It’s the Low Orbit Ion Cannon and yes, you can be arrested and sentenced to a prison term for using it to mount a distributed denial of service attack on a website. But let’s not get ahead of ourselves, there are a few things to understand first. LOIC has shot to fame in recent years as the tool of choice for what we colloquially refer to as hacktivists [http://en.wikipedia.org/wiki/Hacktivist], or in other words, folks with an axe to grind – usually for political purposes – who use the web to...

A few months back I had another chat to Today Tonight, a national prime time current affairs program I’ve previously appeared on in relation to call centre scammers taking over unsuspecting victim’s PCs [https://www.troyhunt.com/2012/08/virus-scams-social-engineering-victims.html]. This time it was about the security of internet banking which gave me a chance to collate some good practices, many of which didn’t go to air but I kept hold of with the intention of sharing in the context of the vide...

Do you remember what you were doing in October, 2001? You weren’t watching videos on YouTube, updating your Facebook status or even using the term “social media”. It was still the days of web 1.0 and REST was something you did when you were tired. If you had a puppy, it’s probably no longer with us. This was a cutting edge device: Websites were “Best viewed in Internet Explorer 5” and looked like this: That 800x600 image was the typical resolution too, it was the most your common 15” CRT...

I write a lot about website security. Sometimes I’ll publicly point out flaws in software but there are many, many other times where it remains a private conversation for various reasons. The one common thread across most of these incidents is that as developers, we often make bad security design decisions. It’s us – the organic matter in the software development process – that despite the best of intentions make bad choices that introduce serious risks. My belief – and one of the key reasons I...

It was a few months back now, but last year I spent a little time with fellow MVP Denny Cherry [http://twitter.com/mrdenny/] on his podcast People Talking Tech [http://peopletalkingtech.com]. We had a great talk about security in general with a lot of focus on SQL Injection in particular. It’s a nice light-hearted 24 minute chat that I enjoyed doing and I hope you enjoy listening to. You can listen online or download from People Talking Tech, Episode 18 – Troy Hunt [http://peopletalkingtech.com...

Last week something a bit unusual happened; Java was found to have a serious vulnerability. Ok, stop laughing, Java has obviously had many serious vulnerabilities over many years, what’s different this time though is that the US government’s Computer Emergency Response Team (CERT) took the unprecedented step of telling folks to stop using it altogether. Here’s the word from Homeland Security [http://www.ibtimes.com/department-homeland-security-advises-computer-users-disable-java-1010998] : >...

I was at the Web Directions South conference [http://south12.webdirections.org/] the other day and you know what really struck me? There is a lot of very cool, very connected stuff either here now or coming very soon. Hackable stuff! So there’s this term going around which is The Internet of Things [http://en.wikipedia.org/wiki/Internet_of_Things] (it has its own Wikipedia page so it must be real), or in human speak, stuff that’s connected to the web. Unusual stuff like domestic appliances and...

So someone sends you a link to the latest Gangnam parody / cat meme / man jumping on frozen pool video and the link looks something like this: http://bit.ly/10PMelv Nothing unusual about this, every second link shared these days uses a bit.ly or t.co (or comparable) URL shortener. Because you have an insatiable desire to participate in the latest social phenomenon, you click through and see this: There’s also nothing unusual about Facebook asking you for credentials, let’s log in. Aw c’mon,...

It happened again – someone tweeted me about a negative security experience and I just had to take a look: [https://twitter.com/andrew_barratt/status/285343903874428928] C’mon, really? This can’t be for real. But a little more investigating and here we are: [https://twitter.com/EE/status/285305896358256640] This is bad (for reasons I’ll discuss shortly), but it’s far from isolated: [https://twitter.com/EE/status/285045909287497730] EE is over in the UK and they’re “the new network for y...

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]Everybody knows the easiest way to save yourself from SQL injection is to use object relational mappers (ORMs such as Entity Framework) or stored procedures, right? Often I see this becoming a mantra: “You don’t need to worry about SQLi if you’re using [Entity Framework | stored procedures]”. I also see the mantra blindly repeated and it’s wro...