Security

A 414-post collection

Training the next generation of developers to be security conscious at SSW’s FireBootCamp

Heard of SSW’s FireBootCamp [http://firebootcamp.com/] before? It’s like those boot camps you see down at the local beaches and parks each morning, you know, the ones where a bunch of (apparently) willing participants are incessantly hammered by some drill-sergeant-like personal trainer for 30 minutes of blood, sweat and tears (I assume). But unlike this mob, the FireBootCamp folks don’t then towel off and chill for the rest of the day, instead they do this day after day, week after week for a w...

Pineappling all the things in Utah

I just had an absolutely tremendous trip over to Salt Lake City for the annual Pluralsight authors’ summit where 100 or so of us got together with the Pluralsight folks and talked about many wonderful things. Included in that time was a number of “lightning talks” or in other words, presos limited to 5 minutes during which you make as much impact as you possibly can. Clearly this called for me to break out the trusty wifi Pineapple [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaki...

The Tesco hack – here’s how it (probably) happened

As prophesised, it has happened – Tesco has had a serious security incident [http://www.bbc.co.uk/news/technology-26171130]. The prophecy, for new readers, was my piece on Lessons in website security anti-patterns by Tesco [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] from a couple of years back. The catalyst for that post was this now infamous tweet in response to my pointing out that they had mixed content on an otherwise secure page: [https://twitter.com/Tesco/sta...

Here’s how Bell was hacked – SQL injection blow-by-blow

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]. Yes, yes, it’s happened again – OWASP’s number one risk in the Top 10 [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] has featured prominently in a high-profile attack this time resulting in the leak of over 40,000 records from Bell in Canada [http://o.canada.com/technology/bell-canada-security-breach-391451/]. I...

For your convenience, please disable security warnings

Let’s just start here [https://www.smashwords.com/about/supportfaq]: Allow me to provide a technical security perspective on this – it’s complete bullshit. More specifically, you’re seeing this because whoever designed the Smashwords site screwed up and embedded insecure content in a page loaded over a secure connection. So what does this look like? Here’s an example in Internet Explorer: But more importantly, what does it actually mean? Short answer: you can’t trust the page any more tha...

I’m pwned, you’re pwned, we’re all pwned – introducing domain wide searches

It’s about six weeks into the life of Have I been pwned? [https://haveibeenpwned.com] now and I’m enormously pleased with the reception it’s received. The fact that I’ve had to write posts like the micro optimisation one [https://www.troyhunt.com/2013/12/micro-optimising-web-content-for.html] or the one about getting too big for Google [https://www.troyhunt.com/2013/12/too-big-for-google-when-analytics-fails.html] and had to deal with all the problems I’ve discussed there has actually been a very...

To what extent is an organisation liable when they get security wrong?

I was amused (and frankly a little bewildered) the other day to see this bloke in the paper [http://www.couriermail.com.au/news/queensland/brisbane-motorist-fined-for-leaving-car-window-slightly-down-on-hot-day/story-fnihsrf2-1226793936291]: What he’s holding there is a fine… for leaving his car windows down a little. You see, the police down here took a view that in doing so he was inviting criminals to break into his car by very clearly leaving his security in a compromised state. This, in...

Revealing the security secrets within ASP.NET with Pluralsight

Did you know that every time you submit a Web Forms page it sends a hash-based message authentication code with it so that the website can ensure the View State hasn’t been tampered with? Or that every time you use the MVC Razor syntax to emit anything to the page it HTML encodes it? Unless, of course, you’re using the Html.Raw helper – oh and that none of that does you any good in the JavaScript and CSS contexts or the HTML attribute context? Were you aware that ASP.NET limits the size of the...

Searching the Snapchat data breach with “Have I been pwned?”

Well we almost made it through the first day of the new year without a major data breach; it got to about mid-afternoon my time then wammo! The 2014 breach count was off and racing. If I’m honest, I actually spent some time procrastinating over whether this could really be considered a breach and indeed if the data was even of any functional value to an attacker. I came to the conclusion that it is and, well, it is. Let me explain the thinking and why I’ve made it searchable via Have I been pwned? [...

Have you been pwned? Now you can be automatically told when you are!

Just under three weeks ago now, I launched Have I been pwned? [https://www.troyhunt.com/2013/12/introducing-have-i-been-pwned.html] which could tell you if you owned one of 154 million email addresses that had been caught up in recent data breaches. Subsequently, the site turned out to be wildly popular [https://www.troyhunt.com/2013/12/introducing-have-i-been-pwned.html] and as with such things, a lot of good ideas came up in terms of features people would like to see. Without doubt, the numbe...