I see literally millions of compromised records from online systems every week courtesy of maintaining Have I been pwned? [https://haveibeenpwned.com/] (HIBP), in fact I’ve seen well over 200M of them since starting the service just under two years ago. I’ve gotten used to seeing both seriously sensitive personal data (the Adult Friend Finder breach [http://fortune.com/2015/05/22/adultfriendfinder-hackers/] is a good example of that) as well as “copycat” breaches (the same data dumped under diff...

I regularly share files with people that I want them to grab over HTTP from a location without any auth or other hurdles. They’re not sensitive files, they’re things like exercises I might be running in workshops which I want people to download from a common location. I normally put them in Dropbox, “Share Dropbox Link” then shorten it with my custom troy.hn short URL so they can read it from the screen in a meeting room and point them there. In fact this is exactly what I did last week – just a...

The web is going HTTPS only. In theory. The idea is that unless we encrypt all the transport things, we can have no confidence in the confidentiality, integrity or authenticity of the traffic and services we’re talking to. There’s growing awareness of how essential secure transport comms are (thank you NSA for your part in helping us come to this realisation), and indeed we’re being continually pushed in this direction. For example, last year Google said they’d start using the presence of HTTPS...

As I’ve now widely publicised, I left Pfizer a few months back [https://www.troyhunt.com/2015/04/today-marks-two-important-milestones.html] after 14 years with the firm. You build up a lot of dependencies over 14 years, a lot of access to systems and a lot of people who count on you. As I was preparing to exit, I made a bunch of notes in a draft blog post because firstly, as I recently wrote in How I optimised my life to make my job redundant [https://www.troyhunt.com/2015/07/how-i-optimised-my-...

That’s right folks, I’m finally getting over to London! I’ve made so many awesome connections there over the years (hi Tesco [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html]!) and despite getting around quite a bit of late, I haven’t had the opportunity to actually spend time in the UK. All that changes in Jan and it’s thanks to the awesome guys at NDC [http://www.ndc-london.com/]! [http://www.ndc-london.com/] I actually spent a year living in London over the turn of t...

A couple of months ago I wrote about how fellow author Dale Meredith and myself are building out an ethical hacking series on Pluralsight [https://www.troyhunt.com/2015/05/its-ethical-hacking-with-sql-injection_21.html] and in that post I launched the first course I had written for the series on SQL injection. You can read about the ethical hacking series in that blog post and what my approach to covering the CEH syllabus has been (hint: I have my own take on it), but what I will again point out...

This morning I was reading a piece on the Ashley Madison hack [http://www.inquisitr.com/2281408/ashley-madison-hack-customer-service-impact-team-complaints-was-he-on-ashley-madison-site-down-as-users-turn-to-private-investigators/] which helped cement a few things in my mind. The first thing is that if this data ends up being made public (and it’s still an “if”) then it will rapidly be shared far and wide. Of course this happens with many major data breaches, but the emergence already of domain...

I’m very happy to be heading back to the US in a couple of months, this time to keynote at OWASP’s AppSecUSA in San Fransisco [https://2015.appsecusa.org/]. I had a great time in Amsterdam only a couple of months ago keynoting at AppSecEU as well [https://www.troyhunt.com/2015/02/app-sec-in-europe.html] and the whole event was just a heap of fun. It was a really good mix of security pros and developers, each bringing their own strengths to the show and making for some really interesting talks...

If I’m honest, the success of Have I been pwned? (HIBP) [https://haveibeenpwned.com] took me by surprise. It started out as an intriguing exercise to look at how the same accounts were being compromised across multiple data breaches and morphed into something well beyond that in pretty short order. The unexpected success of the service made for some really intriguing technology challenges and provided me with an excellent opportunity to push Microsoft’s Azure to the limits, not just in terms of...

I always find data breaches like today’s Ashley Madison one [http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/] curious in terms of how people react. But this one is particularly curious because of the promise of “discreet” encounters: Of course when the modus operandi of the site is to facilitate extramarital affairs then “discreet” is somewhat of a virtue… if they actually were discreet about their customers’ identities! This all made me think back to the Adult...