Remember Shellshock? How could anyone forget! This thing has totally dominated the news – not just the tech news either – and like Heartbleed before it (inevitably the yardstick we compare it to), the hype has been, well, somewhat overinflated. I get it – it is a big thing – but the press has a way of sensationalising things in a pretty unique way. Case in point: I wrote Everything you need to know about the Shellshock Bash bug [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about...

Here’s a scary stat for you: last year was the most hacked year ever. According to Risk Based Security [https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf], we saw 823M records exposed via data breaches: Nasty stuff right? Yeah, but it gets worse. As of mid 2014, we’re already looking at 502 million records exposed [http://datalossdb.org/incident_highlights/66-hacking-exposed-78-of-all-records-compromised-in-first-half-of-2014] . Bugger. These breaches keep on coming and w...

It’s six days since I wrote about Shellshock [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html] and the response has been massive. There’s clearly a lot of interest in this bug and indeed there have been some pretty dire warnings about the impending “Bashpocalypse” which ultimately, hasn’t really happened. I’m sure it’s made life tricky for some sysadmins and I’m also sure there have been many servers that have suffered from what by all objective measures, remains a pretty...

Did I mention that we have some terrible security flaws with our APIs behind rich client apps? Pretty sure I did’; oh and I did just write a Pluralsight course that shot to the top of the charts [http://pluralsight.com/training/Courses/TableOfContents/hack-your-api-first] so yeah, there’s that! There are a few reasons why vulnerabilities in APIs are the new black: 1. They’re that much less obvious than vulnerabilities in browser-based apps; you don’t see the URL, you don’t get browser war...

This content is now available in the Pluralsight course "Understanding the Shellshock Bash Bug" [http://www.pluralsight.com/courses/shellshock-bash-bug]Remember Heartbleed [https://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html]? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]This is not what you want to see on your Azure website: Ok, so what are we looking at here? CPU goes up and up and up and then… dramatically down. There are even some additional coloured lines in the middle of that graph indicating that there were more instances put on just to d...

No, I didn’t camp out the front of the Apple store with my sleeping bag and frankly, I think those that did perhaps have what we refer to down here as “a couple of kangaroos loose in the top paddock”. Queues stretching hundreds of metres and adults in tears [http://www.smh.com.au/digital-life/mobiles/student-in-tears-after-being-kicked-out-of-iphone-6-queue-20140919-10j7uq.html] aren’t really my things (incidentally, crying over queue position is not something you do once you have your grown up...

I’ve got 174,451,409 breached accounts in Have I been pwned? [https://haveibeenpwned.com/] (HIBP) as of today which probably sounds like a lot, but it’s not. Why is it not a lot? Because whilst that list spans a lot of the big breaches I could get my hands on, as of the middle of this year (now a couple of months ago already), there were over half a billion accounts breached in just six months [https://www.riskbasedsecurity.com/2014/08/hacking-exposed-78-of-all-records-compromised-in-first-half-...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]This is the traffic pattern that cloud pundits the world over sell the value proposition of elastic scale on: This is Have I been pwned? [https://haveibeenpwned.com] (HIBP) going from a fairly constant ~100 sessions an hour to… 12,000 an hour. Almost immediately. This is what h...

You may not know this, but an HTTP 403 response when browsing to an empty directory is a serious security risk. What the?! You mean if I go to my website which has a “scripts” folder where I put all my JavaScript and I have directory browsing disabled (as I rightly should) and the server returns a 403 “Forbidden” (which it rightly should), I’m putting my internet things at risks of being pwned?! Yes, because it discloses the presence of a folder called “scripts” which is a common directory. W...