Security

A 413-post collection

Understanding HTTP Strict Transport Security (HSTS) and preloading it into the browser

During my travels over recent weeks I’ve been doing a quick demo that works like this: First, I open up the dev tools in Chrome and select the network tab. Second, I load up americanexpress.com [http://americanexpress.com] and show the network requests: I point out how the first one goes out over HTTP because this is what browsers do when you don’t explicitly enter a scheme such as “https://”. The server responds to this request with an HTTP 301 “Moved Permanently” and a “location” header w...

Want to Hack Yourself First in Amsterdam? Come join Xebia and I for a 2 day workshop!

It’s the “Hack Yourself First” trilogy: Watch the talk [https://yow.eventer.com/yow-2014-1222/hack-yourself-first-go-on-the-cyber-offence-before-online-attackers-do-by-troy-hunt-1698], take the Pluralsight course [http://www.pluralsight.com/courses/hack-yourself-first] and now you can spend a couple of days with me in Amsterdam next month on June 22 and 23 doing the workshop [https://training.xebia.com/developer-skills/hack-yourself-first-how-to-go-on-the-cyber-offence/]. I’ve teamed up with X...

Pineapple express – when awesome service deserves recognition

So I’m at the DevSum conference in Stockholm [http://www.devsum.se/speaker/troy-hunt/] and yesterday afternoon was busily preparing for my talk, Hack Yourself First. It’s a talk I’ve done many times before and it always rocks not just based on the attendee feedback, but because frankly I just have a lot of fun doing it (you can watch a recording from Yow! in December [https://yow.eventer.com/yow-2014-1222/hack-yourself-first-go-on-the-cyber-offence-before-online-attackers-do-by-troy-hunt-1698]...

Implementing a content security policy with NWebsec, Azure Table Storage and Raygun

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...

Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test [https://www.ssllabs.com/ssltest], which has become so popular in recent times. It’s a great way of identifying what’s good and what’s bad about an SSL implementation and indeed, it appears that NAB has pulled their stats: Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result...

Join me on a website security review with Lars and Pluralsight!

Sometimes, good ideas take a while to materialise. The penny only dropped on just how long some of them take when I was going back through my Pluralsight notes just the other day and found this: That was March last year and an awful lot of water has gone under the bridge since then. But it seemed like a really good idea at the time and inevitably, it was. I’d find a willing “muse” with a suitable website then go to town on it, critiquing everything that could possibly be wrong with it. This w...

Happy birthday! Now anyone can login to your Betfair account

I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example:

> @BetfairHelpdesk [https://twitter.com/BetfairHelpdesk] Is it right that all one needs to change their password is their username and date of birth? — Paul Sawers (@psawers) April 23, 2015 [https://twitter.com/psawers/status/591279641828143104]

Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair r...

Mobile app privacy insanity – we’re still failing massively at this

I was preparing for a talk last weekend where I wanted to show the sorts of bad mobile app behaviours you can readily find using Telerik’s Fiddler [http://www.telerik.com/fiddler]. Now I’ve spent quite a bit of time over the years looking at the behaviour of the apps we use every day on our phones, in fact it was nearly four years ago that I wrote Secret iOS business; what you don’t know about your apps [https://www.troyhunt.com/2011/10/secret-ios-business-what-you-dont-know.html] and called out...

How to get your SSL for free on a Shared Azure website with CloudFlare

This content is now available in the Pluralsight course "Getting Started with CloudFlare Security" [http://www.pluralsight.com/courses/cloudflare-security-getting-started]

As you may be well aware by this, Microsoft’s Azure gets me rather excited [https://www.troyhunt.com/search/label/Azure]. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have...

Yow! Conference talk – Hack yourself first

Back in December, I was privileged enough to be asked along to the Yow! Conference [http://yowconference.com.au/] road show down here in Australia. I say “road show” as myself and a bunch of speakers from around the world spent a couple of days in Melbourne, a weekend up in sunny Queensland, a couple of days in Brisbane then jetted down to Sydney and spent a couple of days there. It was pretty much the same content in each city, but obviously different audiences. This was my first Yow! and it w...