsinki a couple of years ago. I was there running a security workshop for a local company and whilst in town, I caught up with Mikko Hypponen: Troy Hunt (@troyhunt) in Helsinki today. Troy's http://t.co/zOiZnkMpNo service is highly recommended! Use it. pic.twitter.com/lf59Hz7zvI— Mikko Hypponen (@mikko) May 28, 2015 Now Mikko is a very interesting bloke having been around in the security industry since just about forever so he's seen a few things. There's a great TED talk where he talks about the first PC virus and actually travels to Pakistan to track down the guys who wrote it. He's also the Chief Research Officer at F-Secure who make...

Password managers don't have to be perfect, they just have to be better than not having one

LastPass had an issue the other day, a rather nasty one by all accounts that under certain (undisclosed) circumstances, it looks like it could lead to someone's password (or possibly passwords) being disclosed by virtue of a remote code execution vulnerability. This is not a good thing - nobody wants an RCE vuln in their software - but as is prone to happen with these incidents, some people went about promptly losing their minds. This prompted me to suggest the following: Password managers don't need to be perfect, they just need to be better than *not* using them which they unequivocally still are https://t.co/nVG5G6RAWx— Troy Hunt (@troyhunt) April 1, 2017 The mind-losing generally centred...

Is this hooded cyber-bandit the web's most prolific hacker?

I've been watching the cyber-news pretty closely lately and one of the biggest challenges we seem to have is attribution. I mean, stuff is getting hacked left right and centre but who's actually responsible?? I started paying closer attention and I reckon I've worked it out - it's mostly this guy: He fits the profile to a tee - hoodie, obfuscated face and an apparent love of binary, all calling cards of the modern day cyber-hacker. As you can clearly see from the image, he's suspected of perpetrating the massive Yahoo breach which is very serious business indeed. But it's when you start digging deeper that you realise how far this individual's cyber-raiding goes. For example, there was real concern...

Data breach disclosure 101: How to succeed after you've failed

Organisations don't plan to fail. Probably the closest we get to that in the security space is password hashing, which for all intents and purposes is an acknowledgement that one day, you may well lose them. But organisations rarely plan for how they should handle data breaches and when an incident does happen (and that seems to be a near certainty these days), they're left unprepared; they're in unfamiliar territory, there's enormous stress and pressures on them and frankly, they usually react pretty badly. I've seen a lot of examples of how organisations have dealt with incidents over the years. I've been inside the organisation, advising the organisation, often disclosing incidents to the organisation and of course like everyone else,...

I just added another 140 data breaches to Have I been pwned

There's a seemingly endless flood of data breaches these days. Pretty much every day I get sent dumps from somewhere or other, usually websites I've never heard of and often dating back to compromises from years ago. They vary in size from thousands of accounts to many millions - and this is just the ones I've looked at. In short, there's way more data than I have time to process. Occasionally though, an incident floats to the top of the others which is what's happened over the last few days. There was news just recently of a large number of vBulletin forums having been compromised by an actor known as "CrimeAgency" and the data consequently circulating. I had, in fact,...

We’ve lost control of our personal data (including 33M NetProspex records)

Earlier this week, I read a really interesting piece on 3 things that need to be done to save the web. The first observation was that "we’ve lost control of our personal data" and the author went on to observe the following: As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data and chose when and with whom to share it. What’s more, we often do not have any way of feeding back to companies what data we’d rather not share Now this wasn't written by just some random bloke on the internet, it was by...