Mastodon

Security

A 403-post collection

Breach Disclosure Blow-by-Blow: Here's Why It's so Hard

For many years now, I've lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It's by far the single most time-consuming activity in processing breaches for Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and frankly, it's about the most thankless task I can imagine. Finding contact details is hard. Getting responses is hard. Not having an organisation just automatically assume you're trying to shake them down for cash is hard. So hard, i...

How Everything We're Told About Website Identity Assurance is Wrong

I have a vehement dislike for misleading advertising. We see it every day; weight loss pills, make money fast schemes and if you travel in the same circles I do, claims that extended validation (EV) certificates actually do something useful: > Why are you still claiming this @digicert [https://twitter.com/digicert?ref_src=twsrc%5Etfw]? This is extremely misleading, anyone feel like reporting this to the relevant advertising standards authority in their jurisdiction? https://t.co/enzJUodhdG pic...

Beg Bounties

When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago [https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/] , I had a nightmare of a time getting in touch with the company. They'd left a MongoDB instance exposed to the public without a password and someone had snagged all their data. Within the data were references that granted access to voice recordings made by children, stored in an...

You Don't Need to Burn off Your Fingertips (and Other Biometric Authentication Myths)

111 years ago almost to the day, a murder was committed which ultimately led to the first criminal trial to use fingerprints as evidence [https://www.smithsonianmag.com/history/first-case-where-fingerprints-were-used-evidence-180970883/] . We've all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people have ever been found to have a matching set [https://www.healthline.com/health/do-identical-twins-have-the-same-fing...

Hello CISO - Brought to You in Collaboration with 1Password

Today I'm really excited to announce a big piece of work 1Password and I have been focusing on this year, a totally free video series called "Hello CISO". This is a multi-part series that launched with part 1 and when I say "free", I don't mean "give us your personal data so we can market to you", I mean here it is, properly free: This is intended to be a very practical, broadly accessible series and whilst it has "CISO" in the title, we expect it'll be relevant well beyond the pointy end of th...

Why No HTTPS? The 2021 Version

More than 3 years ago now, Scott Helme [https://scotthelme.co.uk/] and I launched a little project called Why No HTTPS? [https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/] It listed the world's largest websites that didn't properly redirect insecure requests to secure ones. We updated it December before last [https://www.troyhunt.com/still-why-no-https/] and pleasingly, noted that more websites than ever were doing the right thing and for...

Data Breaches, Class Actions and Ambulance Chasing

This post has been brewing for a while, but the catalyst finally came after someone (I'll refer to him as Jimmy) recently emailed me regarding the LOQBOX data breach from 2020 [https://www.theregister.com/2020/03/02/financial_startup_loqbox_data_breach/]. Their message began as follows: > I am currently in the process of claiming compensation for a severe data breach which occurred on the 20th February 2020 Now I'll be honest - I had to Google this one. There are so many data breaches today tha...

I Now Own the Coinhive Domain. Here's How I'm Fighting Cryptojacking and Doing Good Things with Content Security Policies.

If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading about the illicit use of cryptomining on compromised websites and how through fortuitous circumstances, I now own coinhive.com and am doing something useful with it, read on. You know how people don't like ads? Yeah, me either (...

Gab Has Been Breached

I've investigated hundreds of data breaches over the years (there are 514 of them in Have I Been Pwned [https://haveibeenpwned.com/] as I write this), and for the most part, the situation with Gab is just another day on the internet. But Gab is also different, having grown dramatically in recent months as an alternative to mainstream incumbent platforms such as Twitter and Facebook and drawing a crowd primarily focused on right wing American politics. A couple of days ago, I posted a thread abo...

IoT Unravelled Part 3: Security

In part 1 [https://www.troyhunt.com/iot-unravelled-part-1-its-a-mess-but-then-theres-home-assistant/] of this series, I posited that the IoT landscape is an absolute mess but Home Assistant (HA) does an admirable job of tying it all together. In part 2 [https://www.troyhunt.com/iot-unravelled-part-2-ip-addresses-network-zigbee-custom-firmware-and-soldering/] , I covered IP addresses and the importance of a decent network to run all this stuff on, followed by Zigbee and the role of low power, lo...