Security

A 411-post collection

5 ways to implement HTTPS in an insufficient manner (and leak sensitive data)

HTTPS or SSL or TLS or whatever you want to call it can be a confusing beast. Some say it’s just about protecting your password and banking info whilst the packets are flying around the web but I’ve long said that SSL is not about encryption [https://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html]. As an indication of how tricky the whole situation is, OWASP talks about insufficient transport layer security [https://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html...

C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Since a very young age, many of us have been taught that C is for cookie [http://www.youtube.com/watch?v=Ye8mB6VsUHw] and that apparently, “That’s good enough for me”. Except it’s not – the hidden depths of the cookie were never really explored so is it any wonder that after being ingrained with such a trivial view of cookies from such a young age that so many of us are handling them in an insecure fashion? You see, there’s far more to cookies than meets the eye and I want to delve into a coupl...

Are we ready to do our banking via Facebook?

Browsing through my Facebooks the other day, I came across an interesting little sponsored ad: Banking, you say? In your Facebook, you say? What could possibly go wrong?! The overriding concern that immediately sprung to mind was that you’re mixing two domains of a very, very different nature. On the one hand we have our social media, frequently the source of status updates about our breakfast, commentary on the latest lolcats [http://en.wikipedia.org/wiki/Lolcat] and as I’ve written on nume...

Should websites be required to publicly disclose their password storage strategy?

I don’t know how Evernote stored my password, you know, the one they think might have been accessed by masked assassins (or the digital equivalent thereof). I mean I know that their measures are robust [http://evernote.com/corp/news/password_reset.php] but then again, so were Tesco’s [https://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html] and according to their definition, “robust” means storing them in plain text behind a website riddled with XSS and SQL injection (among oth...

Lousy ABC cryptography cracked in seconds as Aussie passwords are exposed

45 seconds. That’s how long it took to crack 53% of the ABC’s now very public password database. That’s more than half of the almost 50,000 passwords that were publicly exposed today [http://www.cyberwarnews.info/2013/02/27/abc-australia-hacked-49561-moderator-and-user-credentials-leaked/]. How the passwords (among other data) were exposed is yet to play out, but what we now know for sure is that the mechanism the ABC used to protect these credentials was woefully inadequate. Here’s how it wa...

Cold call virus scams are still alive and well

Regular readers of this blog would have seen sagas such as Anatomy of a virus call centre scam [https://www.troyhunt.com/2011/10/anatomy-of-virus-call-centre-scam.html], Scamming the scammers – catching the virus call centre scammers red-handed [https://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html] and my personal favourite, “Type www.” – “Ok, w-w-w-d-o-t”; antagonising call centre scammers [https://www.troyhunt.com/2012/04/type-www-ok-w-w-w-d-o-t-antagonising.html]. That...

What is LOIC and can I be arrested for DDoS’ing someone?

It’s the Low Orbit Ion Cannon and yes, you can be arrested and sentenced to a prison term for using it to mount a distributed denial of service attack on a website. But let’s not get ahead of ourselves, there are a few things to understand first. LOIC has shot to fame in recent years as the tool of choice for what we colloquially refer to as hacktivists [http://en.wikipedia.org/wiki/Hacktivist], or in other words, folks with an axe to grind – usually for political purposes – who use the web to...

20 simple tips for safer internet banking

A few months back I had another chat to Today Tonight, a national prime time current affairs program I’ve previously appeared on in relation to call centre scammers taking over unsuspecting victims’ PCs [https://www.troyhunt.com/2012/08/virus-scams-social-engineering-victims.html]. This time it was about the security of internet banking which gave me a chance to collate some good practices, many of which didn’t go to air but I kept hold of with the intention of sharing in the context of the vide...

The problem with website security is us!

I write a lot about website security. Sometimes I’ll publicly point out flaws in software but there are many, many other times where it remains a private conversation for various reasons. The one common thread across most of these incidents is that as developers, we often make bad security design decisions. It’s us – the organic matter in the software development process – that despite the best of intentions make bad choices that introduce serious risks. My belief – and one of the key reasons I...

People Talking Tech talking security

It was a few months back now, but last year I spent a little time with fellow MVP Denny Cherry [http://twitter.com/mrdenny/] on his podcast People Talking Tech [http://peopletalkingtech.com]. We had a great talk about security in general with a lot of focus on SQL Injection in particular. It’s a nice light-hearted 24 minute chat that I enjoyed doing and I hope you enjoy listening to. You can listen online or download from People Talking Tech, Episode 18 – Troy Hunt [http://peopletalkingtech.com...