Security

A 408-post collection

Relax, it’s only your credit card! The near-zero impact of online fraud on consumers

Now I swear this is entirely coincidental, but only this month I wrote a very tongue-in-cheek piece titled Good news – your credit card is fine and only your irreplaceable things were hacked! [https://www.troyhunt.com/2015/09/good-news-your-credit-card-is-fine-and.html] The basic premise of this piece was that when you see a company proudly asserting that your credit card is fine even though they’ve just been pwned six ways from Sunday (hi Ashley Madison!), that assurance is of little consequenc...

Good news – your credit card is fine and only your irreplaceable things were hacked!

Hey, I really hate to tell you this, but we were hacked and your account containing a bunch of really sensitive personal data was exposed. I know, it’s enormously inconvenient but I have good news for you – your credit card is fine! Now yes, banks do have very good fraud protection these days and they would almost certainly have reversed any illegitimate charges, but isn’t this great news! Oh yeah – they’ll also issue you a new card too and don’t worry, that won’t cost you a cent. Yes, you’ll n...

Introducing you to browser security headers on Pluralsight

I’ve been doing this fantastic demo about browser security headers in a lot of my recent talks and workshops. It’s always a lot of fun and it’s very interactive – you can try this out for yourself right now – and it works like this: So cross site scripting (XSS) is still a big thing. Yes it’s been around for ages and yes we should be on top of it by now, but here we are. Anyway, I was at the AppSecEU conference in the Netherlands a few months ago and a local guy called Breno de Winter did a fan...

Ashley Madison data breach Q&A

This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach [https://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/] (well over 30M), but the sensitivity of the data within it. However the interest has surprised even me – I loaded the breached data into Have I been pwned? [https://haveibeenpwned.com/] (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a c...

Are your apps giving one device a favourable security position over the other?

I run a workshop which I often do privately for organisations or as a part of various conferences which I title “Hack Yourself First”. I wrote about what I do in these recently in relation to my upcoming US workshops next month [https://www.troyhunt.com/2015/07/its-app-sec-in-usa-and-hack-yourself.html] and the ones I’ll be doing in London in Jan [https://www.troyhunt.com/2015/07/its-time-to-visit-london.html] but in short, it’s a couple of days of very hands-on exercises where we look at a heap...

Azure websites SSL goes “A” grade

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? [https://haveibeenpwned.com/] (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me....

An analysis of the ISIS “hit list” of hacked personal data

I see literally millions of compromised records from online systems every week courtesy of maintaining Have I been pwned? [https://haveibeenpwned.com/] (HIBP), in fact I’ve seen well over 200M of them since starting the service just under two years ago. I’ve gotten used to seeing both seriously sensitive personal data (the Adult Friend Finder breach [http://fortune.com/2015/05/22/adultfriendfinder-hackers/] is a good example of that) as well as “copycat” breaches (the same data dumped under diff...

We’re struggling to get traction with SSL because it’s still a “premium service”

The web is going HTTPS only. In theory. The idea is that unless we encrypt all the transport things, we can have no confidence in the confidentiality, integrity or authenticity of the traffic and services we’re talking to. There’s growing awareness of how essential secure transport comms are (thank you NSA for your part in helping us come to this realisation), and indeed we’re being continually pushed in this direction. For example, last year Google said they’d start using the presence of HTTPS...

Learn ethical hacking and session hijacking on Pluralsight

A couple of months ago I wrote about how fellow author Dale Meredith and myself are building out an ethical hacking series on Pluralsight [https://www.troyhunt.com/2015/05/its-ethical-hacking-with-sql-injection_21.html] and in that post I launched the first course I had written for the series on SQL injection. You can read about the ethical hacking series in that blog post and what my approach to covering the CEH syllabus has been (hint: I have my own take on it), but what I will again point out...

Here’s how I’m going to handle the Ashley Madison data

This morning I was reading a piece on the Ashley Madison hack [http://www.inquisitr.com/2281408/ashley-madison-hack-customer-service-impact-team-complaints-was-he-on-ashley-madison-site-down-as-users-turn-to-private-investigators/] which helped cement a few things in my mind. The first thing is that if this data ends up being made public (and it’s still an “if”) then it will rapidly be shared far and wide. Of course this happens with many major data breaches, but the emergence already of domain...