Mastodon

Security

A 415-post collection

We’ve lost control of our personal data (including 33M NetProspex records)

Earlier this week, I read a really interesting piece on 3 things that need to be done to save the web [https://www.theguardian.com/technology/2017/mar/11/tim-berners-lee-web-inventor-save-internet] . The first observation was that "we’ve lost control of our personal data" and the author went on to observe the following: > As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data and chose when and with...

Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages

Only a couple of weeks ago, there were a lot of news headlines about how Germany had banned an internet-connected doll called "Cayla" over fears hackers could target children [http://www.telegraph.co.uk/news/2017/02/17/germany-bans-internet-connected-dolls-fears-hackers-could-target/] . One of their primary concerns was the potential risk to the privacy of children: > conversations between the child and others can be recorded and forwarded The Germans had a good point: kids' toys which record...

Pragmatic thoughts on #CloudBleed

It has a cool name and a logo - this must be serious! Since Heartbleed [https://en.wikipedia.org/wiki/Heartbleed], bug branding has become a bit of a thing and more than anything, it points to the way vulnerabilities like these are represented by the press. It helps with headlines and I'm sure it does wonderful things for bug (brand?) recognition, but it also has a way of drumming up excitement and sensationalism in a way that isn't always commensurate with the actual risk. That said, the Cloud...

HTTPS adoption has reached the tipping point

That's it - I'm calling it - HTTPS adoption has now reached the moment of critical mass [https://en.wikipedia.org/wiki/The_Tipping_Point] where it's gathering enough momentum that it will very shortly become "the norm" rather than the exception it so frequently was in the past. In just the last few months, there's been some really significant things happen that have caused me to make this call, here's why I think we're now at that tipping point. We've already passed the halfway mark for request...

A data breach investigation blow-by-blow

Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned [https://haveibeenpwned.com] (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source. This is exactly the process I go through, unedited and at the time of writing, with a completely unknown outcome. Warning: This one...

All websites have something of value for attackers: reputation

I was shopping around for a new exhaust system for the car the other day and I found exactly what I wanted [https://www.youtube.com/watch?v=9YvnsHsjPMY&index=1&list=FL48lBbLOUJzOkCg_4AV7N5w] via a seller on Facebook. I really wanted to get some more specs on it though so I did what any normal person would do and Googled for it, finding a result titled "Boost Logic Nissan R35 GT-R 4" Titanium Exhaust" and linking through to a page on the official Boost Logic website. However... Now this, clea...

The Ethereum forum was hacked and they've voluntarily submitted the data to Have I been pwned

The title says it all and the details are on their blog [https://blog.ethereum.org/2016/12/19/security-alert-12192016-ethereum-org-forums-database-compromised/] , but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April [https://www.troyhunt.com/100-data-breaches-later-have-i-been-pwned-gets-its-first-self-submission/] ), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make th...

Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the...

Get to grips with internet security basics, courtesy of Varonis

Most readers here understand security fundamentals. They know what makes a strong password, what the padlock in the address bar above means, why software updates are important, the value of locking their mobile devices and some of dangers we face with the internet of things. But equally, most of our friends, relatives and significant others don't. We know this because we're continually doing tech support for them and we experience the horrors of their security profiles first hand! Recently, Var...

Careers in security, ethical hacking and advice on where to get started

Many people will disagree with this post, not so much because it's flat out wrong but because there are so many different approaches one can take. It's a very subjective realm but I'm going to put forward some suggestions, make some considered arguments and leave it at that. The context is twofold as suggested by the title: Firstly, I get a lot of people asking me about how to get a start in the security industry. I've regularly reverted with "stay tuned, I'm writing something" and this blog po...