Mastodon

Security

A 415-post collection

Making Light of the "Dark Web" (and Debunking the FUD)

I'll start this post where I start many of my talks - what does a hacker look like? Or perhaps more specifically, what do people think a hacker looks like? It's probably a scary image, one that's a bit mysterious, a shady character lurking in the hidden depths of the internet. People have this image in their mind because that's what they've been conditioned to believe: These are the images that adorn the news pieces we read and we've all seen them before. Hell, we've seen literally the same g...

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

A couple of years back as the US presidential campaign was ramping up, the Trump camp did something stupid. I know, we're all shocked but bear with me because it's an important part of the narrative of this post. One of their developers embedded this code in the campaign's donation website: <script src="https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js" type="text/javascript"></script> See the problem? This tag was in the source code over at secure.donaldjt...

How Long is Long Enough? Minimum Password Lengths by the World's Top Sites

I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won't let you paste a password. Some force you to regularly rotate it. It's all over the place. Last year, I wrote about authentication guidance for the modern era [https://w...

My Blog Now Has a Content Security Policy - Here's How I've Done It

I've long been a proponent of Content Security Policies (CSPs). I've used them to fix mixed content warnings on this blog after Disqus made a little mistake [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/], you'll see one adorning Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers [https://pluralsight.pxf.io/c/1196446/424552/7490?u=https%3A%2F%2Fwww.pluralsight.com%2Fcourses%2Fbrowser...

We're Doing an All New Series on Pluralsight: Creating a Security-centric Culture

Usually when we talk about information security, we're talking about the mechanics of how things work. The attacker broke into a system due to a reused password, there was SQL injection because queries weren't parameterised or the company got ransomware'd because they didn't patch their things. These are all good discussions - essential discussions - but there's a broader and perhaps even more important one that we need to have and that's about the security culture within organisations. This is...

Streamlining Data Breach Disclosures: A Step-by-Step Process

I don't know how many data breaches I'm sitting on that I'm yet to process. 100? 200? It's hard to tell because often I'm sent collections of multiple incidents in a single archive, often there's junk in there and often there's redundancy across those collections. All I really know is that there's hundreds of gigabytes spread across thousands of files. Sometimes - like in the case of the recent South Africa situation - I could be sitting on data for months that's actually very serious in nature...

Is India's Aadhaar System Really "Hack-Proof"? Assessing a Publicly Observable Security Posture

India's Aadhaar implementation [https://en.wikipedia.org/wiki/Aadhaar] is the largest biometric system in the world, holding about 1.2 billion locals' data. It's operating in an era of increasingly large repositories of personal data held by both private companies and governments alike. It's also an era where this sort of information is constantly leaked to unauthorised parties; last year Equifax lost control of 145.5 million records on US consumers [https://en.wikipedia.org/wiki/Equifax#May%E2...

Fixing Data Breaches Part 5: Penalties

In the first 4 parts of "Fixing Data Breaches", I highlighted education [https://www.troyhunt.com/fixing-data-breaches-part-1-education/], data ownership and minimisation [https://www.troyhunt.com/fixing-data-breaches-part-2-data-ownership-minimisation/], the ease of disclosure [https://www.troyhunt.com/fixing-data-breaches-part-3-the-ease-of-disclosure/] and bug bounties [https://www.troyhunt.com/fixing-data-breaches-part-4-bug-bounties/] as ways of addressing the problem. It was inevitable tha...

Fixing Data Breaches Part 4: Bug Bounties

Over the course of this week, I've been writing about "Fixing Data Breaches" which focuses on actionable steps that can be taken to reduce the prevalence and the impact of these incidents. I started out by talking about the value of education [https://www.troyhunt.com/fixing-data-breaches-part-1-education/]; let's do a better job of stopping these incidents from occurring in the first place by avoiding well-known coding and configuration flaws. I went on to data ownership and minimisation [https...

Fixing Data Breaches Part 3: The Ease of Disclosure

This week, I've been writing up my 5-part guide on "Fixing Data Breaches". On Monday I talked about the value of education [https://www.troyhunt.com/fixing-data-breaches-part-1-education/]; let's try and stop the breach from happening in the first place. Then yesterday it was all about reducing the impact of a breach [https://www.troyhunt.com/fixing-data-breaches-part-2-data-ownership-minimisation/], namely by collecting a lot less data in the first place then recognising that it belongs to the...