Security

A 407-post collection

I'm Partnering with NordVPN as a Strategic Advisor

I love security. I love privacy. Consequently, it will come as no surprise that I love tools that help people achieve those objectives. Equally, I have no patience for false promises, and I've been very vocal about my feelings there: > But one of them is literally called “Secure VPN”, how is this possible?! “Are You Using These VPN Apps? Personal Info Of 20 Million Users Leaked: That’s 1.2TB Data” https://t.co/BPDww70Pgo — Troy Hunt (@troyhunt) July 20, 2020 [https://twitter.com/troyhunt/stat...

How BeerAdvocate Learned They'd Been Pwned

I love beer. This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd [https://untappd.com/] account, logging my beer experiences as I (used to 😢) travel around the world partaking in local beverages. When I received an email from someone over that way who happened to be a happy Have I Been Pwned (HIBP) user and wanted some cyber-assistance, I was intrigued. You'll never believe what happened next... The tl;dr is that someone with a BeerAdvoca...

Analysing the (Alleged) Minneapolis Police Department "Hack"

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death [https://en.wikipedia.org/wiki/Death_of_George_Floyd] is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches, which prompted me to tweet this out earlier today: > I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with...

COVIDSafe App Teardown & Panel Discussion

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking: > Ok folks, let's talk about the Coronavirus tracking app as news of Australia adopting Singapore's "TraceTogether...

Reassuring Words and Good Intentions Don't Mean Good Security

How much can you trust the assertions made by an organisation regarding their security posture? I don't mean to question whether the statements are truthful or not, but rather whether they provide any actual assurance whatsoever. For example, nearly 5 years ago now I wrote about how "we take security seriously" was a ridiculous statement to make immediately after a data breach [https://www.troyhunt.com/we-take-security-seriously-otherwise/]. It seems that not much has changed since then: > “At...

There is a Serious Lack of Corporate Responsibility During Breach Disclosures

Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of recor...

Everything is Cyber-Broken, The Online Edition!

We're live! Video embedded below: Under normal circumstances, we'd be sitting on a stage, beers in hands and doing our (I think we can use this term now) "world famous" Cyber-broken talk. > It's like Top gear for nerds. @troyhunt [https://twitter.com/troyhunt?ref_src=twsrc%5Etfw] #NDCLondon [https://twitter.com/hashtag/NDCLondon?src=hash&ref_src=twsrc%5Etfw] pic.twitter.com/wxzhM6uOCG [https://t.co/wxzhM6uOCG] — HarryMiller (@HarryMillerr) January 31, 2019 [https://twitter.com/HarryMillerr/s...

Hack Yourself First Workshops in Australia, Denmark and Portugal (Virtually, of Course)

Of course it's virtual because let's face it, nobody is going anywhere at the moment. Plenty of you aren't even going into an office any more let alone fronting up to a conference with hundreds or even thousands of people. That sucks for you because you end up both missing out on events and sooner or later, suffering from cabin fever (I've always found that difficult across many years of remote work). It also sucks for companies like NDC Conferences [https://ndcconferences.com/] whose entire liv...

The Difficulty of Disclosure, Surebet247 and the Streisand Effect

This is a blog post about disclosure, specifically the difficulty with doing it in a responsible fashion as the reporter whilst also ensuring the impacted organisation behaves responsibly themselves. It's not a discussion we should be having in 2020, a time of unprecedented regulatory provisions designed to prevent precisely the sort of behaviour I'm going to describe in this post. Here you're going to see - blow by blow - just how hard it is for those of us with the best of intentions to deal w...

Promiscuous Cookies and Their Impending Death via the SameSite Policy

Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it: If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes. What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes. Last one: what if an attacker di...