Security

A 413-post collection

Understanding firewalls, intrusion detection systems and honeypots with Pluralsight

This was pretty big news 18 months ago: It was what greeted Sony Pictures employees [https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack] when they turned up to the office and switched on their machines. Machines infected with malware were one thing - a very bad thing at that - but it got much, much worse for Sony. In all, we saw about 40GB of company data walk out the proverbial door and it included everything from employee credentials to unreleased films to somewhere in the order...

Here's how I verify data breaches

Let me start with this headline [http://www.reuters.com/article/us-cyber-passwords-idUSKCN0XV1I6]: Other headlines went on to suggest that you need to change your password right now [http://www.iflscience.com/technology/millions-passwords-hotmail-gmail-and-yahoo-have-been-stolen] if you're using the likes of Hotmail or Gmail, among others. The strong implication across the stories I've read is that these mail providers have been hacked and now there's a mega-list of stolen accounts floating...

100 data breaches later, Have I been pwned gets its first self-submission

I certainly didn't expect it would go this far when I built Have I been pwned [https://haveibeenpwned.com/] (HIBP) a few years ago, but I've just loaded the 100th data breach into the system. This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see. But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves. It was self-submitte...

When a nation is hacked: Understanding the ginormous Philippines data breach

Remember when OPM got breached last year [https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach]? There was a lot of excitement in various parts of the world (namely the US) because here we had a government department (Office of Personnel Management), and they’d just lost 21.5 million records! These records included such sensitive data as names, dates of birth and addresses and by any reasonable measure, it was serious – that’s almost 7% of the country’s population! Yet some...

The world needs more stupid security researchers – join me!

I love this Google Play store review of the NissanConnect app which had such terrible security issues recently [https://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html]: > I may print and frame this: pic.twitter.com/P0hu7E08GQ [https://t.co/P0hu7E08GQ] — Troy Hunt (@troyhunt) March 17, 2016 [https://twitter.com/troyhunt/status/710604327186931712] I join a long line of stupid security folks who’ve messed things up for other people. Sometimes people have been unable to purc...

New Pluralsight course: Ethical Hacking, Denial of Service

I’ve just launched my latest Pluralsight course titled Ethical Hacking, Denial of Service [https://app.pluralsight.com/library/courses/ethical-hacking-denial-service/table-of-contents] but before I explain what’s in it, let’s kick off with some trivia: DDoS attacks have increased massively in size in recent years: This is from Arbor Networks’ latest Worldwide Infrastructure Security Report [https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf] and that was current in October wh...

Understanding CSRF, the video tutorial edition

Cross site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web form style resource, then it’s frequently an API somewhere (you’re pa...

How your data is collected and commoditised via “free” online services

I get a lot of people popping up with data breaches for Have I been pwned [https://haveibeenpwned.com/] (HIBP). There’s an interesting story in that itself actually, one I must get around to writing in the future as folks come from all sorts of different backgrounds and offer up data they’ve come across in various locations. Recently someone sent me a list of various data breaches they’d obtained, including this one: > InstantCheckmate 2015 - 80M entries On the surface of it, that’s a phenom...

Breaches, “Have I been pwned?”, password reuse, 1Password and good deeds

I spend a lot of time on Have I been pwned [https://haveibeenpwned.com/] (HIBP) which consists of both maintaining and building out the software with new features as well as obviously sourcing new data for it on a regular basis. I make it freely available to the community and some time ago at the suggestion of some of those who’d found it useful, I stood up a donations page [https://haveibeenpwned.com/Donate]. Whilst the service is cheap to run courtesy of Azure being pretty cost efficient, it’s...

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

Last month I was over in Norway doing training for ProgramUtvikling [http://programutvikling.no/], the good folks who run the NDC conferences I've become so attached to. I was running my usual “Hack Yourself First” workshop [https://www.troyhunt.com/2016/02/more-europe-even-more-again-and-more.html] which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cov...