This is your bank, please verify your details – No, you verify YOUR details!

The phone rings from a concealed number and you pick up: Hello? Silence. More silence. Eventually a foreign voice enters: Hi, this is your bank, we need you to verify some details. This is the point where you should be disclosing absolutely nothing, at least nothing that is not known already which is probably just your phone number and perhaps your name if they’ve greeted you with it. No, I’m not revealing my address or my account numbers or my password because frankly, I don’t trust you....

Ransom is the new black – the increasing trend of online extortion

I heard about this guy, walked into a federal bank with a portable phone, handed the phone to the teller, the guy on the other end of the phone said: “We got this guy’s little girl, and if you don’t give him all your money, we’re gonna kill ‘er.” Did it work? F**kin’ A it worked, that’s what I’m talkin’ about! Knucklehead walks in a bank with a telephone, not a pistol, not a shotgun, but a f**kin’ phone, cleans the place out, and they don’t lift a f**kin’ finger. Did they hurt the little g...

“Have I been pwned?” – now with RSS!

As feature releases go, this is not exactly a killer, but to my surprise it was one that was requested quite frequently. It turns out that people really wanted to be able to keep abreast of new breaches and pastes in Have I been pwned? [https://haveibeenpwned.com/] (HIBP) via RSS. Not only is that a perfectly reasonable request, but it was also an easy one to get on top of so here it is! There are two RSS feeds both linked in from various places on the site including in the navigation. For your...

Does an insecure website compromise the security of a payment system in an iframe?

Here’s a conundrum for you: would you trust this page with your credit card? It has HTTPS and it has a GoDaddy logo with a padlock (if the significance of this is lost on you, my thoughts on both GoDaddy [https://www.troyhunt.com/2014/06/moving-from-godaddy-to-dnsimple.html] and padlock icons [https://www.troyhunt.com/2011/07/padlock-icon-must-die.html] are well documented), so from a casual glance, it’s ok, right? But what if the SSL implementation looked like this [https://www.ssllabs.com/s...

Success by a thousand cuts: Visual Studio 2013 Update 4 and SQL Azure

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

It seems like every time I turn around there’s something I haven’t seen in Azure. If I’m honest, it leaves me in a perpetual state of “Oh man, there is so much stuff I don’t know”. I suspect that resonates with many readers of this blog because there’s just so much stuff to keep on...

Hacking your API first at TechEd Australia 2014

I’ve been doing a lot of talking about API security recently because frankly, there’s a lot to talk about. Those little web services that sit behind the rich client apps on our devices and increasingly behind our Internet of Things have a nasty habit of having some really serious vulnerabilities in them. I’m talking about everything from leaking data to allowing unauthorised users to perform actions they shouldn’t be allowed to all the way through to entirely useless SSL implementations because...

10 email security fundamentals for everyday people

A couple of weeks back, this bloke hit the news [http://www.smh.com.au/nsw/barry-spurr-emails-investigated-by-university-of-sydney-20141016-1179kj.html] when his private emails were leaked and disclosed that he was fond of, shall we say, a very “colonial” vernacular when it comes to talking about our indigenous people: That he is (was?) a professor at a university would normally suggest that he’s a pretty switched on guy, but the evidence is clearly to the contrary. Speaking of people we’d...

Get Cloak. Go Dark. VPN’ing out from the Great Firewall of China

Let’s go through just some of the ways you can hand your valuable datas over to people that want to get somewhere in between you and whatever service it is you want to talk to at the other end. You can get pineappled [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html] and certainly that’s been a favourite of mine to demonstrate because it’s just so damn easy (it’s also kinda cool, if I’m honest). The router you connect through can be pwned and its DNS changed to hel...

.NET Rocks Podcast: The Security of IoT

You know how you always wanted a fork with an ARM processor that could upload data wirelessly over the internet? C’mon, you know you want it and now you can get a HAPIfork [http://www.hapi.com/product/hapifork]. Or how about your light globes? Yes, LIFX totally rocks [http://au.lifx.co/] but no, I wasn’t so keen on the idea once I learned your neighbours could pwn your wifi through them [http://www.smh.com.au/digital-life/consumer-security/security-vulnerability-found-in-lifx-smart-light-bulbs-...

Disabling SSL 3 in Azure websites (and why it doesn’t look like you have)

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]

Just a quick one as it’s mostly explained in How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines [http://azure.microsoft.com/blog/2014/10/19/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/], but there are a few bits worth adding. Oh – just in...