Security

More than 3 years ago now, Scott Helme [https://scotthelme.co.uk/] and I launched a little project called Why No HTTPS? [https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/] It listed the world's largest websites that didn't properly redirect insecure requests to secure ones. We updated it December before last [https://www.troyhunt.com/still-why-no-https/] and pleasingly, noted that more websites than ever were doing the right thing and for...

This post has been brewing for a while, but the catalyst finally came after someone (I'll refer to him as Jimmy) recently emailed me regarding the LOQBOX data breach from 2020 [https://www.theregister.com/2020/03/02/financial_startup_loqbox_data_breach/]. Their message began as follows: > I am currently in the process of claiming compensation for a severe data breach which occurred on the 20th February 2020 Now I'll be honest - I had to Google this one. There are so many data breaches today tha...

If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading about the illicit use of cryptomining on compromised websites and how through fortuitous circumstances, I now own coinhive.com and am doing something useful with it, read on. You know how people don't like ads? Yeah, me either (...

I've investigated hundreds of data breaches over the years (there are 514 of them in Have I Been Pwned [https://haveibeenpwned.com/] as I write this), and for the most part, the situation with Gab is just another day on the internet. But Gab is also different, having grown dramatically in recent months as an alternative to mainstream incumbent platforms such as Twitter and Facebook and drawing a crowd primarily focused on right wing American politics. A couple of days ago, I posted a thread abo...

In part 1 [https://www.troyhunt.com/iot-unravelled-part-1-its-a-mess-but-then-theres-home-assistant/] of this series, I posited that the IoT landscape is an absolute mess but Home Assistant (HA) does an admirable job of tying it all together. In part 2 [https://www.troyhunt.com/iot-unravelled-part-2-ip-addresses-network-zigbee-custom-firmware-and-soldering/] , I covered IP addresses and the importance of a decent network to run all this stuff on, followed by Zigbee and the role of low power, lo...

It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data [https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/] . The hard bit for me is figuring out whether it's pwn-worthy enough to justify loading it into Have I Been Pwned (HIBP) or if it's just more noise that ultimately doesn'...

Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember [https://www.troyhunt.com/only-secure-password-is-one-you-cant/]. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember. So, I set out to find a password manager and 10 Christmas holidays ago now, I spent the best 50 bucks ever: I chose...

Been a lot of "victim blaming" going on these last few days. The victim, through no fault of their own, has been the target of numerous angry tweets designed to ridicule their role in internet security and suggest they are incapable of performing their duty. Here's where it all started: > This is a great example of how bad people are at reading and understanding even the domain part of the URL then making decisions based on that which affect their security and privacy (see the answer under the...

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr [https://www.grindr.com/] is "The World's Largest Social Networking App for Gay, Bi, Trans, and Queer People" which for many people, makes it particularly sensitive. It's sensitive not just because by using the site it implies one's sexual orientation, but because of the sometimes sev...

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS [https://www.troyhunt.com/understanding-http-strict-transport/] and upgrade-insecure-requests via content security policies [https://www.troyhunt.com/the-6-st...