I’ve got a heap of resources I constantly come back to in talks, workshops and just during the course of my everyday work. Frankly, I have trouble remembering them all myself plus I reckon they’re kinda useful for other people too so I thought I’d drop them all into a post here. If you’ve got good stuff I’ve missed (and you almost certainly will), drop it into the comments below as I’d love to add to my own set of resources plus that way it gets shared with everyone. Enjoy! SSL / TLS / HTTPS 1...

Now I swear this is entirely coincidental, but only this month I wrote a very tongue-in-cheek piece titled Good news – your credit card is fine and only your irreplaceable things were hacked! [https://www.troyhunt.com/2015/09/good-news-your-credit-card-is-fine-and.html] The basic premise of this piece was that when you see a company proudly asserting that your credit card is fine even though they’ve just been pwned six ways from Sunday (hi Ashley Madison!), that assurance is of little consequenc...

I’ve had a rough time of it lately – the internet has been down. I know, it’s been disturbing to say the least and I actually can’t remember the last time the connection coming into my home was totally out. In some ways, the problem is not as bad as it was some years ago due to my wife and I having fast other devices that can connect direct to 4G yet in other ways, it’s worse due to the number of things connected – usually connected – to the internet. The hardest bit of all this though was deal...

Hey, I really hate to tell you this, but we were hacked and your account containing a bunch of really sensitive personal data was exposed. I know, it’s enormously inconvenient but I have good news for you – your credit card is fine! Now yes, banks do have very good fraud protection these days and they would almost certainly have reversed any illegitimate charges, but isn’t this great news! Oh yeah – they’ll also issue you a new card too and don’t worry, that won’t cost you a cent. Yes, you’ll n...

I’ve been doing this fantastic demo about browser security headers in a lot of my recent talks and workshops. It’s always a lot of fun and it’s very interactive – you can try this out for yourself right now – and it works like this: So cross site scripting (XSS) is still a big thing. Yes it’s been around for ages and yes we should be on top of it by now, but here we are. Anyway, I was at the AppSecEU conference in the Netherlands a few months ago and a local guy called Breno de Winter did a fan...

I’ve always written very publicly about how Have I been pwned [https://haveibeenpwned.com/] (HIBP) was conceived, built and indeed how it performs. If ever there was a time to look back at that performance, it’s in the wake of the first few days after loading in the Ashley Madison breach. I want to share the “warts and all account” of what I observed over the three days of utter chaos that ensued. I first learned of the incident at about 6am local on Wednesday which was very shortly after the t...

I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable for verified subscribers of Have I been pwned? [https://haveibeenpwned.com/] (HIBP) and now – perhaps unsurprisingly in retrospect – I was being inundated with email. I mean hundreds of emails every day with people asking questions about the data. Not just asking questions, but often giving me their life stories as well. These stories shed a very interesting light on the incident, one that mos...

To date, I’ve avoided commenting on the other Ashley Madison search services and have invested my efforts purely in keeping Have I been pwned? [https://haveibeenpwned.com/] (HIBP) ticking along. I’ve seen them come and indeed I’ve seen some of them go too. I’ve seen many that enable you to get confirmation about the presence of an email in Ashley Madison, others that return everything about the user. Publicly. To anyone. But something I saw today struck a very different chord with me, something...

This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach [https://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/] (well over 30M), but the sensitivity of the data within it. However the interest has surprised even me – I loaded the breached data into Have I been pwned? [https://haveibeenpwned.com/] (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a c...

I run a workshop which I often do privately for organisations or as a part of various conferences which I title “Hack Yourself First”. I wrote about what I do in these recently in relation to my upcoming US workshops next month [https://www.troyhunt.com/2015/07/its-app-sec-in-usa-and-hack-yourself.html] and the ones I’ll be doing in London in Jan [https://www.troyhunt.com/2015/07/its-time-to-visit-london.html] but in short, it’s a couple of days of very hands-on exercises where we look at a heap...