Security

A 376-post collection

Here's Why [Insert Thing Here] Is Not a Password Killer

These days, I get a lot of messages from people on security related things. Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. But on a fairly regular basis, I get an email from someone which effectively boils down to this: Hey, have you seen [insert thing here]? It's totally going to kill passwords!No, it's not and to save myself from repeating the same message over and over again, I want to articulate precisely why passwords have a lot of life left in them yet. But firstly, let me provide a high-level overview of the sort of product...

New Pluralsight Course: Adapting to the New Normal: Embracing a Security Culture of Continual Change

I take more pleasure than I probably should in watching the bewilderment within organisations as the technology landscape rapidly changes and rushes ahead of them. Perhaps "pleasure" isn't the right word, is it more "amusement"? Or even "curiosity"? Whichever it is, I find myself rhetorically asking "so you just expected everything to stay the same forever, did you?" A case in point: you should look for the green padlock on a website so that you know it's safe. Except that you can't say that anymore because so many phishing sites are using HTTPS (remember, encryption is morally neutral) which is why Barclays Bank had their ad pulled earlier this year. You also can't say "green padlock" anymore because after Chrome...

Extended Validation Certificates are Dead

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave when it lands next week): I chose Comodo's website to illustrate this change as I was reminded of the desperation involved in selling EV just last month when...

The 42M Record kayo.moe Credential Stuffing Data

This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which appeared to contain personal data from a breach. Let me be crystal clear about one thing early on: This is not about a data breach of kayo.moe - there's absolutely no indication of any sort of security...

The Effectiveness of Publicly Shaming Bad Security

Here's how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation and express their outrage at the stated position. Where it gets interesting (and this is the whole point of the post), is when another group of folks pop up and accuse the outraged group of doing a bit of this: Shaming. Or chastising, putting them in their place or taking them down a peg or two. Whatever synonym you choose, the underlying criticism is that the outraged group is wrong...

New Pluralsight Course: Modern Browser Security Reports

Rounding out a recent spate of new Pluralsight courses is one final one: Modern Browser Security Reports. This time, it's with Scott Helme who for most of my followers, needs no introduction. You may remember Scott from such previous projects as securityheaders.io, Report URI and, as it relates to this course, our collective cleaning up at a couple of recent UK awards nights: With @Scott_Helme (at a different awards night) learning we both just scored at the European Cyber Security Blogger Awards! pic.twitter.com/RbCoLsKTja — Troy Hunt (@troyhunt) June 5, 2018 That particular awards night relates to this course because at that particular event, our little Report URI project won the SC Award for Best Emerging...

New Pluralsight Course: Defending Against JavaScript Keylogger Attacks on Payment Card Information

Only a few weeks ago, I wrote about a new GDPR course with John Elliott. We've been getting fantastic feedback on that course and I love the way John has been able to explain GDPR in a way that's actually practical and makes sense! In my experience, that's a bit of a rare talent in GDPR land... When we recorded that course in London a couple of months back, we also recorded another one on Defending Against JavaScript Keylogger Attacks on Payment Card Information. John has a background in payment systems and he's seen more than his fair share of attacks against them, particularly those which scrape card data straight out of the client side. As luck would have it...

New Pluralsight Course: Bug Bounties for Researchers

Earlier this year, I spent some time in San Fran with friend and Bugcrowd founder Casey Ellis where we recorded a Pluralsight "Play by Play" titled Bug Bounties for Companies. I wrote about that in the aforementioned post which went out in May and I mentioned back then that we'd also created a second course targeted directly at researchers. We had to pull together some additional material on that one but I'm please to now share the finished product with you: Bug Bounties for Researchers This course covers many of the issues folks considering getting involved in bug bounties often ask: How do they find bounties? How do they stay out of legal trouble? How successful can good...

Why No HTTPS? Questions Answered, New Data, Path Forward

So that little project Scott Helme and I took on - WhyNoHTTPS.com - seems to have garnered quite a bit of attention. We had about 81k visitors drop by on the first day and for the most part, the feedback has been overwhelmingly positive. Most people have said it's great to have the data surfaced publicly and they've used that list to put some pressure on sites to up their game. We're already seeing some sites on the Day 1 list go HTTPS (although frankly, if the site is that large and they've done it that quickly then I doubt it's because of our list), and really, that's the best possible outcome of this project - seeing websites drop...

Why No HTTPS? Here's the World's Largest Websites Not Redirecting Insecure Requests to HTTPS

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely: The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t...