Speaking

A 61-post collection

Hacking your API first at TechEd Australia 2014

I’ve been doing a lot of talking about API security recently because frankly, there’s a lot to talk about. Those little web services that sit behind the rich client apps on our devices and increasingly behind our Internet of Things have a nasty habit of having some really serious vulnerabilities in them. I’m talking about everything from leaking data to allowing unauthorised users to perform actions they shouldn’t be allowed to all the way through to entirely useless SSL implementations because certificate validation has been disabled. Pretty much every time I set out to look at the APIs being called by my devices, I find nasty stuff. Even just yesterday I was...

10 email security fundamentals for everyday people

A couple of weeks back, this bloke hit the news when his private emails were leaked and disclosed that he was fond of, shall we say, a very “colonial” vernacular when it comes to talking about our indigenous people: That he is (was?) a professor at a university would normally suggest that he’s a pretty switched on guy, but the evidence is clearly to the contrary. Speaking of people we’d normally assume to have above average intelligence, you’d probably not expect a Senator to offer a foreign athlete a handful of taxpayer funds to travel over here and then suggest that he be “compensated for the long haul, sexually of course...

.NET Rocks Podcast: The Security of IoT

You know how you always wanted a fork with an ARM processor that could upload data wirelessly over the internet? C’mon, you know you want it and now you can get a HAPIfork. Or how about your light globes? Yes, LIFX totally rocks but no, I wasn’t so keen on the idea once I learned your neighbours could pwn your wifi through them. This brave new “Internet of Things” world is equal parts awesome and scary and there seems to be no limit to the extent we’ll go to connect our things. We connect these things to the internet via APIs and of course at the end of the day, an API...

Gone Mobile Podcast: Securing Mobile Apps

I’ve learned some rather intriguing things about what our mobile apps are doing while we’re not looking in the six days since I launched the challenge to find crazy stuff in mobile app communications. For example, there’s the social app that allows you to accept friend requests on behalf of someone else if you call the API in the right way. Sequential user IDs and no rate limiting help that one along nicely. Then there’s the word game that sends you all the possible solutions via the API whilst you’re playing. That’s rather handy and it only takes a little bit of device proxying and wammo! There’...

Podcast: The Security Influencer's Channel

Here’s a scary stat for you: last year was the most hacked year ever. According to Risk Based Security, we saw 823M records exposed via data breaches: Nasty stuff right? Yeah, but it gets worse. As of mid 2014, we’re already looking at 502 million records exposed. Bugger. These breaches keep on coming and worryingly, they’re getting bigger than ever. I recently caught up with Jeff Williams of Contrast Security for a podcast chat and we delved into some of the crazy stuff that has been happening in the industry of late. We touched on breaches, mobile security, internet of things and a whole bunch of stuff you can listen to now on the...

TestTalks Podcast: Hack Your API-Security Testing

Did I mention that we have some terrible security flaws with our APIs behind rich client apps? Pretty sure I did; oh and I did just write a Pluralsight course that shot to the top of the charts so yeah, there’s that! There are a few reasons why vulnerabilities in APIs are the new black: They’re that much less obvious than vulnerabilities in browser-based apps; you don’t see the URL, you don’t get browser warnings and it’s harder for a casual observer to probe away at them (but only just…). Mobile apps are proliferating at a crazy rate. Well in excess of one million each in Apple and...

Security Insanity with RunAs Radio

I know I’ve shared this a number of times now, but no matter how much I see it, it still cracks me up: Make sense? Of course it doesn’t and therein lies the insanity of it all! But let us not single out Tesco alone, there are plenty of British companies that construct responses like this (sorry English people, I don’t know why, they just seem to feature disproportionately to the rest of the world). In fact earlier this week I wrote about the new Twitter account I’d set up called @InfoSecInsanity which is sharing heaps of this kind of nuttiness, not just the stuff from the UK! I was inspired in...

Hello World, this is Troy

How did you get started in this industry? I mean what made you go “Hey, sitting at a keyboard day in day out whilst focussed on screens and not seeing much sunlight sounds awesom…” – wait, it doesn’t sound quite so awesome when you think of it like that. In fact that was my original view of computers in general but as I told Shawn Wildermuth on his latest Hello World podcast, that view of the world soon changed. The change of heart was more than helped along by making some rather obscene amounts of money writing code while very young, then consequently watching it all disappear (and then some) as the dodgy “horseracing...

Too much soft cheese may directly impact your health insurance premiums

We’ve become accustomed to the whole idea of us being electronically tracked based on our various personal habits. In fact just the other day I was asking online about Bose headphones, did a couple of searches then next thing I knew, my own blog was plugging them to me: But again, we’ve got a bit of a sense of tracking cookies now and that the same ad networks operate across seemingly independent websites therefore providing the ability to track and target information. Ratchet up the tracking feature a notch and before you know it, rubbish bins are monitoring your movements by watching for the signals your phone sends when looking for wifi connections: Still not creepy...

DDD Melbourne, hackers and gentlemen's parts

A couple of Saturdays back I spent a day down in Melbourne at DDD doing the usual combination of showing people some of the ridiculous stuff we’re doing on the net in relation to privacy, how we as developers are building some woefully insecure apps and generally making everyone depressed about the state of the web. I do mean that in a constructive way though and indeed that’s the entire premise behind the Hack Yourself First courses I’ve been writing; see what it is we’re doing wrong, understand how it’s exploited – I mean actually exploit it yourself – then learn the secure patterns. I did a workshop in the morning...