Security

A 411-post collection

Disabling SSL 3 in Azure websites (and why it doesn’t look like you have)

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]. Just a quick one as it’s mostly explained in How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines [http://azure.microsoft.com/blog/2014/10/19/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/], but there are a few bits worth adding. Oh – just in...

Everything you need to know about the POODLE SSL bug

We don’t seem to go far these days without the next “catastrophic” bug hitting the internets. Remember how a few weeks ago Shellshock [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html] was going to end the internet as we know it? If you believed all the headlines, that sucker was going to own us through our light globes (I suspect some poetic license was taken on my IoT comments) and the web would never be the same. Scroll forward and it’s already “Shell-what?” Earlier th...

Gone Mobile Podcast: Securing Mobile Apps

I’ve learned some rather intriguing things about what our mobile apps are doing while we’re not looking in the six days since I launched the challenge to find crazy stuff in mobile app communications [https://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html]. For example, there’s the social app that allows you to accept friend requests on behalf of someone else [https://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html#comment-1627770487] if you call the API in the right...

Raygun and ignoring specific Web API exception types

In the spirit of “here’s something I couldn’t find an easy answer for so I’m writing it myself”, let me very briefly run you through how to have Raygun ignore specific exception types raised by Web API. Firstly, Web API support came a couple of months ago [https://raygun.io/blog/2014/08/webapi-exception-tracking/] which is rather important given how much stuff is transitioning to APIs these days. I use Web API fairly extensively in Have I been pwned? [https://haveibeenpwned.com/] (HIBP), partl...

Find crazy stuff in mobile app communications (and get free stuff!)

Here’s a pop quiz for you: how much data do you reckon this iPad app downloads when it first runs? I don’t mean how big it is to download from the App Store (it’s 25MB), I mean after you download it then simply tap the icon to fire it up, how much data does it pull down if you don’t touch it again? Take a close look and consider the answer before reading on: Now you’ve probably done what I would have done – looked at what you can see on the screen, speculated about how you’d build it in a way to...

Watching “Have I been pwned?” Pastebin notifications in action

I imagine this is what it’s like when one of your kids gets old enough to finally beat you at something you’ve poured your heart into teaching them. Yes, I’m proud and it’s awesome that it has turned out so well, but I was still a little disappointed to get this the other day: This came totally out of the blue for me which, of course, is exactly how it’s meant to work. If all this is unfamiliar to you, this is the paste monitoring feature of “Have I been pwned?” (HIBP) which I launched last m...

FREE Pluralsight Course: Understanding the Shellshock Bash Bug

Remember Shellshock? How could anyone forget! This thing has totally dominated the news – not just the tech news either – and like Heartbleed before it (inevitably the yardstick we compare it to), the hype has been, well, somewhat overinflated. I get it – it is a big thing – but the press has a way of sensationalising things in a pretty unique way. Case in point: I wrote Everything you need to know about the Shellshock Bash bug [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about...

Podcast: The Security Influencer's Channel

Here’s a scary stat for you: last year was the most hacked year ever. According to Risk Based Security [https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf], we saw 823M records exposed via data breaches: Nasty stuff right? Yeah, but it gets worse. As of mid 2014, we’re already looking at 502 million records exposed [http://datalossdb.org/incident_highlights/66-hacking-exposed-78-of-all-records-compromised-in-first-half-of-2014]. Bugger. These breaches keep on coming and w...

The anatomy of a Shellshock attack in the wild

It’s six days since I wrote about Shellshock [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html] and the response has been massive. There’s clearly a lot of interest in this bug and indeed there have been some pretty dire warnings about the impending “Bashpocalypse” which ultimately, hasn’t really happened. I’m sure it’s made life tricky for some sysadmins and I’m also sure there have been many servers that have suffered from what by all objective measures, remains a pretty...

TestTalks Podcast: Hack Your API-Security Testing

Did I mention that we have some terrible security flaws with our APIs behind rich client apps? Pretty sure I did; oh and I did just write a Pluralsight course that shot to the top of the charts [http://pluralsight.com/training/Courses/TableOfContents/hack-your-api-first] so yeah, there’s that! There are a few reasons why vulnerabilities in APIs are the new black: 1. They’re that much less obvious than vulnerabilities in browser-based apps; you don’t see the URL, you don’t get browser war...