Sponsored by:

Security

A 291-post collection

Data breach claims are often poorly researched, unsubstantiated and ultimately fake

I have multiple Yahoo data breaches. I have a Twitter data breach. I have Facebook data breaches. I know they are data breaches from those sources because people told me they are, ergo, they're data breaches. Except they're not - they're all fake. Problem is though, fake data breaches don't make for a very good headline nor do they give you something worth trading; for many people, it's not in their best interests to establish what's fake and what's not. Earlier this year I wrote about how I verify data breaches and gave an example of Zoosk, the "data breach" that turned out to be anything but. It would have been easy for me to loads the tens of millions...

Disqus' mixed content problem and fixing it with a CSP

I write a blog with a lot of security things on it so understandably, it upsets me somewhat when my site throws security warnings: I'd had a number of people report this and indeed I'd seen it myself, albeit transiently. Diving into the console, I found the source of the problem: Who the hell is Circulate?! And what are they doing in my blog? Let's find out: Right... I don't have any ads on my blog these days (just sponsor messages) so there shouldn't be any third-party monetisation going on. However, what I'd noticed about this issue is that it always seemed to occur when loading Disqus comments and certainly they do some ad things, albeit ad things that I'd...

New Pluralsight course: Exploring the Internet of Vulnerabilities

I've done a number of "Play by Play" courses for Pluralsight this year on a range of topics including Social Engineering with my mate Lars Klint, Deconstructing the Hack with my mate Gary Eimerman, Modernizing Your Deployment Strategy with Octopus Deploy with my mate Damo Brady and the latest one that's just landed, Exploring the Internet of Vulnerabilities with my mate Niall Merrigan. Lot of Play by Plays, lot of mates and frankly, that's what makes all these courses work; they're all friends I spend time with both in a professional capacity and in a drinking beer capacity. The Play by Play courses are all about the dialogue between two people talking through technology concepts and the chemistry is really...

Apple's desensitisation of the human race to fundamental security practices

My son turned 7 earlier this month. I've been getting him into coding and teaching him the fundamentals of using a PC which I reckon is a pretty essential life skill these days. Part of that is helping him to understand the principle of secrets, namely that he should protect the PIN he's using to sign in to his Windows 10 machine. He's good at it too, being sure to shield the little laptop from view whenever he uses it with others around. But based on my experience today, if he was to walk into an Apple store today with a faulty iPhone, he'd be taught a very different lesson: Tried to get a faulty iPhone speaker looked at in...

The Red Cross Blood Service: Australia's largest ever leak of personal data

I don't give blood as much as I should. My wife has a much better track record than me, regularly donating not just blood but plasma and platelets as well. I know this not just because it's the sort of thing we talk about, but because her data - along with mine - has been leaked publicly in what I believe is the largest ever leak of Aussie data from a local service. Because of the coverage this incident will inevitably receive, I'm writing this piece in advance of them publicly disclosing it in order to answer as many of the inevitable questions which will arise as possible. I also want to make it abundantly clear up front that this...

Should you care about the quality of your neighbours on a SAN certificate?

We've all had bad neighbours before. Perhaps they were noisy, maybe the kids ran riot or they could have been just continually snaring all the visitor parking spots in your apartment building (bastards). But last week, someone popped up with another bad neighbour story which was quite different to usual... Fellow MVP Paul Cunningham runs a blog over at paulcunningham.me and for the most part, it looks like any other ordinary blog: Now being a forward-thinking bloke, Paul has elected to serve his blog over HTTPS and as I've advocated for many times in the past, he chose to go with Cloudflare to do it. It would have been a 5-minute job for Paul; create the site on Cloudflare,...

New Pluralsight Course: Deconstructing the Hack

I was on another whirlwind trip back in July, this time to a bunch of spots in the US which included Chicago where Pluralsight has one of their offices. The last time I was there I'd recorded a "Play by Play" course which is video recorded rather than a screen cast like so many of my others. It meant myself and someone else (in this case, Gary Eimerman who's part of the Pluralsight team) actually sitting in front of the camera talking about security as well as recording snippets of screens to illustrate the discussion. I really loved the format of that course as it's very candid and feels like an organic discussion rather than a carefully rehearsed presentation. So...

Here's how broken today's web will feel in Chrome's secure-by-default future

Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting is browser warnings: That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right. But here's the really interesting bit - that's just the beginning because Google has a plan: a long-term plan to mark all HTTP sites as non-secure I want to show you the significance of this on everyday websites and we can do that today by virtue of jumping into chrome://flags then scrolling down to "Mark non-secure origins as...

Someone just lost 324k payment records, complete with CVVs

Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post. I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, there'll be a private disclosure to the company involved. Good journos are very adept at getting answers to these things and when it's going to be a story that hits the news anyway, it ensures...

The Dropbox hack is real

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this: What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at...