Security

A 414-post collection

“Type www.” – “Ok, w-w-w-d-o-t”; antagonising call centre scammers

This ain’t my first rodeo, this ain’t the first I’ve seen this dog and pony show. I first wrote about virus call centre scammers back in October along with my recording titled Anatomy of a virus call centre scam [https://www.troyhunt.com/2011/10/anatomy-of-virus-call-centre-scam.html]. I followed up a couple of months ago with Scamming the scammers – catching the virus call-centre scammers red-handed [https://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html] which screen recor...

Technology and Friends: Troy Hunt on ASP.NET Security

It already seems like a lifetime ago, but it was only last month that I was over in Seattle at the 2012 MVP Summit. While I was there, I had a short chat on video with Dave Giard [https://twitter.com/#!/DavidGiard] for his Technology and Friends blog. We predominantly spoke about ASP.NET security and in particular, cryptographic storage of credentials and transport layer security so it’s a little more focussed than many of my talks. The original post is over on Dave’s blog under Episode 207: Tr...

5 interesting security trends from Verizon’s 2012 data breach report

A few weeks back there was a great document released by Verizon (yep, the big American telco) titled Verizon 2012 Data Breach Investigations Report [http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf]. This weekend at the OWASP Appsec Asia Pacifica Conference [https://www.owasp.org/index.php/AppSecAsiaPac2012], I sat in on a talk from Mark Goudie from Verizon [https://www.owasp.org/images/6/65/Mark_goudie.pdf] who helped put the whole report in...

A graphic demonstration of information leakage through security misconfiguration

A couple of days back I wrote about how 67% of ASP.NET websites have serious configuration related security vulnerabilities [https://www.troyhunt.com/2012/04/67-of-aspnet-websites-have-serious.html]. In the post, I drew on figures collected by ASafaWeb [https://asafaweb.com] and observed that small misconfigurations in config files could very easily disclose information that could be leveraged to exploit the application. Quite a bit of discussion ensued through the comments, via Twitter and on...

67% of ASP.NET websites have serious configuration related security vulnerabilities

Actually, it’s even worse than that – it’s really 67.37% – but let’s not split hairs over that right now. The point is that it’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb [http://asafaweb.com], the Automated Security Analyser for ASP.NET Websites which is a free online scanner at asafaweb.com [http://asafaweb.com]. When I built ASafaWeb, I designed it from the ground up to anonymously log scan results. The anon...

SSW TV: Protecting your web apps from the tyranny of evil with OWASP

There’s an excellent home-grown Aussie free learning resource which I suspect is a bit new to a lot of developers: SSW TV [http://tv.ssw.com/]. SSW is a local Sydney development shop headed up by Adam Cogan [http://www.adamcogan.com/], a Microsoft Regional Director and ALM MVP. I offered to talk a little about web app security to their user group a couple of months back and we recorded Protecting your Web Apps from the Tyranny of Evil with OWASP [http://tv.ssw.com/1492/pr...

Talking security for SMBs on the CIAOPS podcast

Last week I had the pleasure of catching up with fellow Aussie MVP Robert Crane [https://mvp.support.microsoft.com/profile=55EEF824-B195-49EC-A6EF-80D864CCC840] and recording an episode for his CIAOPS [http://ciaops.podbean.com] (the Computer Information Agency) “Need to Know” podcast. The podcast caters to those working in SMBs (small to medium businesses) and Robert and I have a good chat about a whole range of security considerations these folks should try to keep in mind. You can find the...

Shhh… don’t let your response headers talk too loudly

When it comes to our personal security, we’ve all grown a bit accustomed to keeping things on the down-low [http://en.wikipedia.org/wiki/Down-low]. For example, we cover the keypad on the ATM when entering our PIN and we shred our sensitive documents rather than throwing them straight in the trash. We do this not because any one single piece of information is going to bring us undone, but rather we try not to broadcast anything which may be used to take advantage of us. That PIN could be used...

Scamming the scammers – catching the virus call centre scammers red-handed

A few months back I got a call one evening which was clearly a virus call centre scam; you know, the ones that call you out of the blue, tell you your PC is infected with all sorts of nasties and offer to fix it for you? Or maybe you don’t know, which of course is why these scams have been going on for quite some time and are still very active today. Fortunately I did know about such things so rather than summarily dismissing them with a level of disdain I normally reserve only for telemarketer...

Security, Security, Security! Helping the LIDNUG community build safer software

Today I had the pleasure of spending about an hour and a half talking to Peter Shaw [http://shawtyds.wordpress.com/] from LIDNUG [http://lidnug.org] about security, security and, uh, security! If the LinkedIn .NET User Group is a little bit new to you, it’s the top LinkedIn group dedicated to .NET with a staggering 47,387 members at the time of writing. This is a casual chat rather than a full on interview and covers a bunch of the usual stuff I talk about such as the OWASP Top 10. Hope you e...