Security

In case you haven't noticed, we're on a rapid march towards a "secure by default" web when it comes to protecting traffic. For example, back in Feb this year, 20% of the Alexa Top 1 Million sites were forcing the secure scheme: These figures are from Scott Helme's biannual report [https://scotthelme.co.uk/alexa-top-1-million-analysis-feb-2017/] and we're looking at a 5-month-old number here. I had a quiet chat with him while writing this piece and apparently that number is now at 28% of the T...

Last week, The AA in the UK came spectacularly undone when attempting to cover up a data breach. I wrote about them while describing The 5 Stages of Data Breach Grief [https://www.troyhunt.com/the-5-stages-of-data-breach-grief/] but in short, they consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April: > A follower just advised they recently notified @TheAA_UK [https://twitter.com/TheAA_UK] about 13...

When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied: > The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry. — The AA (@TheAA_UK) July 3, 2017 [https://twitter.com/TheAA_UK/status/88...

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: > When website errors make no sense! @Argos_Online [https://twitter.com/Argos_Online] my password is more complex than your system can handle. What gives? @troyhunt [https://twitter.com/troyhunt] #insecurity [https://twitter.com/hashtag/insecurity?src=hash] pic.twitter.com/64VA7qINGP [https://t.co/64VA7qINGP] — Jon Carlos (@billywizz) June 10, 2017 [https://twitter.com/billywizz/sta...

A little while back, I wrote about Website enumeration insanity [https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/] and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to "ask" if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder's password reset page [https://adultfriendfinder...

You know what people really like? Government regulation! ...crickets... Ok, maybe not so much, but this one is actually really important. The General Data Protection Regulation [https://en.wikipedia.org/wiki/General_Data_Protection_Regulation] is an EU reg that kicks in on 25 May 2018 so we've got bang on a year to get organised. It's important within the EU because it relates to how data of their citizens and residents is handled and it's important outside the EU because the regulation can im...

You know what really surprised me about this whole WannaCry ransomware problem [https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/]? No, not how quickly it spread. Not the breadth of organisations it took offline either and no, not even that so many of them hadn't applied a critical patch that landed a couple of months earlier. It was the reactions to this tweet that really surprised me: > Why is malware effective? Because of idiotic advice like this: "Stop Wi...

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general. The ransom...

The short version: I'm loading over 1 billion breached accounts into HIBP. These are from 2 different "combo lists", collections of email addresses and passwords from all sorts of different locations. I've verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you're in there then treat it as a reminder that your data is out there circulating...

My mate Lars Klint shared this tweet the other day: > Your password is not unique. pic.twitter.com/ga4GwxtzrQ [https://t.co/ga4GwxtzrQ] — Lars Klint (@larsklint) April 16, 2017 [https://twitter.com/larsklint/status/853507749488975873] Naturally, I passed it on [https://twitter.com/troyhunt/status/853517036131041280] because let's face it, that's some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already iden...