Mastodon

Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the...

Weekly update 13

This week begins with the biggest of big breaches - the one that finally broke the big "B" - Yahoo (version 2). It's a massive story and I spent a lot of time yesterday answering media queries about hacker things related to data breaches. I talk about that at the start of this weekly update as well pursuing a career in security, providing an internet basics course for free via Varonis and how my blog on Ubiquiti network bits is still getting massive traction. iTunes podcast [https://itunes.appl...

Get to grips with internet security basics, courtesy of Varonis

Most readers here understand security fundamentals. They know what makes a strong password, what the padlock in the address bar above means, why software updates are important, the value of locking their mobile devices and some of dangers we face with the internet of things. But equally, most of our friends, relatives and significant others don't. We know this because we're continually doing tech support for them and we experience the horrors of their security profiles first hand! Recently, Var...

Careers in security, ethical hacking and advice on where to get started

Many people will disagree with this post, not so much because it's flat out wrong but because there are so many different approaches one can take. It's a very subjective realm but I'm going to put forward some suggestions, make some considered arguments and leave it at that. The context is twofold as suggested by the title: Firstly, I get a lot of people asking me about how to get a start in the security industry. I've regularly reverted with "stay tuned, I'm writing something" and this blog po...

Weekly update 12

This was a pretty jam-packed week which kicked off with the crazy, crazy Indian pathology data leak. You'll sense my frustration with the whole thing and frankly, I still can't quite get over it. Be that as it may, stuff like this provides us with endless material that speaks to how badly wrong it can all go with any data that gets digitised. There's that and a bunch of HIBP bits in relation to the AMA I did earlier this week and the 1.4 billion records I made available for analysis. All that an...

How Chrome's buggy content security policy implementation cost me money

Content security policies [https://www.troyhunt.com/understanding-csp-the-video-tutorial-edition/] (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/] yet a curse because they can also do screwy things like break your site [https://www.troyhunt.com/how-to-break-your-site-with-content/]. Now in fairness, the breaking bit linked to t...

Here's 1.4 billion records from Have I been pwned for you to analyse

I get a lot of requests from people for data from Have I been pwned [https://haveibeenpwned.com/] (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been "no", I'm not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you [https://www.t...

43,203 Indian patient pathology reports were left publicly exposed by Health Solutions

I'm used to seeing large amounts of personal data left inadvertently exposed to the web. Recently, the Red Cross Blood Service down here left a huge amount of data exposed [https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/] (well, at least the company doing their tech things did). Shortly afterwards, the global recruitment company Michael Page also lost a heap [https://www.troyhunt.com/the-capgemini-leak-of-michael-page-data-via-publicly-facing-...

Weekly update 11

A bit of a quieter week this time blog wise, but a very busy week in terms of HIBP traffic. It went pretty nuts on Tuesday with a spike the scale I'd never seen before which made things, well, "interesting". I also put the word out about an "ask me anything" live stream event I'm going to do early next week which should be a lot of fun. Oh - and the Indian pathology results exposed to the world - that's unfolding as I write this but the position from the lab exposing things like patient HIV resu...

Brief lessons on handling huge traffic spikes

Earlier today, Have I been pwned [https://haveibeenpwned.com/] (HIBP) appeared on a British TV show called The Martin Lewis Money Show [http://www.moneysavingexpert.com/]. A producer had contacted me about this last week: > I Just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov, 8pm, ITV) saying it's a good way to check if your data has been compromised. I thought it best to let you know in case you need to put extra resour...