Category Archives: Weekly update

Weekly Update 143

Well this was a big one. The simple stuff first - I'm back in Norway running workshops and getting ready for my absolute favourite event of the year, NDC Oslo. I'm also talking about Scott's Hack Yourself First UK Tour where he'll be hitting up Manchester, London and Glasgow with public workshops. Tickets are still available at those and it'll be your last chance for a long time to do that event in the UK.

Then there's Project Svalbard. I think it'll come across in the video below, but putting a project I've poured my heart and soul into over the last 5 and a half years up for sale is a massive thing for me. There are so many emotions involved at so many levels and I really wanted to try and get that across in a more personable form than what the written word lends itself to. I hope I've done that, and I hope you enjoy listening to the back story of Project Svalbard. Here it is:

References

  1. Scott's public Hack Yourself First UK Tour is coming up (Manchester, London and Glasgow - get on it!)
  2. Project Svalbard (the big one - this is a long weekly update mostly about my decision to move HIBP into another organisation)
  3. Twilio is sponsoring my blog this week (learn what regulations like PSD2 mean for your business, and how Twilio can help you achieve secure, compliant transactions)

Weekly Update 142

I made it to the Infosecurity hall of fame! Yesterday was an absolutely unreal experience that was enormously exciting:

But that wasn't all, there was also the European Security Blogger awards a couple of days earlier:

And just a general absolutely jam-packed, non-stop week for both Scott and me. We talk about what we've been up to in London, Scott's weird cert adventures and a couple of massive data breaches back home in Australia. I'm publishing this just before I head off to Oslo so I'll come from there next week solo, then with Scott again the week after from the NDC conference. Until then, here's this week's update:

References

  1. Scott had a cert unexpectedly issued for one of his domains (interesting series of events that led to it, documented in that Twitter thread)
  2. Scott tweeted about a weird security decision by Emirate... and got into "Twitter trouble" (we only ever - ever - see this sort of behaviour online, never in person)
  3. Westpac's PayID was the target of a mass enumeration attack (apparently 100k Aussies had personal data exposed by this "feature")
  4. The Australian National University got seriously pwned (19 years worth of historical data - how much of that did they actually still need?)
  5. I'm sponsored by Varonis this week - watch their DFIR team investigate a cyberattack using their data-centric security stack

Weekly Update 141

Another week, another conference. This time, Scott and I have just wrapped up the AusCERT event which is my local home town conference (I can literally see my house from Scott's balcony). We're talking about the event, upcoming ones, Scott's Hack Yourself First UK tour, some funky default values in EV certs and then we head off down a rabbit hole of 2FA and people getting fired for failing simulated phishing tests. Next one from London next week!

References

  1. We've launched a bunch of hotel packages with the Hack Yourself First UK tour! (one price gets you access to the workshop and hotel accommodation in Manchester, London or Glasgow)
  2. Check out the mozilla.dev.security.policy forum for commentary on the default values in EV certs issue (it's an odd one, I'd still love to know how they got in there)
  3. People are actually getting fired for failing multiple simulated phishing attacks (I agree, this feels really dirty)
  4. Twilio is sponsoring my blog again this week (check out how easy it is to add 2FA to your app using Authy)

Weekly Update 140

I'm a day and a half behind with this week's update again - sorry! Thursday and Friday were solid with training in Melbourne so I recorded Saturday and am pushing this out in the early hours of Sunday before going wakeboarding - is that work / life balance? But there's been a hell of a lot going on, particularly around HIBP and I'll be talking a lot more about that in the weeks to come.

For now, I did actually get a post out this week and also found myself in a rather unexpected debate about password managers, biometrics and "fun". I spent quite a bit of time this week talking about that, and I'm curious to hear other people's thoughts on it too. Next week's update will be with Scott Helme again so if there's anything in particular you'd like to hear from him (us), drop me a note on it.

References

  1. Last week's update had some really off the mark comments about biometrics and password managers (still not sure whether that was spam or organic comments)
  2. Pwned Passwords did 16M requests in a day with a 99.4% cache hit ratio! (I expect that ratio will only go up as demand increases)
  3. PayPal's cert hasn't been showing EV in Chrome since September (which perfectly demonstrates why EV doesn't work as advertised)

Weekly Update 139

Per the beginning of the video, it's out late, I'm jet lagged, all my clothes are dirty and I've had to raid the conference swag cupboard to even find a clean t-shirt. But be that as it may, I'm yet to miss one of these weekly vids in the 2 and a half years I've been doing them and I'm not going to start now! So with that very short intro done, here's this week's and I'll try and be a little more on the ball for the next one.

References

  1. Google is having some issues with the U2F keys they recommend for their Advanced Protection Program (but seriously, this is a pretty minor issue)
  2. I'm definitely still recommending this approach for locking down Google accounts (that's my piece from November on how to get it all set up)
  3. Forbes had some Magecart script running on their site (interesting breakdown by @bad_packets)
  4. Let's Encrypt's CT log is now up and running (with support from Sectigo too so kudos to them for that, it's a very different approach to the old Comodo)
  5. I'm up for some European Blogger Awards again! (I'd love your votes folks 😎)
  6. Twilio is sponsoring my blog again this week (check how to implement 2FA in your app with Authy)

Weekly Update 138

After a mammoth 30-hour door-to-door journey, I'm back in the USA! It's Minnesota this week and I've just wrapped up a couple of days of Hack Yourself First workshop followed by the opening keynote at NDC followed by PubConf. All great events but combined with the burden of travel, all a bit tiring too (plus, it turns out that emails don't stop coming in when you're busy...) There's a real crypto theme to this week's update courtesy of some of the contents in my keynote, a really ridiculous article on PC Mag I came across and a lovely meeting with a few of the folks from Let's Encrypt. There's also a follow-up to the video I promised to include in this blog post...

After recording this piece, I went and checked what had changed on that PC Mag article about certs. As expected, it turns out it was just promotional content on Sectigo, specifically changing the name from Comodo and also changing some of the content. Here's a diff of the archive.org version from earlier this month versus today:

Gotta keep that "good reputation"! Still in the PC Mag article:

  1. "you're probably best off clicking away from [sites using DV certs] as fast as you can"
  2. "most modern web browsers will indicate that an EV certificate is being used by showing a green Uniform Resource Locator (URL) bar"
  3. "You usually get what you pay for"

To be clear too: archive.org shows a few edits of that article in October and November last year then nothing until the 6th of May which is the day I tweeted this:

You can see why this sort of thing is so frustrating to folks like Scott and me; imagine what it's like for people actually trying to figure out what certificate they should acquire! Anyway, all that and more in this week's update:

References

  1. I'm doing another Hack Yourself First workshop in New York next week (we've still got tickets available for that one, kicks off on Monday!)
  2. PC Mag did an absolute hatchet piece on certificates full of disinformation and clearly motivated by commercial desires (I've linked to my tweet as the ensuing discussion makes for "entertaining" reading)
  3. Some people remain insistent on arguing about Let's Encrypt's success to the fullest extent possible (but they're easily debunked arguments, which brings me to the next point...)
  4. Let's Encrypt certs are now used by 38% of the Alexa Top 1M sites serving content over HTTPS (that's based on Scott's nightly crawler stats)
  5. There's some real upsides to having phishing sites served over HTTPS (that's Scott's piece from Jan last year)
  6. Varonis is sponsoring my blog this week (they're talking about insider threats again, courtesy of the course I made for them 🙂)

Weekly Update 137

It's the last one from home for a few weeks, both for Scott and myself. Whilst I head off to the US for a couple of weeks, he's back home to the UK before other Europe travel then we'll both end up back on the Gold Coast in a few weeks time before the AusCERT conference.

This week, we're talking about how kids are so good at circumventing things like parental controls and how maybe - just maybe - talking to your kids and using some social techniques is a better (or at least complementary) approach to hard controls. Partly as a result of that tweet, we're also discussing the rampant negativity we seem to constantly face by a small minority on Twitter. It's minor in numbers, but increasingly carries a mental weight (see the link below for context). Plus there's Trustico. Ah, Trustico, just have a listen and see what you think...

References

  1. My 9-year old found a clever way to circumvent iOS' parental controls (imagine what it's like for the average person trying to understand this stuff...)
  2. We're both confounded by the unnecessary ongoing negativity folks on Twitter seem intent on espousing (I'm linking to this one because it's a perfect example of injecting negativity into an otherwise happy, joyful tweet)
  3. Trustico has some really shady marketing going on with their certs (that's a link to Scott's post smashing the screwy - make sure you search for "nerdville"!)
  4. Twilio are sponsoring my blog this week, check out what you can do with Authy to add 2FA to your site (this is dead easy - do it!)

Weekly Update 136

Scott is still here with me on the Gold Coast lapping up the sunshine before NDC Security next week so I thought we'd do this week's video next to the palm trees and jet ski 😎 But, of course, there's still a heap of stuff happening that's worthy of discussion, everything from the UK gov's NCSC doing good work to the Reply All podcast I was on this week to new data breaches to the ongoing shenanigans involving kids "smart" watches. And oh boy, the communications strategies of a couple of these in particular is just absolutely woeful. All that and more in this week's update.

Oh - and right after I published this, I noticed some crazy static for about 14 seconds at the 27:15 mark. Sorry - I'd republish it but I'd be looking at about 2 hours to re-render and re-upload and this is already going out a couple of hours late so, yeah, sorry!

References

  1. The NCSC has published a list of the worst 100k passwords you can now go and download (these came from HIBP's Pwned Passwords list and are available to download in the clear)
  2. The Pwned Passwords API has really grown in usage lately (10.5M hits a day with a 98.4% cache hit ratio courtesy of Cloudflare)
  3. I was on the Reply All podcast again this week (these guys rock - listen to this podcast at every opportunity!)
  4. TicTokTrack is back online per the schedule they represented last week, but apparently the Sri Lanka bombings meant they were back online... when they said they would be? (that's a link to the original story, their PR process has been absolutely terrible)
  5. There are some very shady communications coming from SPACETALK in the wake of the TicTokTrack incident (seriously guys, when is ambulance chasing ever looked on as a good thing?!)
  6. Varonis is sponsoring my blog this week and giving you access to their free "Enemy Within" course (written by me!)
  7. And whilst we're talking insider threats, let us not forget the man who outsourced his job to China (6 years old now, still kinda stupid and hilarious at the same time)

Weekly Update 135

It's another episode with Scott Helme this week as he's back in town for NDC Security on the Gold Coast (still got a week to get those tickets, folks!) The timing actually works out pretty well as there was this week's announcement around Let's Encrypt's transition of their root cert which is right up his alley. There's also the whole TicTokTrack kids watch situation which aligns very well with many of both our prior experiences. And just on that, when we recorded the video they were planning on getting the service back up and running that day (Thursday Aus time when we recorded). Turns out that didn't happen and frankly, kudos to them for taking a little more time to get things right:

All that and more in this week's update:

References

  1. We're at NDC Security on the Gold Coast week after next (Scott's doing the World's Best TLS Training, I'm doing Hack Yourself First)
  2. Let's Encrypt's transition to ISRG root (that post of Scott's went to number 1 on Hacker News so good work on that mate!)
  3. TicTocTrack had an absolute zinger of an IDOR vulnerability (they're not the only watch in this class to have serious flaws either)
  4. Twilio are sponsoring my blog this week, big thanks to them! (check out how you can use Authy to add 2FA to your app)

Weekly Update 134

That's the second update in a row I've done on time! It's also another one with a bunch of other things in common with last week, namely commentary on yet more data breaches. It's not just the breaches in HIBP, but the ones I'm busily trying to disclose. This is really sucking a lot of time right now and frankly, well, I summed it up here earlier in the week:

But it's the right thing to do and I'm going to keep at it, even if it means loading data without the organisations involved responding (it certainly won't be the first time). I also go on a bit of a rant about devices and services targeted at monitoring kids and as I say in the video, you'll see precisely why this is such a big issue for me probably next week or the week after. Stay tuned for that one and for now, here's this week's vid:

References

  1. I've got 3 different NDC events with workshops coming up over the next month:
    1. Gold Coast
    2. Minnesota
    3. New York
  2. Knuddles got themselves a €20k fine for their breach (which is now in HIBP)
  3. I ranted on about how crazy the security and privacy implications are for a whole bunch of products and services targeted at monitoring kids (do read - and please share - that thread, here's a Facebook version of it too)
  4. Varonis is sponsoring my blog again this week and they have an excellent free course on insider threats (ok, I may be a little biased on that...)

Weekly Update 133

Wow, a weekly update back on the normal schedule! I also realised when watching this back how much less tired I look compared to the last few weeks. Travel takes its toll so I touched on that a bit in this week's update, along with the usual raft of new data breaches to go into HIBP. Plus there's Facebook's incidents, both the one they're not directly responsible for and the one they are responsible for, but is also both a bit of a non-event and something that's reflective of broader issues in the industry.

Next week should be bang on schedule again and with any luck, I'll look even less tired again 😎

References

  1. Here's everything that goes into a massive international speaking trip (people always publicly share the good stuff in their lives, this is the warts and all version)
  2. Stop hosting forum software yourself! (that was specifically targeted at vBulletin, I later also wrote about my broader approach to platform outages when I'm not responsible for them)
  3. The Intelimost breach has a really interesting write-up by Zack Whittaker (and it's kinda fun to see sleazy spammers come undone!)
  4. It's not Facebook's fault that 3rd party developers exposed a bunch of data from their APIs (but there's still a discussion to be had about how much data Facebook should be exposing in the first place)
  5. It is Facebook's fault that they were asking for people's email account passwords (although in practical terms, it also doesn't particularly matter)
  6. Twilio is this week's blog sponsor (they're talking about how 2FA helps secure online transactions and helps comply with regs like PSD2 )

Weekly Update 132

From last week's update in Seattle to home to Sydney to back home and a late update (again). But regardless, I'm committed to continuing the cadence of doing these updates each week and 132 of them in, I'm yet to miss a week.

This week it's a combination of more of the same (travel, events and data breaches), as well as more thoughts on the future of HIBP and Cloudflare's role when it comes to nasty content online. That last one in particular is a really tricky discussion and it's one that tends to come back to the surface after events that cause us to reflect on the nature of online speech that, whilst legal, we all (well, almost all) just don't want being online. I'm not sure exactly what the answer is that allows us to have both the freedoms and safety we want, but I do think that acknowledging the issues on both sides of that debate is important. All that and more this week; next week will be another update from home and with any luck, one that puts me back on the usual Friday schedule.

References

  1. I've got a bunch of events coming up in the US, Europe and Israel (that's a complete list of all the public 2019 events)
  2. I'm being inducted into the Infosecurity Hall of Fame in London (this is pretty cool, I'm really looking forward to the event in June!)
  3. Tens of millions of more records went into HIBP this week (the Twitter feed lists them all, including how many unique addresses were found)
  4. The Cloudflare issue around what they should censor is a really dicey one (that link goes back to issues with the Daily Stormer in 2017 and is worth re-reading in light of recent events)
  5. Varonis is this week's blog sponsor (check out their live cyber attack workshop)
  6. I've created a bunch of training for Varonis in the past you can access for free (ransomware, insider threats and GDPR, amongst other topics)

Weekly Update 131

So firstly, sorry for the audio quality. I'm pretty damn frustrated with those Instamics right now between the flaky firmware upgrade process and the unexpected loss of recording today. I'll make sure I get on top of it for next time.

I'm sitting at the gate in Seattle right now about to board so I'm going to cut this intro short and jump straight into the vid. Here's this week's which has a bunch of different things in it I found interesting including the usual raft of data breaches and other industry bits and pieces. Gotta fly, enjoy!

References

  1. I'm doing a keynote for Akamai in Sydney on Thursday (hear more from me on data breaches and cyber-things)
  2. And another NDC meetup in Sydney that night (we packed these out in Brisbane and Sydney so register quickly for this one if you want to come along)
  3. The owner of Exactis wasn't real happy about the impact of their data breach on his business (yeah, the people whose data they sold weren't real happy either...)
  4. Elsevier looks like they logged a bunch of passwords in plain text (who would do that... oh, wait...)
  5. Facebook looks like they logged a bunch of passwords in plain text (they join Twitter and GitHub from last year in doing the same thing)
  6. Never ever, ever, ever install spyware on the devices of anyone you actually care about (seriously, how often are we going to go down this path?!)
  7. Twilio is sponsoring my blog again this week (they're talking 2FA with Authy, something you definitely want to look into if you're building any sort of auth system)

Weekly Update 130

Well that was a hell of a week of travel. Seriously, the Denver situation was just an absolute mess but when looking at the video from the day I was meant to fly in, maybe being stuck in LA wasn't such a bad thing after all:

But despite the dramas I did still (just) make it and got to do my talk so as close as it was, I'm still yet to miss one. This week I'm talking about a bunch of different travel things, upcoming events, data breaches and those ridiculous bloody cookie warnings everyone hates so much. Next week I'll be in Seattle and will probably also be pushing the update out a little late, but I will still be pushing it out. Until then, here's the week that was:

References

  1. I'll be keynoting at the Akamai Security Summit World tour in Sydney (it's on Thursday 28 of this month)
  2. Then I'll be doing another NDC meetup in Sydney (like Brisbane and Melbourne, that event will be oversubscribed so get in early)
  3. ixigo denies a breach (but resets everyone's passwords anyway...)
  4. These cookie warnings are absolutely ridiculous (they always were, but GDPR just continues the insanity)
  5. Ad blockers are also part of this whole problem (killing all ads - even those run responsibly - just makes the whole thing even worse)
  6. Varonis is this week's blog sponsor (watch their DFIR team investigate a cyberattack using their data-centric security stack)

Weekly Update 129

Heaps of stuff going on this week with all sorts of different bits and pieces. I bought a massive new stash of HIBP stickers (10k oughta last... a few weeks?), I'll be giving them out at a heap of upcoming events, I was on the Darknet Diaries podcast (which is epic!) plus there's more insights into the ShareThis data breach and the ginormous verifications.io incident. Oh - and Udemy is still pirating my content, here's the tweet if you'd like to let them know how you feel about that:

Next week I'll be coming from the US, either Denver or New York depending on how time goes. I'm sure not much will happen between now and then...

References

  1. I was on the Darknet Diaries podcast about the RockYou data breach (add this one to your regular list, Jack does a fantastic job of it)
  2. The ShareThis breach had people in there who never expected to be in there (that's a link to last week's weekly update, check out the comments there for more info)
  3. There's now 763 million more records in HIBP (you didn't give your data to verifications.io and neither did I, but they left it all sitting there open to the world)
  4. Udemy has got a long history of pirating and selling other people's content (no, they're not like YouTube, not unless they want to drop the facade of being a platform with quality content)
  5. Twilio is sponsoring my blog again this week (check out their stuff on implementing 2FA, it can be dead easy)

Weekly Update 128

I'm not intentionally pushing these out later than usual, but events over the last few weeks have just been such that it's worked out that way. This one really is a short one though as there hasn't been a lot of newsworthy stuff going on this week, other than the new Instamics I picked up which are rather cool. The audio recording did work well (I mentioned in the video I wasn't sure if it was functioning correctly), and it's pretty damn good quality for what it is. Certainly better than my old Rode lapel mic, but obviously not up to the standard of the Electro-Voice I use for professional recording.

Next week I expect I'll be a little more organised and have some more content but until then, here's a succinct 14 minutes worth of what's new on my side:

References

  1. I bought some Instamics (these are very cool units, but the firmware update process is worrying)
  2. We've got a free NDC meetup in Melbourne soon (Brisbane sold out early and Melbourne looks like doing the same)
  3. We're bringing NDC to New York! (I'll be there doing workshops and talks)
  4. I loaded the Dubsmash data breach into HIBP (also just pushed the button on ShareThis)
  5. Varonis is sponsoring my blog this week (more from them on their DFIR team investigating a cyberattack)

Weekly Update 127

It was another travel week so another slightly delayed weekly update, but still plenty of stuff going on all the same. Along with a private Sydney workshop earlier on, I'm talking about some free upcoming NDC meetup events in Brisbane and Melbourne that I'd love to get a great turnout for. I've just ordered 10k more HIBP stickers to last me through upcoming events so they'll be coming with me.

In other news, there was old news appearing as new news about how hosed you are if your machine is compromised, with the level of hosing extending to your password manager. This will inevitably be another one of these times where something gets blown out of proportion (and context) in some of the news headlines, then we'll all go back to more sane discussions about assessing relative risks, likelihoods and impacts. There's also a very steady feed of breaches making their way into HIBP after appearing for sale on dark web marketplaces so I give a bit of an update on those as well.

All that and more this week in a slightly shorter form than usual, enjoy!

References

  1. Catch me in Brisbane next week at the NDC meetup (free, and very close to capacity already)
  2. Or catch me in Melbourne a couple of weeks later for the NDC meetup there (that event has just gone up so there's tickets left, but there's also strong interest)
  3. Order yourself some Have I Been Pwned stickers (and help me by using the referral code in that blog post so I can buy more to give away at events)
  4. Twilio is sponsoring my blog this week (they're talking about how easy it is to use Authy for 2FA instead of risky SMS)

Weekly Update 126

Another week, another conference. This time it was Microsoft Ignite in Sydney and as tends to happen at these events, many casual meetups, chats, beers, selfies, delivery of HIBP stickers and an all-round good time, albeit an exhausting one. That's why I'm a day late this week having finally arrived home late last night.

Moving on though, I've got a bunch of other events coming up, particularly in conjunction with the folks at NDC. Brisbane in a couple of weeks, Gold Coast in April then Minnesota in May. Oh - plus Oslo in June and stretching out beyond that, Sydney in October. The link in the references below about how conferences can help keep speakers happy (or piss them off, as it may be), explains why I keep doing these events. All that plus more data breach news and my thoughts on the subsequent lists of credential stuffing data.

References

  1. I'm doing a free user group in Brisbane for NDC on Thursday 28 Feb (this will be a really casual presentation, Q&A and fun night out)
  2. Speaking of NDC, the show will be on in my home town of the Gold Coast in late April (that's a dedicated security event which Scott Helme will be down for too)
  3. Speaking of NDC, I'll also be at NDC Minnesota in May (Hack Yourself First workshop and a shiny keynote)
  4. The reason I keep doing NDC events is because they don't do any of these things! (that's the 10 things conferences do to upset their speakers)
  5. A heap of new data was leaked earlier on in the week (EyeEm has since been loaded into HIBP)
  6. And then even more data breaches were announced a couple of days ago (I'll obviously be keeping an eye out for those too)
  7. All these new data breaches are already starting to make the debate around credential stuffing collections a memory (but as I explain in that post, I think we're past hyping every single one of them up)