Security

A 414-post collection

20 simple tips for safer internet banking

A few months back I had another chat to Today Tonight, a national prime time current affairs program I’ve previously appeared on in relation to call centre scammers taking over unsuspecting victims’ PCs [https://www.troyhunt.com/2012/08/virus-scams-social-engineering-victims.html]. This time it was about the security of internet banking which gave me a chance to collate some good practices, many of which didn’t go to air but I kept hold of with the intention of sharing in the context of the vide...

The problem with website security is us!

I write a lot about website security. Sometimes I’ll publicly point out flaws in software but there are many, many other times where it remains a private conversation for various reasons. The one common thread across most of these incidents is that as developers, we often make bad security design decisions. It’s us – the organic matter in the software development process – that despite the best of intentions make bad choices that introduce serious risks. My belief – and one of the key reasons I...

People Talking Tech talking security

It was a few months back now, but last year I spent a little time with fellow MVP Denny Cherry [http://twitter.com/mrdenny/] on his podcast People Talking Tech [http://peopletalkingtech.com]. We had a great talk about security in general with a lot of focus on SQL Injection in particular. It’s a nice light-hearted 24-minute chat that I enjoyed doing and I hope you enjoy listening to. You can listen online or download from People Talking Tech, Episode 18 – Troy Hunt [http://peopletalkingtech.com...

Is Java the root of all evil and can you really live without it in the browser?

Last week something a bit unusual happened; Java was found to have a serious vulnerability. Ok, stop laughing, Java has obviously had many serious vulnerabilities over many years, what’s different this time though is that the US government’s Computer Emergency Response Team (CERT) took the unprecedented step of telling folks to stop using it altogether. Here’s the word from Homeland Security [http://www.ibtimes.com/department-homeland-security-advises-computer-users-disable-java-1010998]: >...

Inviting hackers into our homes via the internet of things

I was at the Web Directions South conference [http://south12.webdirections.org/] the other day and you know what really struck me? There is a lot of very cool, very connected stuff either here now or coming very soon. Hackable stuff! So there’s this term going around which is The Internet of Things [http://en.wikipedia.org/wiki/Internet_of_Things] (it has its own Wikipedia page so it must be real), or in human speak, stuff that’s connected to the web. Unusual stuff like domestic appliances and...

Please login to your Facebook account: the execution of a data mining scam

So someone sends you a link to the latest Gangnam parody / cat meme / man jumping on frozen pool video and the link looks something like this: http://bit.ly/10PMelv Nothing unusual about this, every second link shared these days uses a bit.ly or t.co (or comparable) URL shortener. Because you have an insatiable desire to participate in the latest social phenomenon, you click through and see this: There’s also nothing unusual about Facebook asking you for credentials, let’s log in. Aw c’mon,...

EE-K! DM’ing your password is NEVER a good idea

It happened again – someone tweeted me about a negative security experience and I just had to take a look: [https://twitter.com/andrew_barratt/status/285343903874428928] C’mon, really? This can’t be for real. But a little more investigating and here we are: [https://twitter.com/EE/status/285305896358256640] This is bad (for reasons I’ll discuss shortly), but it’s far from isolated: [https://twitter.com/EE/status/285045909287497730] EE is over in the UK and they’re “the new network for y...

Stored procedures and ORMs won’t save you from SQL injection

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]

Everybody knows the easiest way to save yourself from SQL injection is to use object relational mappers (ORMs such as Entity Framework) or stored procedures, right? Often I see this becoming a mantra: “You don’t need to worry about SQLi if you’re using [Entity Framework | stored procedures]”. I also see the mantra blindly repeated and it’s wro...

Podcasting with SC magazine: The anatomy of a Facebook gift card scam

This week’s post on Disassembling the Woolworths Facebook scam [https://www.troyhunt.com/2012/11/disassembling-woolworths-facebook-scam.html] has had a pretty good run. In part, I suspect this is due to the approaching holiday shopping season and in part because I know this scam is really doing the rounds and being seen by a lot of people. Yesterday I had a chat with Dan Kaplan from Secure Computing Magazine [http://www.scmagazine.com/podcast-the-anatomy-of-a-facebook-gift-card-scam/article/269...

Disassembling the Woolworths Facebook scam

Who wants free stuff? C’mon, everybody wants a free lunch, right? Yes, yes they do and that’s precisely the trigger used in scams like this one. Recently I wrote about the mechanics of another Facebook scam [https://www.troyhunt.com/2012/10/she-did-what-in-school-mechanics-of.html] where the “bait” was photos of a salacious school girl. Many people – including female friends and my mother-in-law – readily fell for that one. This one takes quite a different and rather cunning approach which chai...