We tend to get very focused on digital security controls; firewalls, antivirus, software updates and then all the usual practices I spend so much time talking to developers about, stuff like defending against SQL injection, cross site scripting and a whole raft of other attacks against systems. But the bigger risk – and it’s one that doesn’t get near as much coverage – is attacks against humans. Whereas most of the time we’re thinking about attacks against the systems, we tend to neglect weaknes...

This weekend, I loaded five additional data breaches into Have I been pwned [https://haveibeenpwned.com/] (HIBP) that had come from various forums running on vBulletin. These came via supporters that had collected them from data breach traders over the years and some of them dated back quite some time. I always go to great lengths to validate that a breach is indeed legitimate and one of the ways I do that is to take a real good look at the passwords stored in the system and ensure that they do...

I had a follower send me a curious question the other day which if I paraphrase, went like this: > Hi, I was worried about the security of the Waitrose login form so I contacted them about it. They sent me a response but I’m not sure if it’s correct – can you shed some light on it? Actually, yes, I can and frankly, it’s a bit of a comedy of errors. For those not familiar with Waitrose [https://en.wikipedia.org/wiki/Waitrose], they’re a large British supermarket chain bringing in somewhere ar...

One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected: > When someone whacks XSS in the live question feed whilst you're answering security questions on a panel... pic.twitter.com/paLp7ECXHF [https://t.co/paLp7ECXHF] — Troy Hunt (@troyhunt) January 22, 2016 [https://twitter.com/troyhunt/status/69056...

I’ve been running “Have I been pwned?” (HIBP) for just over a couple of years now and to say that it’s exceeded my wildest expectations of what it might achieve is somewhat of an understatement. The volume of data it now holds is one thing, the many hundreds of thousands of notification subscribers is another and yet another again is the volume of traffic it serves, sometimes in the millions of visitors a day. But recently, the penny has dropped on something else it’s managed to achieve that I n...

I got a rather odd invoice via PayPal the other day, it looks like this: Naturally the first thing I did was to look for spoof email indicators, but none of the usual suspects were showing up: 1. It was from member@paypal.com.au 2. The mail headers were legit 3. The “View and Pay Invoice” button linked directly to https://www.paypal.com/ Which all struck me as quite odd so I tweeted it out [https://twitter.com/troyhunt/status/683386377904361472]. I suggested that it was spam because that...

We’re a few days into the new year and I’m sick of it already. This is fundamental web usability 101 stuff that plagues us all and makes our online life that much more painful than it needs to be. None of these practices – none of them – is ever met with “Oh how nice, this site is doing that thing”. Every one of these is absolutely driving the web into a dismal abyss of frustration and much ranting by all. And before anyone retorts with “Oh you can just install this do-whacky plugin which rewri...

I don’t normally do the year in review thing, but then I don’t normally have a year like this either. Whilst it may not seem like it to the casual observer, life changed in so many significant ways in 2015, more so than any time in probably the last 15. The other day I was having a spin back through my tweets with media and I realised just how nuts things had been, so I thought I might capture a bunch of them here as they really tell the story. This is as much for me to reflect on the year as...

I’ve had a couple of experiences recently where guests have come to stay and then requested to jump on my wifi. In each case, I’ve declined and in turn they have expressed some degree of shock and outrage. Because it will happen again and because I don’t want upset guests staying in my house, allow me to articulate clearly and objectively why my network is off limits and why perhaps you too want to think twice about allowing access to yours. It’s not that I don't trust my guests… Let’s start he...

Every now and then, a Pluralsight course completely defies the odds of what I expected it to do. Now it’s not that I don’t think this latest one [https://app.pluralsight.com/library/courses/play-by-play-ethical-hacking-troy-hunt/table-of-contents] is a good course, rather it’s that it’s a play-by-play which effectively went like this: Pluralsight: Hey, how about you hack Gary Eimerman [https://twitter.com/garyeimerman] and we record it? Me: You had me at “hack”! And that’s about it – now it’...