Mastodon

Have I Been Pwned

A 200-post collection

Ashley Madison search sites like Trustify are harvesting email addresses and spamming searched victims

To date, I’ve avoided commenting on the other Ashley Madison search services and have invested my efforts purely in keeping Have I been pwned? [https://haveibeenpwned.com/] (HIBP) ticking along. I’ve seen them come and indeed I’ve seen some of them go too. I’ve seen many that enable you to get confirmation about the presence of an email in Ashley Madison, others that return everything about the user. Publicly. To anyone. But something I saw today struck a very different chord with me, something...

Here’s what Ashley Madison members have told me

I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable for verified subscribers of Have I been pwned? [https://haveibeenpwned.com/] (HIBP) and now – perhaps unsurprisingly in retrospect – I was being inundated with email. I mean hundreds of emails every day with people asking questions about the data. Not just asking questions, but often giving me their life stories as well. These stories shed a very interesting light on the incident, one that mos...

Ashley Madison data breach Q&A

This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach [https://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/] (well over 30M), but the sensitivity of the data within it. However the interest has surprised even me – I loaded the breached data into Have I been pwned? [https://haveibeenpwned.com/] (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a c...

Azure websites SSL goes “A” grade

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? [https://haveibeenpwned.com/] (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me....

Here’s how I’m going to handle the Ashley Madison data

This morning I was reading a piece on the Ashley Madison hack [http://www.inquisitr.com/2281408/ashley-madison-hack-customer-service-impact-team-complaints-was-he-on-ashley-madison-site-down-as-users-turn-to-private-investigators/] which helped cement a few things in my mind. The first thing is that if this data ends up being made public (and it’s still an “if”) then it will rapidly be shared far and wide. Of course this happens with many major data breaches, but the emergence already of domain...

“Have I been pwned?” goes (a little bit) commercial

If I’m honest, the success of Have I been pwned? (HIBP) [https://haveibeenpwned.com] took me by surprise. It started out as an intriguing exercise to look at how the same accounts were being compromised across multiple data breaches and morphed into something well beyond that in pretty short order. The unexpected success of the service made for some really intriguing technology challenges and provided me with an excellent opportunity to push Microsoft’s Azure to the limits, not just in terms of...

32k email addresses from the Hacking Team breach are now in “Have I Been pwned?”

Over the last week, the Hacking Team story has absolutely exploded. It’s dominated the security news, featured heavily in tech publications and regularly appeared in the mainstream press. The 400GB of data leaked has been extensively torrented, mirrored and reproduced then of course commentated on at length in various articles and social media pieces. In terms of public breaches, this is as exposed as data gets. Clearly, this incident is also highly controversial. Hacking Team has long been und...

Understanding HTTP Strict Transport Security (HSTS) and preloading it into the browser

During my travels over recent weeks I’ve been doing a quick demo that works like this: First, I open up the dev tools in Chrome and select the network tab. Second, I load up americanexpress.com [http://americanexpress.com] and show the network requests: I point out how the first one goes out over HTTP because this is what browsers do when you don’t explicitly enter a scheme such as “https://”. The server responds to this request with an HTTP 301 “Moved Permanently” and a “location” header w...

Now you can monitor “Have I been pwned?” performance on Azure in real time

There’s been a huge amount of activity on Have I been pwned? [https://haveibeenpwned.com/] (HIBP) in recent weeks, particularly in the wake of the Adult Friend Finder breach [http://time.com/3893946/adultfriendfinder-data-breach/] which drew a lot of attention. The activity has comprised of organic browser-based traffic as well hits to the API [https://haveibeenpwned.com/API/v2]. The latter in particular is interesting as you can see a steady rate of traffic (or a steady increase of traffic) sud...

Supercars suck at transporting TVs (and other Azure Table Storage lessons)

The other day my receiver for the home audio setup completely died. Kaput. So I go out to get another one and given a receiver is no larger than a couple of shoeboxes in size, I decide to drive the GT-R [https://www.troyhunt.com/2013/07/gt-r-technology-of-speed.html] instead of taking the family estate. I love the GT-R because it’s enormous fun and I smile every time I drive it so given my requirements were well within the capacity allowance of the GT-R’s supercar proportions, it was the natural...