Security

A 407-post collection

Data Breaches, Class Actions and Ambulance Chasing

This post has been brewing for a while, but the catalyst finally came after someone (I'll refer to him as Jimmy) recently emailed me regarding the LOQBOX data breach from 2020 [https://www.theregister.com/2020/03/02/financial_startup_loqbox_data_breach/]. Their message began as follows:

> I am currently in the process of claiming compensation for a severe data breach which occurred on the 20th February 2020

Now I'll be honest - I had to Google this one. There are so many data breaches today tha...

I Now Own the Coinhive Domain. Here's How I'm Fighting Cryptojacking and Doing Good Things with Content Security Policies.

If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading about the illicit use of cryptomining on compromised websites and how through fortuitous circumstances, I now own coinhive.com and am doing something useful with it, read on. You know how people don't like ads? Yeah, me either (...

Gab Has Been Breached

I've investigated hundreds of data breaches over the years (there are 514 of them in Have I Been Pwned [https://haveibeenpwned.com/] as I write this), and for the most part, the situation with Gab is just another day on the internet. But Gab is also different, having grown dramatically in recent months as an alternative to mainstream incumbent platforms such as Twitter and Facebook and drawing a crowd primarily focused on right wing American politics. A couple of days ago, I posted a thread abo...

IoT Unravelled Part 3: Security

In part 1 [https://www.troyhunt.com/iot-unravelled-part-1-its-a-mess-but-then-theres-home-assistant/] of this series, I posited that the IoT landscape is an absolute mess but Home Assistant (HA) does an admirable job of tying it all together. In part 2 [https://www.troyhunt.com/iot-unravelled-part-2-ip-addresses-network-zigbee-custom-firmware-and-soldering/], I covered IP addresses and the importance of a decent network to run all this stuff on, followed by Zigbee and the role of low power, lo...

Inside the Cit0Day Breach Collection

It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data [https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/]. The hard bit for me is figuring out whether it's pwn-worthy enough to justify loading it into Have I Been Pwned (HIBP) or if it's just more noise that ultimately doesn'...

I've Joined the 1Password Board of Advisers

Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember [https://www.troyhunt.com/only-secure-password-is-one-you-cant/]. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember. So, I set out to find a password manager and 10 Christmas holidays ago now, I spent the best 50 bucks ever: I chose...

Humans are Bad at URLs and Fonts Don’t Matter

Been a lot of "victim blaming" going on these last few days. The victim, through no fault of their own, has been the target of numerous angry tweets designed to ridicule their role in internet security and suggest they are incapable of performing their duty. Here's where it all started:

> This is a great example of how bad people are at reading and understanding even the domain part of the URL then making decisions based on that which affect their security and privacy (see the answer under the...

Hacking Grindr Accounts with Copy and Paste

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr [https://www.grindr.com/] is "The World's Largest Social Networking App for Gay, Bi, Trans, and Queer People" which for many people, makes it particularly sensitive. It's sensitive not just because by using the site it implies one's sexual orientation, but because of the sometimes sev...

Padlocks, Phishing and Privacy; The Value Proposition of a VPN

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's missions to secure the web and of browser paradigms such as HSTS [https://www.troyhunt.com/understanding-http-strict-transport/] and upgrade-insecure-requests via content security policies [https://www.troyhunt.com/the-6-st...

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:

You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn't the whole point of encryption that it protects data when exposed to unintended parties? Ah, yes, but it wasn't encrypted it was hashed and therein lies a key difference:

> Saying that passwords are “encrypted” over and over again doesn’t make it so. They’re bcrypt hashes so g...