Security

Earlier this year I wrote about 5 ways to implement HTTPS in an insufficient manner (and leak sensitive data) [https://www.troyhunt.com/2013/04/5-ways-to-implement-https-in.html]. The entire premise of the post was that following a customer raising concerns about their SSL implementation, Top CashBack went on to assert that everything that needed to be protected, was. Except it wasn’t, at least not sufficiently and that’s the rub with SSL; it’s not about having it or not having it, it’s about un...

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]Put on your black hats folks, it’s time to learn some genuinely interesting things about SQL injection. Now remember – y’all play nice with the bits and pieces you’re about to read, ok? SQL injection is a particularly interesting risk for a few different reasons: 1. It’s getting increasingly harder to write vulnerable code due to frameworks...

Last week I had a video chat with the guys over on PaulDotCom [http://pauldotcom.com/] (which, of course is at pauldotcom.com [http://pauldotcom.com/]) on a whole bunch of app sec related issues, specifically around how developers can become more security aware. We also spoke quite a bit on how developers and security people can generally get along with each other better than what they tend to at present which IMHO, is often a rather corrosive current state of affairs. There's a bit of banter i...

As regular readers will know by now, I’m not real fond of virus call centre scammers. You know, the ones who call you up while you’re making dinner or bathing and kids and tell you they’re from Microsoft and that your PC is infected with blah blah polymorphic blah? There’s a bunch of material on this blog already under the Scam tag [https://www.troyhunt.com/search/label/Scam] where I’ve captured the experience and shared it for fun and education. Thing is, the bloody galahs keep calling me so I...

As part of my general wish to be a good netizen and advocate of website security, I made a responsible disclosure the other day, you know, the kind where you privately email an organisation and pass on security flaws in their online presence that they might not otherwise be aware of. Anyway, the response was, well, you decide: > To date we've not had a single security issue stemming from [insert risk I sent to them here] Really? Not a single one? Clearly whatever defences this particular org...

I’ve been doing a number of smaller presentations to user groups and private audiences lately and one of the things I’ve been focussing on is trying to give a sense of how fundamentally broken the security of much of what we’re working with is. I’ve been focussing on three areas: broken web (easily discoverable flaws), broken developers (fundamental misunderstandings about important security concepts) and broken devices (vulnerable equipment on the web). This presentation was to the CIAOPS Virt...

This content is now available in the Pluralsight course "Secure Account Management Fundamentals" [http://www.pluralsight.com/courses/secure-account-management-fundamentals] Here’s the scenario – a user logs in to your website, comes back tomorrow and… has to log in again. The idea of the “remember me” feature – and let’s face it, we’ve all seen this before – is that their authenticated state is persisted beyond the immediate scope of use. What this means is that they can close the browser, turn...

A little while back I wrote about Hacking yourself first [https://www.troyhunt.com/2013/05/hack-yourself-first-how-to-go-on.html] and detailed a bunch of different ways for developers to seek out risks in their own apps, hopefully before attackers find them first. I’m extremely enthusiastic about this approach and believe that developers need to hone cyber-offence skills in order to properly understand – and protect their apps from – risks on the web. There’s a heap more content coming from me a...

I’ve been writing a bunch of content around HTTPS lately and recording videos to demonstrate the ease with which insecure implementations of SSL can be broken. For example, there was the piece on why you can’t trust SSL logos [https://www.troyhunt.com/2013/05/heres-why-you-cant-trust-ssl-logos-on.html], then how loading login forms over HTTP but posting to HTTPS is pointless [https://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html] and most recently, why those mixed content...

Here’s the thing about security – you can’t just “do it” then move on. What I mean by this is that it’s a continuous process and thinking that you only need to just implement some secure coding standards or scan the website once before go live leaves a great big hole in your process. For example, the other day I wrote about how insecurity is easy [https://www.troyhunt.com/2013/05/security-is-hard-insecurity-is-easy.html] where I talked about how Black and Decker had exposed ELMAH logs. This is...