Security

A 408-post collection

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet [https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/] and then secondly, about how we all bear some responsibility for making good password choices [https://www.troyhunt.com/when-accounts-are-hacked-victims-must-share-the-blame/]. A few people took some of the points I made in those posts as being contentious, although on reflection I sus...

When Accounts are "Hacked" Due to Poor Passwords, Victims Must Share the Blame

It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed. The first one was about HSBC disclosing a "security incident" [https://www.zdnet.com/article/hsbc-discloses-security-incident/] which, upon closer inspection, boiled down to this: > The security incident that HSBC described in its letter seems to fit the characteristics of brute-fo...

Here's Why [Insert Thing Here] Is Not a Password Killer

These days, I get a lot of messages from people on security-related things. Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. But on a fairly regular basis, I get an email from someone which effectively boils down to this: > Hey, have you seen [insert thing here]? It's totally going to kill passwords! No, it's not and to save myself from repeating the same mess...

New Pluralsight Course: Adapting to the New Normal: Embracing a Security Culture of Continual Change

I take more pleasure than I probably should in watching the bewilderment within organisations as the technology landscape rapidly changes and rushes ahead of them. Perhaps "pleasure" isn't the right word, is it more "amusement"? Or even "curiosity"? Whichever it is, I find myself rhetorically asking "so you just expected everything to stay the same forever, did you?" A case in point: you should look for the green padlock on a website so that you know it's safe. Except that you can't say that an...

Extended Validation Certificates are Dead

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it'll also be gone in Mac OS Mojave w...

The 42M Record kayo.moe Credential Stuffing Data

This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned [https://haveibeenpwned.com] (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe [https://kayo.moe/] is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which a...

The Effectiveness of Publicly Shaming Bad Security

Here's how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation and express their outrage at the stated position. Where it gets interesting (and this is the whole point of the post) is when another group of folks pop up and accuse the outraged group of doing a bit o...

New Pluralsight Course: Modern Browser Security Reports

Rounding out a recent spate of new Pluralsight courses is one final one: Modern Browser Security Reports [https://pluralsight.pxf.io/c/1196446/424552/7490?u=https%3A%2F%2Fapp.pluralsight.com%2Flibrary%2Fcourses%2Fmodern-browser-security-reports]. This time, it's with Scott Helme [https://scotthelme.co.uk/] who, for most of my followers, needs no introduction. You may remember Scott from such previous projects as securityheaders.io [https://securityheaders.com/], Report URI [https://report-uri.co...

New Pluralsight Course: Defending Against JavaScript Keylogger Attacks on Payment Card Information

Only a few weeks ago, I wrote about a new GDPR course with John Elliott [https://www.troyhunt.com/new-pluralsight-course-the-state-of-gdpr-common-questions-and-misperceptions/]. We've been getting fantastic feedback on that course and I love the way John has been able to explain GDPR in a way that's actually practical and makes sense! In my experience, that's a bit of a rare talent in GDPR land... When we recorded that course in London a couple of months back, we also recorded another one on D...

New Pluralsight Course: Bug Bounties for Researchers

Earlier this year, I spent some time in San Fran with friend and Bugcrowd [https://www.bugcrowd.com/] founder Casey Ellis [https://twitter.com/caseyjohnellis] where we recorded a Pluralsight "Play by Play" titled Bug Bounties for Companies [https://www.troyhunt.com/new-pluralsight-course-bug-bounties-for-companies/]. I wrote about that in the aforementioned post which went out in May and I mentioned back then that we'd also created a second course targeted directly at researchers. We had to pull...