Security

Last month I had a great couple of days at Web Directions South in Sydney. Great on the first day because I got to kick back and watch messages like this popping up on the Twitters: And then great on the second day because I got to talk to everyone about what it means to your app security to have your wifi hijacked. The video of that talk has just gone up on YouTube and IMHO, it’s come up rather well: I also wrote in more detail about how I used the Pineapple at Web Directions and what data...

Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder [http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/] in terms of what they g...

There’s this whole idea of “the creepy line” when it comes to the way our personal data is collected and reused without our permission. Eric Schmidt of Google fame reckons they get right up to it without crossing it [http://blogs.telegraph.co.uk/technology/shanerichmond/100005766/eric-schmidt-getting-close-to-the-creepy-line/] or in other words, they push the boundaries as far as society will tolerate without getting too pissed off. Thing is though, how you define “creepy” is a very personal th...

Update: 17 Feb 2014: Sanity has prevailed and the service has now been pulled [http://www.zdnet.com/linkedin-dumps-intro-in-services-overhaul-7000026123/]. -------------------------------------------------------------------------------- LinkedIn Intro [https://intro.linkedin.com] has already become known by many names: A dream for attackers [http://www.theverge.com/2013/10/25/5027334/linkedin-intro-security-concerns-bishop-fox-mandiant] , A nightmare for email security and privacy [http://ven...

So I’ve just wrapped up another Web Directions [http://webdirections.org/wds13] presentation where the Pineapple has featured. The what now?! You know, the WiFi Pineapple [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html], that little guy with the ability to do all sorts of nasty things to wireless traffic. Now I’ve Pineappled before, but I’ve never Pineappled quite like this and that’s all down to the Mark V [http://hakshop.myshopify.com/products/wifi-pineapple] w...

I’m a security minded guy, that probably comes as no surprise. Other people – not always so much and as a result you inevitably see a lot of unattended, unlocked Windows desktops around the place. Naturally the responsible thing to do when seeing such risky behaviour is to help the victi.. uh, I mean “individual” understand the risky nature of such behaviour. Having recently observed such a situation I thought I’d reach out and ask for some guidance on how one might deal with it: [https://tw...

It’s been a while since I last spoke to Carl and Richard on .NET Rocks [https://www.troyhunt.com/2012/01/net-rocks-talks-security-with-carl.html] where it was all about the OWASP Top 10 and the provisions available in ASP.NET to keep yourself on the happy side of getting hacked. I had a chance to catch up with the guys again a couple of weeks ago to record a new episode all around “Hacking Yourself First” which ties in neatly to much of the writing I’ve been doing lately and my Pluralsight cour...

I’m sorry to be the one to break this to you, but, well, your company network is compromised. I know, I know, you thought you had firewalls and antivirus and Dropbox is blocked but somehow the nasties got in. Unfortunately that also means that all the web apps you have behind your corporate firewall are, for all intents and purposes, now public. Now you may not even be aware of the hacked state of the network you spend your nine to five hours in, many of these intrusions go entirely undetected....

One of the things people often ask me about in regards to software security is “Are there any standards that these people should be following? Any governing bodies? Any recourse for screwing things up?” Ok, that’s three things but you get the idea and people are usually pretty surprised when they learn that for the most part, no. No standards, no governing bodies, no recourse. You can go and create a new website today storing everyone’s credentials in the clear, send them around willy nilly via...

Remember view state? For that matter, do you even remember web forms?! I kid because although MVC is the new hotness in the world of building ASP.NET websites, web forms remains the predominant framework due to both the very long tail of sites already built on it and the prevalence of developers with skills in this area who haven’t made the transition to MVC (indeed some people argue that they can happily cohabit, but that’s another discussion for another day). Anyway, back to view state. When...