Security

I’ve just launched my latest Pluralsight course titled Ethical Hacking, Denial of Service [https://app.pluralsight.com/library/courses/ethical-hacking-denial-service/table-of-contents] but before I explain what’s in it, let’s kick off with some trivia: DDoS attacks have increased massively in size in recent years: This is from Arbor Networks’ latest Worldwide Infrastructure Security Report [https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf] and that was current in October wh...

Cross site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web form style resource, then it’s frequently an API somewhere (you’re pa...

I get a lot of people popping up with data breaches for Have I been pwned [https://haveibeenpwned.com/] (HIBP). There’s an interesting story in that itself actually, one I must get around to writing in the future as folks come from all sorts of different backgrounds and offer up data they’ve come across in various locations. Recently someone sent me a list of various data breaches they’d obtained, including this one: > InstantCheckmate 2015 - 80M entries On the surface of it, that’s a phenom...

I spend a lot of time on Have I been pwned [https://haveibeenpwned.com/] (HIBP) which consists of both maintaining and building out the software with new features as well as obviously sourcing new data for it on a regular basis. I make it freely available to the community and some time ago at the suggestion of some of those who’d found it useful, I stood up a donations page [https://haveibeenpwned.com/Donate]. Whilst the service is cheap to run courtesy of Azure being pretty cost efficient, it’s...

Last month I was over in Norway doing training for ProgramUtvikling, [http://programutvikling.no/] the good folks who run the NDC conferences I've become so attached to. I was running my usual “Hack Yourself First” workshop [https://www.troyhunt.com/2016/02/more-europe-even-more-again-and-more.html] which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cov...

There was a piece in the news the other day on how a high school teacher videod his sexual exploits then stored them on Dropbox, after which it was summarily compromised. The video was then posted to the school’s faculty page which obviously caused him enormous embarrassment then to top it off, the school fired him. This is a newsworthy story with regards to privacy and security and was worth sharing: > Probably don't put these in Dropbox: "Teacher’s sex tape stolen from hacked Dropbox, posted...

Some days, the news is dominated by a single security story and not just in the tech news either, but today the consumer news is all about Apple’s message to their customers [http://www.apple.com/customer-letter/]. I’ve been getting a heap of media requests and seeing some really interesting things said about the story so let me distill all the noise into the genuinely interesting things that are worth knowing. There are way more angles to this than initially meet the eye, and it’s a truly signi...

The other day, a hacker compromised someone’s email account. It was almost certainly a phishing attack, he probably just sent them over an email claiming to be from the victim’s organisation and then just, well, asked for their credentials. From there, the attacker wandered over to the web portal of the victim’s organisation and attempted to logon, which unfortunately for him didn’t work. No worries, they simply called up the helpdesk who kindly gave him access. So now he’s logged in to the vict...

I just spent almost a month in Europe and did an insane number of events: 7 workshops of 2 days each, 6 conference talks, video interviews, Pluralsight courses, media events, multiple user groups and amazingly, absolutely everything went perfectly to plan! Trips like that are both very intensive and very fulfilling and whilst 27 days was longer than I’d ideally like, I had a fantastic time in Europe so I’m coming back again – twice – in the coming months. I’ve give you the tl;dr version first t...

We tend to get very focused on digital security controls; firewalls, antivirus, software updates and then all the usual practices I spend so much time talking to developers about, stuff like defending against SQL injection, cross site scripting and a whole raft of other attacks against systems. But the bigger risk – and it’s one that doesn’t get near as much coverage – is attacks against humans. Whereas most of the time we’re thinking about attacks against the systems, we tend to neglect weaknes...