Security

Update, 14 Feb 2014: A year and a half on from writing this, Tesco has indeed suffered a serious security incident almost certainly as a result of some of the risks originally detailed here. Read more about it in The Tesco hack – here’s how it (probably) happened [https://www.troyhunt.com/2014/02/the-tesco-hack-heres-how-it-probably.html]. -------------------------------------------------------------------------------- Let me set the scene for this post by sharing a simple tweet from last nig...

Last month I wrote about our password hashing having no clothes [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html] which, to cut to the chase, demonstrated how salted SHA hashes (such as created by the ASP.NET membership provider), offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story on this (read that article before this one if not), but the bottom line was that cryptographic hashing of passwords needs to...

It happened again last week. No, not Yahoo! Voices [https://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html], not the Phandroid Android forums [http://www.zdnet.com/android-forums-hacked-1-million-user-credentials-stolen-7000000817/] , not NVidia [http://www.zdnet.com/nvidia-confirms-hackers-swiped-up-to-400000-user-accounts-7000000903/] and not Formspring [http://www.zdnet.com/formspring-resets-millions-of-passwords-amid-breach-7000000643/] , this time it was Billabong, ou...

Another week, another breach. This time Yahoo! was the target with 453,491 email addresses and passwords from their Voices service being exposed for all to see [https://www.trustedsec.com/july-2012/yahoo-voice-website-breached-400000-compromised/] . Whilst unfortunate for those involved, these breaches do give us some unique insight into password practices and as is usually the case, it’s not pretty. Back in June last year after one of many Sony breaches I conducted a brief analysis [https://ww...

In the beginning, there was password hashing and all was good. The one-directional nature of the hash meant that once passed through a hashing algorithm the stored password could only be validated by hashing another password (usually provided at logon) and comparing them. Everyone was happy. Then along came those pesky rainbow tables. Suddenly, huge collections of passwords could be hashed and stored in these colourful little tables then compared to existing hashed passwords (often breached fro...

No really, this is my LinkedIn password: y>8Q^<6mqKEA4hac Well it was my LinkedIn password until earlier today when it became apparent that LinkedIn had suffered what could only be described as a massive security breach [http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm?iid=SF_T_Lead] . The disclosure of 6 million passwords used in one of the world’s premier social networking sites is nothing short of astonishing. But what’s also astonishing is that this exercise onc...

There’s a pattern in the following stills from various scammer videos, see if you can spot it. Here’s one run by Comantra I captured back in Feb [http://www.youtube.com/watch?v=kjKjyMKj3n4&feature=player_detailpage#t=2403s]: And here’s another one [http://www.youtube.com/watch?v=nhqxOFH2rmI&feature=player_detailpage#t=713s] from when an unknown scammer called me in late April: Now here’s one from Noah Magram [http://www.youtube.com/watch?v=jb69H7l0vJA&feature=player_detailpage#t=20s] wh...

This content is now available in the Pluralsight course "Secure Account Management Fundamentals" [http://www.pluralsight.com/courses/secure-account-management-fundamentals] Recently I’ve had a couple of opportunities to think again about how a secure password reset function should operate, firstly whilst building this functionality into ASafaWeb [https://asafaweb.com/] and secondly when giving some direction for someone else doing a similar thing. In that second instance, I wanted to point them...

I’ve been writing and speaking about OWASP for long enough now that it was probably about time I contributed to the podcast so when Jim Manico [http://twitter.com/manicode] invited me to talk, it was a no-brainer! I had a good chat with Jim about a range of aspects related to ASP.NET; good stuff in the framework, not such good stuff in the framework, where I’m seeing people go wrong with .NET security and then a bit about some of the things I’m doing in terms of writing the OWASP Top 10 for .NET...

If you live in a western country and have a landline telephone with a listed phone number, chances are you’ve been “cold called” by someone on the other side of the world with an introduction that goes something like this: > “Hello, I am from the Microsoft technical support division and I am calling you because we have detected some problems with your computer. This is very important – I need you to go and turn your computer on right away…” It doesn’t matter if you have a computer, in fact i...