Security

A 411-post collection

Web security on .NET Rocks!

Did I mention already that NDC was totally awesome [https://www.troyhunt.com/2014/06/ndc-2014-vikings-passwords-and.html]? Pretty sure I said something along those lines (many, many times) and as you’ll see from the presentations I did in that link, I had a heap of fun while I was there. Actually, I had so much fun that I’ve already committed to go back in 2015. That’s it, I’m there! While I was there, I finally got to catch up in person with Carl and Richard of .NET Rocks fame. I’ve been on th...

Lessons in insecure SSL courtesy of Hoyts cinemas

Why do we bother with SSL? I mean what’s the risk that we’re trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it’s men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this? [https://twitter.com/HoytsAustralia/status/478320507402465281] This was in response t...

NDC 2014, Vikings, passwords and pineapples (and session videos)

Here was the original plan: propose two talks for NDC, travel over to the other side of the world and do them both then make the long trek home (each trip taking about 33 hours, thank you very much). That was pretty much how it went except that only one of the proposed talks made the cut (I later learned that they seemed too similar which is a perfectly reasonable assessment). So I did the only sensible thing and took the very best parts out of the talk that didn’t make the cut and rolled them i...

The mechanics of the iCloud “hack” and how iOS devices are being held to ransom

If you’re an Aussie with an iPhone, there’s a chance you’ve been woken up in the middle of the night by this: Oh boy. What we’re looking at is an iPhone that has been remotely locked by “Oleg Pliss”. What we’re looking at is a modern incarnation of ransomware [http://en.wikipedia.org/wiki/Ransomware] executed via Apple’s iCloud and impacting devices using the “Find my iPhone” feature. Perplexingly, this is predominantly impacting Aussie iCloud users and to date, there’s no clear reason why, r...

Why have security on a vBulletin forum? Because it’s none of your business, that’s why!

I’m used to seeing short-sighted responses on Twitter when it comes to security, but admittedly this one took me by surprise: [https://twitter.com/vBZachery/status/471161211401555968] This was from a vBulletin “Tech Support Guy” as part of a thread about the security profile of the website MMO Champion [http://www.mmo-champion.com/], a World of Warcraft discussion site. This is a site that allows you to register with a username and password, store your date of birth (and hide it from public v...

Codemania Video: Hack yourself first: how to go on the cyber-offence before online attackers do

Last month I headed over to the totally awesome conference that was Codemania in Auckland, New Zealand (for international readers, it’s like Australia but with stranger accents and more hobbits). I spoke on… security! Imagine that? More specifically, I spoke about “Hacking Yourself First” which is all about teaching developers to identify risks in their own software before someone else does! If this sounds interesting (and if you’re building software for the web, it should), the talk is based...

The eBay breach: answers to the questions that will inevitably be asked

Here’s how it usually works: someone big gets hacked or a serious risk gets disclosed then all sorts of articles pop up with journos quoting people like myself on all the same questions that inevitably get asked. I’ve been doing a bit of that today in the wake of the eBay attack so I thought that rather than just have these one on one conversations which then get dispersed all over the place, I’d capture a bunch of responses from discussions I’ve had here. Just one more thing – it’s very early...

The “Cobra Effect” that is disabling paste on password fields

Back in the day when the British had a penchant for conquering the world, they ran into a little problem on the subcontinent; cobras. Turns out there were a hell of a lot of the buggers wandering around India and it also turned out that they were rather venomous which didn’t sit well with the colonials. Ingenious as the British were, they decided to offer the citizens a bounty – you hand in dead cobras that would otherwise have bitten some poor imperialist and you get some cash. Problem solved....

How not to “hide” sensitive data in plain sight with view state

Remember view state? This was the massive kludge of hidden input data in an ASP.NET web forms page which tried to create quasi-persistence between requests in what is otherwise the stateless world of HTTP. Actually saying “was” isn’t that fair as indeed web forms apps make up the vast majority of ASP.NET sites out there today, but Microsoft’s implementation of MVC tends to be viewed as the new shiny thing that many of us have gravitated towards in recent years. That said, when I created my recen...

Builders vs breakers: 10 online attacks we could have easily prevented

Ever notice how in hindsight, most of the online attacks we see could have been easily prevented? Granted, we tend to have 20:20 vision when we’re looking back, but take something like the Bell telco in Canada and their SQL injection attack the other day [https://www.troyhunt.com/2014/02/heres-how-bell-was-hacked-sql-injection.html]. Guys, it’s a simple matter of validating the untrusted data and parameterising the SQL statements. We know this – we’ve (the software community) had this discussion...