Security

Another week, another breach. This time Yahoo! was the target with 453,491 email addresses and passwords from their Voices service being exposed for all to see [https://www.trustedsec.com/july-2012/yahoo-voice-website-breached-400000-compromised/] . Whilst unfortunate for those involved, these breaches do give us some unique insight into password practices and as is usually the case, it’s not pretty. Back in June last year after one of many Sony breaches I conducted a brief analysis [https://ww...

In the beginning, there was password hashing and all was good. The one-directional nature of the hash meant that once passed through a hashing algorithm the stored password could only be validated by hashing another password (usually provided at logon) and comparing them. Everyone was happy. Then along came those pesky rainbow tables. Suddenly, huge collections of passwords could be hashed and stored in these colourful little tables then compared to existing hashed passwords (often breached fro...

No really, this is my LinkedIn password: y>8Q^<6mqKEA4hac Well it was my LinkedIn password until earlier today when it became apparent that LinkedIn had suffered what could only be described as a massive security breach [http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm?iid=SF_T_Lead] . The disclosure of 6 million passwords used in one of the world’s premier social networking sites is nothing short of astonishing. But what’s also astonishing is that this exercise onc...

There’s a pattern in the following stills from various scammer videos, see if you can spot it. Here’s one run by Comantra I captured back in Feb [http://www.youtube.com/watch?v=kjKjyMKj3n4&feature=player_detailpage#t=2403s]: And here’s another one [http://www.youtube.com/watch?v=nhqxOFH2rmI&feature=player_detailpage#t=713s] from when an unknown scammer called me in late April: Now here’s one from Noah Magram [http://www.youtube.com/watch?v=jb69H7l0vJA&feature=player_detailpage#t=20s] wh...

This content is now available in the Pluralsight course "Secure Account Management Fundamentals" [http://www.pluralsight.com/courses/secure-account-management-fundamentals] Recently I’ve had a couple of opportunities to think again about how a secure password reset function should operate, firstly whilst building this functionality into ASafaWeb [https://asafaweb.com/] and secondly when giving some direction for someone else doing a similar thing. In that second instance, I wanted to point them...

I’ve been writing and speaking about OWASP for long enough now that it was probably about time I contributed to the podcast so when Jim Manico [http://twitter.com/manicode] invited me to talk, it was a no-brainer! I had a good chat with Jim about a range of aspects related to ASP.NET; good stuff in the framework, not such good stuff in the framework, where I’m seeing people go wrong with .NET security and then a bit about some of the things I’m doing in terms of writing the OWASP Top 10 for .NET...

If you live in a western country and have a landline telephone with a listed phone number, chances are you’ve been “cold called” by someone on the other side of the world with an introduction that goes something like this: > “Hello, I am from the Microsoft technical support division and I am calling you because we have detected some problems with your computer. This is very important – I need you to go and turn your computer on right away…” It doesn’t matter if you have a computer, in fact i...

This ain’t my first rodeo, this ain’t the first I’ve seen this dog and pony show. I first wrote about virus call centre scammers back in October along with my recording titled Anatomy of a virus call centre scam [https://www.troyhunt.com/2011/10/anatomy-of-virus-call-centre-scam.html]. I followed up a couple of months ago with Scamming the scammers – catching the virus call-centre scammers red-handed [https://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html] which screen recor...

It already seems like a lifetime ago, but it was only last month that I was over in Seattle at the 2012 MVP Summit. While I was there, I had a short chat on video with Dave Giard [https://twitter.com/#!/DavidGiard] for his Technology and Friends blog. We predominantly spoke about ASP.NET security and in particular, cryptographic storage of credentials and transport layer security so it’s a little more focussed than many of my talks. The original post is over on Dave’s blog under Episode 207: Tr...

A few weeks back there was a great document released by Verizon (yep, the big American telco) titled Verizon 2012 Data Breach Investigations Report [http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf] . This weekend at the OWASP Appsec Asia Pacifica Conference [https://www.owasp.org/index.php/AppSecAsiaPac2012], I sat in on a talk from Mark Goudie from Verizon [https://www.owasp.org/images/6/65/Mark_goudie.pdf] who helped put the whole report in...