Sponsored by:

Security

A 298-post collection

Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the services sitting behind it. Then there's the security seals placed on the page and, well, just go and read clubbing seals if you're not already aware of just how fundamentally irrelevant (and even...

Get to grips with internet security basics, courtesy of Varonis

Most readers here understand security fundamentals. They know what makes a strong password, what the padlock in the address bar above means, why software updates are important, the value of locking their mobile devices and some of dangers we face with the internet of things. But equally, most of our friends, relatives and significant others don't. We know this because we're continually doing tech support for them and we experience the horrors of their security profiles first hand! Recently, Varonis asked if I could build a course for these folks, the ones that really need it. It's a change of pace to most of my courses that are targeted at technology professionals and obviously that means covering the fundamentals is...

Careers in security, ethical hacking and advice on where to get started

Many people will disagree with this post, not so much because it's flat out wrong but because there are so many different approaches one can take. It's a very subjective realm but I'm going to put forward some suggestions, make some considered arguments and leave it at that. The context is twofold as suggested by the title: Firstly, I get a lot of people asking me about how to get a start in the security industry. I've regularly reverted with "stay tuned, I'm writing something" and this blog post is it. Secondly, over most of last year and the first half of this one, I've been creating material to help people who want to pursue security careers. It's the Ethical...

How Chrome's buggy content security policy implementation cost me money

Content security policies (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests yet a curse because they can also do screwy things like break your site. Now in fairness, the breaking bit linked to there was more because of Safari's screwy implementation than because of the CSP spec itself, but that brings me to today's post on yet another screwy browser implementation of CSP. This time, it's Chrome's turn and it didn't just cause content to be blocked, it actually cost me money. Let me explain. I have a donate page on Have I been pwned (HIBP). I honestly didn't expect people to give...

43,203 Indian patient pathology reports were left publicly exposed by Health Solutions

I'm used to seeing large amounts of personal data left inadvertently exposed to the web. Recently, the Red Cross Blood Service down here left a huge amount of data exposed (well, at least the company doing their tech things did). Shortly afterwards, the global recruitment company Michael Page also lost a heap (also due to a partner, Capgemini). Both cases were obviously extremely embarrassing for the companies involved and they did exactly what you'd expect them to do once they found out about it - they pulled the data offline as fast as humanly possible. And this is how it generally goes with incidents like this; lots of embarrassment, lots of scrambling to fix then lots of apologising afterwards. Which...

Get "The Information Security Big Picture" on Pluralsight now!

If you're here reading this then it probably won't come as a big surprise but brace yourself anyway - we have a security problem. Yes, yes, I know, it's all very terrifying and not a day goes by where someone isn't getting cyber-something'd. As best I can tell from the news, it's pretty much all to do with guys in hoodies sitting at green screens pwning all our things. I'm quite sure that's the case, I even did a quick check on Google to confirm: I talk about these crazy hacker perceptions in the intro of my new Pluralsight course and despite the sensationalist and inaccurate imagery in the reporting, security genuinely is a big problem. In my view, much...

8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours

Let me make it crystal clear in the opening paragraph: this incident is not about any sort of security vulnerability on GitHub's behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service. My data. Probably your data if you're in the software industry. Millions of people's data. On Saturday, a character in the data trading scene popped up and sent me a 594MB file called geekedin.net_mirror_20160815.7z. It was allegedly a MongoDB backup from August belonging to a site I'd not heard of before, one called GeekedIn and they apparently do this: A bit of searching around suggested...

Data breach claims are often poorly researched, unsubstantiated and ultimately fake

I have multiple Yahoo data breaches. I have a Twitter data breach. I have Facebook data breaches. I know they are data breaches from those sources because people told me they are, ergo, they're data breaches. Except they're not - they're all fake. Problem is though, fake data breaches don't make for a very good headline nor do they give you something worth trading; for many people, it's not in their best interests to establish what's fake and what's not. Earlier this year I wrote about how I verify data breaches and gave an example of Zoosk, the "data breach" that turned out to be anything but. It would have been easy for me to loads the tens of millions...

Disqus' mixed content problem and fixing it with a CSP

I write a blog with a lot of security things on it so understandably, it upsets me somewhat when my site throws security warnings: I'd had a number of people report this and indeed I'd seen it myself, albeit transiently. Diving into the console, I found the source of the problem: Who the hell is Circulate?! And what are they doing in my blog? Let's find out: Right... I don't have any ads on my blog these days (just sponsor messages) so there shouldn't be any third-party monetisation going on. However, what I'd noticed about this issue is that it always seemed to occur when loading Disqus comments and certainly they do some ad things, albeit ad things that I'd...

New Pluralsight course: Exploring the Internet of Vulnerabilities

I've done a number of "Play by Play" courses for Pluralsight this year on a range of topics including Social Engineering with my mate Lars Klint, Deconstructing the Hack with my mate Gary Eimerman, Modernizing Your Deployment Strategy with Octopus Deploy with my mate Damo Brady and the latest one that's just landed, Exploring the Internet of Vulnerabilities with my mate Niall Merrigan. Lot of Play by Plays, lot of mates and frankly, that's what makes all these courses work; they're all friends I spend time with both in a professional capacity and in a drinking beer capacity. The Play by Play courses are all about the dialogue between two people talking through technology concepts and the chemistry is really...