Security

So a few months ago I wrote about having a little visit to London [https://www.troyhunt.com/2015/07/its-time-to-visit-london.html] in Jan and offered to do a workshop or two while I’m there. Anyway, one thing lead to another and now I’m away for four weeks. In Jan. When it’s cold there. And hot here. But seriously, it’s wonderful there’s been so much interest in my “Hack Yourself First” workshops. I’m spending time with some really interesting organisations who are getting their developers trai...

This must have seemed like a good idea at the time: > We're LIVE! Tweet your cyber crime questions in using #cybercrimensw [https://twitter.com/hashtag/cybercrimensw?src=hash] — NSW Police (@nswpolice) October 14, 2015 [https://twitter.com/nswpolice/status/654084466600644608] The idea of a hashtag campaign is to drum up social support where anyone can chime in with their 2 cents worth and all going according to plan, you get all this nice warm and fuzzy community engagement. Problem is though...

This is somewhat of a perplexing acquisition, but apparently LastPass is now owned by LogMeIn [https://blog.lastpass.com/2015/10/lastpass-joins-logmein.html/]. I get it in the-big-publicly-traded-company-gobbling-up-the-smaller-one kinda way, but it’s an odd marriage for a company that builds remote desktop software to buy one that builds a password manager. People aren’t real happy either when you look at the comments they’ve left on that post. Why aren’t they happy? I touched on it here: >...

I’m a big proponent of the content security policy paradigm (CSP) supported by modern browsers. In fact I’m so keen on them I even wrote a Pluralsight course: Introduction to Browser Security Headers [http://www.pluralsight.com/courses/browser-security-headers]. (Sidenote: I’m enormously happy with how well this course has been received, seems there’s an appetite for securing our things after all!) Now if you’re not sure what all the fuss is about, have a quick read of my launch blog post for...

I’ve got a heap of resources I constantly come back to in talks, workshops and just during the course of my everyday work. Frankly, I have trouble remembering them all myself plus I reckon they’re kinda useful for other people too so I thought I’d drop them all into a post here. If you’ve got good stuff I’ve missed (and you almost certainly will), drop it into the comments below as I’d love to add to my own set of resources plus that way it gets shared with everyone. Enjoy! SSL / TLS / HTTPS 1...

Now I swear this is entirely coincidental, but only this month I wrote a very tongue-in-cheek piece titled Good news – your credit card is fine and only your irreplaceable things were hacked! [https://www.troyhunt.com/2015/09/good-news-your-credit-card-is-fine-and.html] The basic premise of this piece was that when you see a company proudly asserting that your credit card is fine even though they’ve just been pwned six ways from Sunday (hi Ashley Madison!), that assurance is of little consequenc...

Hey, I really hate to tell you this, but we were hacked and your account containing a bunch of really sensitive personal data was exposed. I know, it’s enormously inconvenient but I have good news for you – your credit card is fine! Now yes, banks do have very good fraud protection these days and they would almost certainly have reversed any illegitimate charges, but isn’t this great news! Oh yeah – they’ll also issue you a new card too and don’t worry, that won’t cost you a cent. Yes, you’ll n...

I’ve been doing this fantastic demo about browser security headers in a lot of my recent talks and workshops. It’s always a lot of fun and it’s very interactive – you can try this out for yourself right now – and it works like this: So cross site scripting (XSS) is still a big thing. Yes it’s been around for ages and yes we should be on top of it by now, but here we are. Anyway, I was at the AppSecEU conference in the Netherlands a few months ago and a local guy called Breno de Winter did a fan...

This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach [https://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/] (well over 30M), but the sensitivity of the data within it. However the interest has surprised even me – I loaded the breached data into Have I been pwned? [https://haveibeenpwned.com/] (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a c...

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? [https://haveibeenpwned.com/] (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me....