Some days, it just feels like the world is working against you or in the case of today, like it's all just going to metaphorical security hell. As much as we like to keep pushing the needle further around the "strong security dial" with things like security headers, strong HTTPS implementations and robust hashing algorithms, every now and then we need to take a moment to remember just how low the bar still remains and that frequently, we can't even get the basics right. Here's a bunch of exampl...

I've been using Evernote for about 6 years now. Nothing heavy duty, just basic notes that I collect around things like conference talk ideas, code snippets some recipes I often make and other rather mundane things. Anything sensitive goes into 1Password, this is just everyday notes about things I want easy access to across devices. For me, "devices" means my iPhone, iPad, desktop PC and a couple of laptops. The ability to simply fire up a device and have access to everything is important to me b...

I just had an absolutely sensational trip over to Europe which kicked off with my favourite event of the year - NDC Oslo [http://ndcoslo.com/]. I first came to this event two years ago and talked about How I Hacked my Way to Norway [https://www.troyhunt.com/ndc-2014-vikings-passwords-and/] which was the first big international talk I'd done. Per the link to that blog post, the talk went sensationally well, topping the charts for the event with 100% positive feedback (there's a green / yellow /...

It's been a crazy time for data breaches and as I wrote yesterday, we've seen a very distinct pattern of historical mega breaches lately [https://www.troyhunt.com/the-emergence-of-historical-mega-breaches/]. Fling in 2011, LinkedIn in 2012, tumblr in 2013 and the mother of them all, MySpace in, well, we don't quite know. There's been no information forthcoming from anyone about when this breach actually occurred and there's no explicit indicators in the data dump either (sometimes there are time...

Over the period of this month, we've seen an interesting trend of data breaches. Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing. For example, just yesterday I loaded the Fling database (you probably don't want to go to fling dot com until you're in a private setting). That was over 40 million records and the breach dates back to 2011 [http://motherboard.vice.com/read/another-day-another-hack-passwords-an...

Last week there was no escaping news of the latest data breach. The LinkedIn hack of 2012 which we thought had "only" exposed 6.5M password hashes (not even the associated email addresses so in practice, useless data), was now being sold on the dark web [https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password] . It was allegedly 167 million accounts and for a mere 5 bitcoins (about US$2.2k) you could jump over to the Tor-based trading site, pay your Bi...

Last week we got news of the Rosebutt data breach [http://motherboard.vice.com/read/rosebuttboard-ip-board]. This is a very particular class of site and like many others we've recently seen compromised, it's highly likely that members would have preferred to keep their identities secret. It doesn't matter if you don't agree with the lifestyle choice of those on the site and certainly I myself am not one to look around the house at everyday items and think "I wonder if that could...". That's enti...

A couple of months ago I did a video titled Understanding CSRF, the video tutorial edition [https://www.troyhunt.com/understanding-csrf-video-tutorial/] which was a pretty raw run through of the mechanics and defences of cross site request forgery. It's content I often show in my workshops [https://www.troyhunt.com/workshops/] and I recorded the video pretty much as I present it in those sessions. Today I thought I'd do one on content security policies or as we otherwise know it, CSP. This is...

Round 2 of European travel for me this year has just wrapped up with talks in Brussels for Techorama (which incidentally, was sensational!) followed by a private event for a multinational information services company in Barcelona doing my usual Hack Yourself First workshop [https://www.troyhunt.com/workshops/]. But it's time for the next one already so it's back to Europe again and then after catching my breath at home for a couple of week, time for some US travel for the first time this year. L...

This was pretty big news 18 months ago: It was what greeted Sony Pictures employees [https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack] when they turned up to the office and switched on their machines. Machines infected with malware was one thing - a very bad thing at that - but it got much, much worse for Sony. In all, we saw about 40GB of company data walk out the proverbial door and it included everything from employee credentials to unreleased films to somewhere in the order...