Security

A 323-post collection

The Alarming Prevalence of Data Breach Cover-Ups

Last week, The AA in the UK came spectacularly undone when attempting to cover up a data breach. I wrote about them while describing The 5 Stages of Data Breach Grief but in short, they consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April: A follower just advised they recently notified @TheAA_UK about 13GB of exposed DB backups. It's not clear if they ever notified customers. pic.twitter.com/gOGYJSfVep— Troy Hunt (@troyhunt) June 26, 2017 They then sought to play down the severity of the exposure by claiming that no credit card data was compromised: Which was completely and utterly false:...

The 5 Stages of Data Breach Grief

When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied: The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry.— The AA (@TheAA_UK) July 3, 2017 Problem is, this statement is entirely false as Graham Cluley subsequently pointed out: Yes - despite what it says - AA customer credit card data was exposed https://t.co/JJGwjj1DDN pic.twitter.com/R8mMOTzUbS— Graham Cluley...

Password Strength Indicators Help People Make Ill-Informed Choices

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: When website errors make no sense! @Argos_Online my password is more complex than your system can handle. What gives? @troyhunt #insecurity pic.twitter.com/64VA7qINGP— Jon Carlos (@billywizz) June 10, 2017 This was a very misleading error message on Argos' part and as it turns out, what it really meant was that they only allowed up to 20 characters in passwords. It's the classic arbitrary limit story; for various reasons which may include legacy dependencies, ignorance or very often, a database column of limited length (which then implies no password hashing and quite likely plain text storage), Argos...

Strawberrynet's privacy insanity

A little while back, I wrote about Website enumeration insanity and how our personal data was being mishandled. In a nutshell, an enumeration risk boils down to a feature on a website allowing anyone to "ask" if a user exists on the website with the site then returning a positive or negative response. For example, to this day you can go to Adult Friend Finder's password reset page, plug in anyone's email address and they'll happily tell you if they'd signed up for a bit of swinger sex action. (Or at least whether their address is on the site; someone else could have entered it into the registration form. Honestly...) Now all that's bad, but as I pointed...
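The password reset enumeration described above is easiest to see side by side: a handler that answers differently for known and unknown addresses, next to one that gives the same answer either way and still only emails registered users. This is an added illustration, not code from the original post or from any site it names; the user table, the email addresses and the outbox that stands in for a mail server are all constructed for the example.

```python
import hmac
import secrets

# Constructed user store and a list standing in for the outbound mail queue.
USERS = {"alice@example.com": {"id": 1}}
OUTBOX = []

UNIFORM_MESSAGE = "If that address is registered, we've sent it a password reset link."


def _send_reset_mail(email: str) -> None:
    """Generate a single-use token and 'send' it (appended to OUTBOX for the example)."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))


def reset_leaky(email: str) -> str:
    """Enumerable: the response text reveals whether the address is registered."""
    if email in USERS:
        _send_reset_mail(email)
        return "We've sent a password reset link to your email address."
    return "No account exists for that email address."


def reset_uniform(email: str) -> str:
    """Non-enumerable: identical response for any address; mail only goes to real users.

    The token is generated on both paths so the unknown-address branch does not
    return measurably faster than the known-address branch (a timing side channel
    would otherwise leak the same bit the message used to).
    """
    token = secrets.token_urlsafe(32)
    if email in USERS:
        OUTBOX.append((email, token))
    return UNIFORM_MESSAGE


def responses_identical(a: str, b: str) -> bool:
    """Constant-time comparison of two response bodies, as a tester would check them."""
    return hmac.compare_digest(a.encode(), b.encode())


if __name__ == "__main__":
    print(reset_leaky("alice@example.com"))
    print(reset_leaky("nobody@example.com"))   # leaks: different text
    print(reset_uniform("alice@example.com"))
    print(reset_uniform("nobody@example.com"))  # same text either way
    print("mails queued:", OUTBOX)
```

The same discipline applies to registration ("that address is already taken") and login ("unknown user" versus "wrong password"): one generic message, the same amount of work on every path, and rate limiting on top, because a uniform message still does not stop someone from hammering the endpoint.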

Free course: The GDPR Attack Plan

You know what people really like? Government regulation! ...crickets... Ok, maybe not so much, but this one is actually really important. The General Data Protection Regulation is an EU reg that kicks in on 25 May 2018 so we've got bang on a year to get organised. It's important within the EU because it relates to how data of their citizens and residents is handled and it's important outside the EU because the regulation can impact non-EU organisations too. I've been interested in GDPR for some time on a couple of fronts. For one, I like the idea of a regulation having some serious teeth when it comes to issuing penalties. This means up to €20M or 4% of annual...

Don't tell people to turn off Windows Update, just don't

You know what really surprised me about this whole WannaCry ransomware problem? No, not how quickly it spread. Not the breadth of organisations it took offline either and no, not even that so many of them hadn't applied a critical patch that landed a couple of months earlier. It was the reactions to this tweet that really surprised me: Why is malware effective? Because of idiotic advice like this: "Stop Windows 10 from automatically updating your PC" https://t.co/cRygHYMPNh— Troy Hunt (@troyhunt) May 13, 2017 When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it's hard to conclude that it...

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general. The ransomware problem Firstly, if ransomware is a foreign enough concept and you genuinely want to understand what it's about, I made a free course for Varonis last year titled "...

Password reuse, credential stuffing and another billion records in Have I been pwned

The short version: I'm loading over 1 billion breached accounts into HIBP. These are from 2 different "combo lists", collections of email addresses and passwords from all sorts of different locations. I've verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you're in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords. And before you ask for your password from the data, read about all the reasons...

Reckon you've seen some stupid security things? Here, hold my beer...

My mate Lars Klint shared this tweet the other day: Your password is not unique. pic.twitter.com/ga4GwxtzrQ— Lars Klint (@larsklint) April 16, 2017 Naturally, I passed it on because let's face it, that's some crazy shit going on right there. To which the Twitters responded with equal parts abject horror and berating comments for not having already identified this as a joke circulating on Reddit. But here's the thing - it's feasible. No really, I've seen some very stupid security stuff out there the likes of which make the above example not just believable, but likely. Don't believe me? Here, hold my beer... Remember me Let's say you want to build a "remember me" feature,...

Mandatory ISP data retention and the law of unintended consequences

Well, good one Australia, UK and whoever else has embarked on this hare-brained scheme, you've just made things a whole lot worse. Our respective governments (in all their ivory-towered wisdom), have decided that because one of us could one day decide to become a terrorist, they'd better keep a big whack of our internet browsing history just in case. The theory these genius policy makers have is that if they can probe into all our lives far enough, they'll be able to see when we're doing terrorist kinda stuff. And really, what better way is there than siphoning up info on the websites we go to? Job done, beer o'clock, glad we solved that one. Except no, they've just made...