Security

A 411-post collection

Have your customers been pwned? Would you like to know?

For the past year and a bit I’ve been building out features on Have I been pwned? [https://haveibeenpwned.com/] (HIBP) in response to things I think would be awesome and things I’m asked for. I’m constantly surprised at the ways people have found to use the data for good, which is a nice twist given that the data normally comes from very unpleasant circumstances. For some ideas on how the data has been used, have a look at the API consumers page [https://haveibeenpwned.com/API/Consumers]: variou...

Are your apps leaking your private details?

For many regular readers here, this is probably not overly surprising: some of your apps may do nasty things. Yes, yes, we’re all very shocked about this, but all jokes aside, it’s a rather nasty problem that kids in particular are at risk of. There was a piece a few days back on Channel 4 in the UK about Apps, ads and what they get from your phone [http://blogs.channel4.com/geoff-white-on-technology/apps-ads-phone/1415] where a bunch of kids had their traffic intercepted by a security firm. The...

Introducing the “Secure Account Management Fundamentals” course on Pluralsight

I’ve just published my eighth Pluralsight course – Secure Account Management Fundamentals [http://www.pluralsight.com/courses/secure-account-management-fundamentals] – and it’s all about the things we need to do to properly look after the valuable customers that use the services we developers build. Normally when I launch a new course I’d write up a bunch of detail on what it’s all about but this time, I thought I’d reproduce a collection of the discussions I’ve had with many people over many ye...

Sony, North Korea and Cyberwarfare on RunAs Radio

It was the story that got weirder and weirder and will likely remain the high water mark for impactful security breaches for, well, probably not very long given this industry! Be that as it may, the Sony saga was unprecedented in many ways and it provoked some really interesting discussions. A couple of weeks back I suggested that many of us are working for the next Sony Pictures [https://www.troyhunt.com/2014/12/are-you-working-for-next-sony-pictures.html] insofar as a lot of the atrocious pr...

Are you working for the next Sony Pictures? Here’s some things to check at work

Clearly, Sony Pictures has had a rather bad time of it lately. First there were the threats from the alleged attackers, then the beginning of internal data dumps that now total tens of GB already, then the embarrassing internal email leaks, then the threats of 9/11 style attacks and now pulling the launch of “The Interview” because allegedly, the North Koreans don’t share their sense of humour. This is, without a doubt, the bizarrest of hacks in an industry where bizarre is par for the course....

Ransom is the new black – the increasing trend of online extortion

I heard about this guy, walked into a federal bank with a portable phone, handed the phone to the teller, the guy on the other end of the phone said: “We got this guy’s little girl, and if you don’t give him all your money, we’re gonna kill ‘er.” Did it work? F**kin’ A it worked, that’s what I’m talkin’ about! Knucklehead walks in a bank with a telephone, not a pistol, not a shotgun, but a f**kin’ phone, cleans the place out, and they don’t lift a f**kin’ finger. Did they hurt the little g...

Hacking your API first at TechEd Australia 2014

I’ve been doing a lot of talking about API security recently because frankly, there’s a lot to talk about. Those little web services that sit behind the rich client apps on our devices and increasingly behind our Internet of Things have a nasty habit of having some really serious vulnerabilities in them. I’m talking about everything from leaking data to allowing unauthorised users to perform actions they shouldn’t be allowed to all the way through to entirely useless SSL implementations because...

10 email security fundamentals for everyday people

A couple of weeks back, this bloke hit the news [http://www.smh.com.au/nsw/barry-spurr-emails-investigated-by-university-of-sydney-20141016-1179kj.html] when his private emails were leaked and disclosed that he was fond of, shall we say, a very “colonial” vernacular when it comes to talking about our indigenous people: That he is (was?) a professor at a university would normally suggest that he’s a pretty switched on guy, but the evidence is clearly to the contrary. Speaking of people we’d...

Get Cloak. Go Dark. VPN’ing out from the Great Firewall of China

Let’s go through just some of the ways you can hand your valuable datas over to people that want to get somewhere in between you and whatever service it is you want to talk to at the other end. You can get pineappled [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html] and certainly that’s been a favourite of mine to demonstrate because it’s just so damn easy (it’s also kinda cool, if I’m honest). The router you connect through can be pwned and its DNS changed to hel...

.NET Rocks Podcast: The Security of IoT

You know how you always wanted a fork with an ARM processor that could upload data wirelessly over the internet? C’mon, you know you want it and now you can get a HAPIfork [http://www.hapi.com/product/hapifork]. Or how about your light globes? Yes, LIFX totally rocks [http://au.lifx.co/] but no, I wasn’t so keen on the idea once I learned your neighbours could pwn your wifi through them [http://www.smh.com.au/digital-life/consumer-security/security-vulnerability-found-in-lifx-smart-light-bulbs-...