Category Archives: Weekly update

Weekly Update 152


I made it out of Vegas! That was a rather intense 8 days and if I'm honest, returning to the relative tranquillity of Oslo has been lovely (not to mention the massive uptick in coffee quality). But just as the US to Europe jet lag passes, it's time to head back to Aus for a bit and go through the whole cycle again. And just on that, I've found that diet makes a hell of a difference in coping with this sort of thing:

This week it's almost all about commercial CAs and their increasingly bizarre behaviour. It's disappointing to see disinformation and privacy violations from any organisations, but when it's from the ones literally controlling trust on the web it's especially concerning. Maybe once they're no longer able to promote EV in the way they have been that will change, but I have a feeling we've got a bunch more crap to endure yet. See what you think about all that in this week's update:


References

  1. Reminder: If you're using the HIBP API to search for email addresses, get yourself onto V3 ASAP! (you've got 2 days until the old versions die)
  2. Chegg had 40M accounts breach with unsalted MD5 password hashes! (it was April last year, now it's searchable in HIBP)
  3. Extended Validation Certificates are (Really, Really) Dead (I've been saying it for ages, but both Chrome and Firefox have really nailed it now)
  4. DigiCert is rejecting the proposal to reduce maximum certificate lifespans (uh, except for that post a few years ago when they thought it was a good idea...)
  5. Sectigo leaked the personal info of a do-gooder which resulted in him receiving a threatening letter (there's all kinds of things gone wrong here)
  6. Big thanks to strongDM for sponsoring my blog over the last week! (see why Splunk's CISO says "strongDM enables you to see what happens, replay & analyze incidents. You can't get that anywhere else")

Weekly Update 151


Well that's Vegas done. 8 days of absolutely non-stop events that have now pretty much robbed me of my voice but hey, I got a flying cow! Scott and I both spent BSides, Black Hat and DEF CON doing "hallway con" or in other words, wandering around just meeting people. The personal engagement you get from these ad hoc meetups really can't be beat and I appreciate everyone who took the time to come over and say hi. Just a sample of our week is below:


References

  1. Just in case these events seem like nothing but glamour, a quick reminder of what goes into a long trip like this (pretty sure that's still my longest blog post ever...)
  2. The Canva data breach is now in HIBP and it's massive! (137M unique email addresses with 44% of them already in HIBP)
  3. The StockX breach went in today and it's "only" 6.8M records (but also MD5 password hashes in 2019, seriously...)
  4. Big thanks to strongDM for sponsoring my blog over the last week! (see why Splunk's CISO says "strongDM enables you to see what happens, replay & analyze incidents. You can't get that anywhere else")

Weekly Update 150


Vegas! I'm a bit late with this week's update but I thought I'd catch up with Scott Helme and do the video together. We're talking about the events in Vegas, the ongoing Project Svalbard process, some very screwy messaging about certificates from Sectigo and the Irish government coming on board HIBP. Next week we'll do another one from Vegas and talk about what the events of the week here were like.


References

  1. Sectigo made some pretty wild claims about EV certs (read the tweet thread by Scott)
  2. The subsequent rebuttals by David from Sectigo are worth reading (although they still don't justify the earlier claims IMHO)
  3. The Irish government is now using HIBP to monitor all their domains (they now join the UK, Australia, Spain and Austria)
  4. Big thanks to strongDM for sponsoring my blog over the last week! (see why Splunk's CISO says "strongDM enables you to see what happens, replay & analyze incidents. You can't get that anywhere else")

Weekly Update 149


What. A. Week.

I've been in San Fran meeting with a whole bunch of potential purchasers for HIBP and it's been... intense. Daunting. Exciting. It's actually an amazing feeling to see my "little" project come to this where I'm sitting in a room with some of the most awesome tech companies whilst flanked by bankers in suits. I try and give a bit of insight into that in this week's video, keeping in mind of course that I'm a bit limited by how much detail I can go into right now. As the process unfolds I'll share more, but hopefully this will give you a little taste of what I'm going through at present.


References

  1. Our password hashing has no clothes (SHA-1 as a password storage mechanism was pretty useless 7 years ago, yet here we still are)
  2. 38% of requests to the HIBP API are already using the authenticated V3 version (that was 44% when I checked it a day later)
  3. Password manager adoption rates are as low as 0.09% (so what does that tell you about how people are creating passwords?)
  4. Shape Security is sponsoring my blog this week (Captcha is no longer enough, they're talking about how Shape Connect blocks automation & improves security instantly, with a 30 minute implementation)
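The "password hashing has no clothes" point above, and the unsalted MD5 storage called out for Chegg and StockX in the earlier updates, come down to one property: a fast, unsalted hash can be reversed with a table that is computed once and reused against every account in the dump. The following is an added example written for this page (not HIBP's or any breached site's code, and the "breach dump", wordlist and account names are constructed for the demonstration). It cracks a constructed unsalted MD5 dump with a single precomputed table, then shows why the same wordlist attack against a salted, deliberately slow KDF has to start over for every account:

```python
import hashlib
import hmac
import os

# Constructed sample breach for this example: four accounts whose passwords
# were stored as unsalted MD5, the scheme the Chegg and StockX entries describe.
# A real dump contains only the hex digests; here they are derived from known
# plaintexts so the demonstration is self-contained.
SAMPLE_PASSWORDS = {
    "alice@example.com": "password",
    "bob@example.com": "123456",
    "carol@example.com": "password",  # same password as alice
    "dave@example.com": "correct horse battery staple",
}

# Stand-in for a cracking wordlist; real ones run to hundreds of millions of entries.
WORDLIST = ["letmein", "123456", "qwerty", "password", "iloveyou"]


def make_unsalted_dump(passwords, algo="md5"):
    """Store passwords the way the breached sites did: one fast, unsalted hash each."""
    return {email: hashlib.new(algo, pw.encode()).hexdigest()
            for email, pw in passwords.items()}


UNSALTED_MD5_DUMP = make_unsalted_dump(SAMPLE_PASSWORDS)


def crack_unsalted(dump, wordlist, algo="md5"):
    """Reverse an unsalted fast-hash dump with a precomputed lookup table.

    The table is built once for the whole dump; each account then costs a
    single dictionary lookup. Returns (cracked accounts, hashes computed).
    Works identically for SHA-1 (algo="sha1"): the speed of the hash and the
    absence of a salt are the problem, not the particular algorithm.
    """
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


# The alternative: a per-user salt plus a deliberately slow KDF (stdlib PBKDF2
# here; Argon2id or bcrypt would be the usual choice where a library is available).
ITERATIONS = 100_000  # work factor; tune so one hash takes ~100 ms on your hardware


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(store, wordlist):
    """Attack the salted store. No shared table is possible: every account's salt
    forces the wordlist to be hashed again, so the cost is accounts x words, and
    each hash costs roughly ITERATIONS times one MD5."""
    cracked, work = {}, 0
    for email, stored in store.items():
        for word in wordlist:
            work += 1
            if verify_password(stored, word):
                cracked[email] = word
                break
    return cracked, work


if __name__ == "__main__":
    cracked, work = crack_unsalted(UNSALTED_MD5_DUMP, WORDLIST)
    print(f"unsalted MD5: {len(cracked)}/{len(UNSALTED_MD5_DUMP)} cracked with {work} hashes")
    salted_store = {e: hash_password(p) for e, p in SAMPLE_PASSWORDS.items()}
    cracked, work = crack_salted(salted_store, WORDLIST)
    print(f"salted PBKDF2: {len(cracked)}/{len(salted_store)} cracked with {work} slow hashes")
```

Two things to notice when running it: alice and carol share a password and therefore share an MD5 digest, so one table hit cracks both (and the dump itself leaks who shares passwords), whereas their PBKDF2 records differ because of the salt; and the unsalted attack's cost is the size of the wordlist regardless of how many accounts are in the dump, which is what makes a 40M-record MD5 dump cheap to reverse.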

Weekly Update 148


It's the last one from Norway before heading off to the US and diving into the deep end of the Project Svalbard pool followed by Black Hat and DEF CON in Vegas. That's off the back of the last week being focused on pushing out Pwned Passwords V5, loading several hundred million new records worth of new data breaches and finally launching something I've been very excited about for a long time now: auth on the HIBP API. I spend most of this week's update talking about that because it's such an important feature and I especially wanted to make it clear why there's now literally a financial price to pay for entry. All that and more in this week's update.


References

  1. Chrome 77 Canary presently has the EV indicator dropped (we always knew this was coming, can we please stop the EV FUD now?)
  2. Pwned Passwords V5 has finally hit! (I spoke about it last week so only touch on it briefly this time)
  3. I've loaded a slew of new breaches into HIBP (the data just doesn't stop coming, that's a link through to the Twitter timeline announcing all the new ones)
  4. The HIBP API now requires authentication (this is a massive change in many ways, do make sure you watch and read if you're using it)
  5. Shape Security is sponsoring my blog this week (Captcha is no longer enough, they're talking about how Shape Connect blocks automation & improves security instantly, with a 30 minute implementation)

Weekly Update 147


So "Plan A" was to publish Pwned Passwords V5 on Tuesday but a last-minute check showed control characters had snuck in due to the quality (or lack thereof) of the source data. Scratch that and go to "Plan B" which was to push them out today but a last-minute check showed that my "improved" export script had screwed up the encoding and every single hash was wrong. "Plan C" is now to push them out on the weekend with everything working correctly. Hopefully. If I don't screw anything up again...

The constant challenge I've faced over the last few years is the massive amount of multi-tasking required to do all the things I'm presently doing. I touched on this in my Project Svalbard blog post and it goes a long way to explaining why HIBP needs to grow up into a larger organisation. I quite literally need people to remove the horizontal tabs and get the encoding right; it's such a simple thing but it's so easy to screw up when you're stretched too thin.

Enough about that, this week I'm also talking about Scott's upcoming public Glasgow workshop, more data breaches, Namecheap's faux pas and EVE Online's great security work they've very generously shared publicly.


References

  1. Scott will be running my Hack Yourself First workshop in Glasgow next week (this is the last stop on the UK tour, get in while you still can!)
  2. Someone also created a website dedicated to him (seems legit!)
  3. The Zhenai breach from 2011 added another 5M records to HIBP (I'm still working through a ridiculously long backlog of breaches...)
  4. I called Namecheap to account for a very misleading post on SSL (to their credit, they've now pulled the piece)
  5. EVE Online published some great material on how they're doing their security things (it's not just the practices I think are great, it's the fact that they're happy to talk about them publicly so that other companies can benefit too)
  6. Shape Security is sponsoring my blog this week (Captcha is no longer enough, they're talking about how Shape Connect blocks automation & improves security instantly, with a 30 minute implementation)

Weekly Update 146


After a very non-stop Cyber Week in Israel, I'm back in Oslo working through the endless emails and other logistics related to Project Svalbard. In my haste this week, I put out a really poorly worded tweet which I've tried to clarify in this week's video. On more positive news, the Austrian government came on board HIBP and my MVP status got renewed for the 9th time. I also wanted to talk this week about some of the stats from HIBP I've been preparing as part of the acquisition. There's a bunch of really interesting numbers in there (for me at least) and rather than just keeping them locked away in an information memorandum, I thought I'd share them with everyone in this week's update.


References

  1. The Austrian government is now using HIBP to monitor all gov domains across the country (they join the UK, Australia and Spain in utilising this free service)
  2. My MVP status has been renewed, now going into year 9! (this program has been a real defining part of my career)
  3. Shape Security is sponsoring my blog this week (Captcha is no longer enough, they're talking about how Shape Connect blocks automation & improves security instantly, with a 30 minute implementation)

Weekly Update 145


Something totally new this week - Israel! I spent the week in Tel Aviv at Cyber Week, a massive infosec conference where I shared the keynote stage with an amazing array of speakers including many from three letter acronym departments and even PM Benjamin Netanyahu. It's funny how on the one hand an event like this can be so completely different to the very familiar NDC Oslo scene I was in just last week yet by the same token, I'm up there talking about all the same stuff and doing my usual thing.

This week, I'm talking about Israel, the Cyber Week event and how things are tracking with Project Svalbard (spoiler - bloody busy!). I also get a ticket from the traffic cops for riding an electric scooter on a footpath so yeah, that's a new one for me...


References

  1. I spent an afternoon in Jerusalem (link through to my Facebook pics, what an amazing place...)
  2. Plus, the better part of 4 days in Tel Aviv (posted more pics on the way to the airport at stupid o'clock this morning)
  3. TripAdvisor has been resetting a bunch of customers' passwords when found in a data breach (precisely what Scott and I were talking about last week in terms of many other companies proactively using breach data)
  4. strongDM is this week's blog sponsor (Use your SSO to grant or revoke access to any database, server, or k8s)

Weekly Update 144


So first things first - my patience for the Instamics we're wearing just reached zero. One of them recorded and one of them didn't which means we've had to fall back to audio captured by the iPhone I was recording from so apologies it's sub-par. I ended up just uploading the unedited clip direct from the phone because frankly, after trying to recover the non-existent audio both my time and patience were well into the red.

Be that as it may, there's video, audio and a narrative to tell both around the NDC event Scott and I are at and the progress of "Project Svalbard". I'm trying to share as much as I can about that process as things progress and I hope people appreciate the transparency I've always run HIBP with. As I say in the video, if you've got questions about it then drop them in the comments section below.


References

  1. Scott wrote about maintaining state in a Cloudflare worker (this is a fundamental part of how we're able to process 670M reports a day!)
  2. Check out how much HIBP trended in searches in January (yes, that's a direct map to my stress levels and yes, I will send stickers to anyone who creates that site I mentioned!)
  3. Project Svalbard is forging ahead (it's becoming increasingly demanding, but it's also a very exciting time)
  4. Varonis is sponsoring my blog again this week (check out their Varonis DFIR team investigating a cyberattack using their data-centric security stack)

Weekly Update 137


It's the last one from home for a few weeks, both for Scott and myself. Whilst I head off to the US for a couple of weeks, he's back home to the UK before other Europe travel then we'll both end up back on the Gold Coast in a few weeks' time before the AusCERT conference.

This week, we're talking about how kids are so good at circumventing things like parental controls and how maybe - just maybe - talking to your kids and using some social techniques is a better (or at least complementary) approach to hard controls. Partly as a result of that tweet, we're also discussing the rampant negativity we seem to constantly face by a small minority on Twitter. It's minor in numbers, but increasingly carries a mental weight (see the link below for context). Plus there's Trustico. Ah, Trustico, just have a listen and see what you think...


References

  1. My 9-year old found a clever way to circumvent iOS' parental controls (imagine what it's like for the average person trying to understand this stuff...)
  2. We're both confounded by the unnecessary ongoing negativity folks on Twitter seem intent on espousing (I'm linking to this one because it's a perfect example of injecting negativity into an otherwise happy, joyful tweet)
  3. Trustico has some really shady marketing going on with their certs (that's a link to Scott's post smashing the screwy - make sure you search for "nerdville"!)
  4. Twilio are sponsoring my blog this week, check out what you can do with Authy to add 2FA to your site (this is dead easy - do it!)

Weekly Update 136


Scott is still here with me on the Gold Coast lapping up the sunshine before NDC Security next week so I thought we'd do this week's video next to the palm trees and jet ski 😎 But, of course, there's still a heap of stuff happening that's worthy of discussion, everything from the UK gov's NCSC doing good work to the Reply All podcast I was on this week to new data breaches to the ongoing shenanigans involving kids "smart" watches. And oh boy, the communications strategies of a couple of these in particular is just absolutely woeful. All that and more in this week's update.

Oh - and right after I published this, I noticed some crazy static for about 14 seconds at the 27:15 mark. Sorry - I'd republish it but I'd be looking at about 2 hours to re-render and re-upload and this is already going out a couple of hours late so, yeah, sorry!


References

  1. The NCSC has published a list of the worst 100k passwords you can now go and download (these came from HIBP's Pwned Passwords list and are available to download in the clear)
  2. The Pwned Passwords API has really grown in usage lately (10.5M hits a day with a 98.4% cache hit ratio courtesy of Cloudflare)
  3. I was on the Reply All podcast again this week (these guys rock - listen to this podcast at every opportunity!)
  4. TicTokTrack is back online per the schedule they represented last week, but apparently the Sri Lanka bombings meant they were back online... when they said they would be? (that's a link to the original story, their PR process has been absolutely terrible)
  5. There are some very shady communications coming from SPACETALK in the wake of the TicTokTrack incident (seriously guys, when is ambulance chasing ever looked on as a good thing?!)
  6. Varonis is sponsoring my blog this week and giving you access to their free "Enemy Within" course (written by me!)
  7. And whilst we're talking insider threats, let us not forget the man who outsourced his job to China (6 years old now, still kinda stupid and hilarious at the same time)
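The Pwned Passwords usage figures above (and the 98.4% cache hit ratio in particular) follow from how the API is queried: the client hashes the password with SHA-1, sends only the first 5 hex characters of the digest to the range endpoint, and gets back every suffix in that range with its breach count, so the full hash never leaves the client. With 16^5 (a little over a million) possible prefixes, the whole response set is small enough for an edge cache to hold, which is what lets Cloudflare answer most of those 10.5M daily hits without touching the origin. Below is an added example of that client-side check written for this page; it is not HIBP's own client code, the range response body and its counts are constructed (the real range for this prefix holds several hundred entries), and the live fetch function is included for completeness but not exercised offline:

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_range_parts(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Zero-count lines are padding (returned when the client sends the
    Add-Padding: true request header so that response sizes do not reveal
    which range was queried) and are dropped.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Fetch one range from the real service. Not exercised by the offline demo below."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_live):
    """Return how often the password appears in Pwned Passwords (0 if not found)."""
    prefix, suffix = sha1_range_parts(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API response to the range "5BAA6", which is the
# prefix of SHA-1("password"). Every suffix except the one for "password", and
# every count including that one, is made up for the example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E9A3B1F0F2D4A2C7F8A6E5D4C3B2A10000:0
4B1A55ABFB3EA3FB7E4E9B6D8C3D2A1F5E6:12
"""


def offline_fetch(prefix):
    """Fetcher that serves only the constructed range above (empty for other prefixes)."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch)} times")
```

To use it against the live service, call `pwned_count(password)` with the default fetcher; the only data that goes over the wire is the 5-character prefix, and a non-zero result means the password should be rejected (or the user warned), which is exactly the check the NCSC's top-100k list lets you do offline for the most common passwords.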

Weekly Update 135


It's another episode with Scott Helme this week as he's back in town for NDC Security on the Gold Coast (still got a week to get those tickets, folks!) The timing actually works out pretty well as there was this week's announcement around Let's Encrypt's transition of their root cert which is right up his alley. There's also the whole TicTokTrack kids watch situation which aligns very well with both of our prior experiences. And just on that, when we recorded the video they were planning on getting the service back up and running that day (Thursday Aus time when we recorded). Turns out that didn't happen and frankly, kudos to them for taking a little more time to get things right:

All that and more in this week's update:


References

  1. We're at NDC Security on the Gold Coast week after next (Scott's doing the World's Best TLS Training, I'm doing Hack Yourself First)
  2. Let's Encrypt's transition to ISRG root (that post of Scott's went to number 1 on Hacker News so good work on that mate!)
  3. TicTocTrack had an absolute zinger of an IDOR vulnerability (they're not the only watch in this class to have serious flaws either)
  4. Twilio are sponsoring my blog this week, big thanks to them! (check out how you can use Authy to add 2FA to your app)

Weekly Update 134


That's the second update in a row I've done on time! It's also another one with a bunch of other things in common with last week, namely commentary on yet more data breaches. It's not just the breaches in HIBP, but the ones I'm busily trying to disclose. This is really sucking a lot of time right now and frankly, well, I summed it up here earlier in the week:

But it's the right thing to do and I'm going to keep at it, even if it means loading data without the organisations involved responding (it certainly won't be the first time). I also go on a bit of a rant about devices and services targeted at monitoring kids and as I say in the video, you'll see precisely why this is such a big issue for me probably next week or the week after. Stay tuned for that one and for now, here's this week's vid:


References

  1. I've got 3 different NDC events with workshops coming up over the next month:
    1. Gold Coast
    2. Minnesota
    3. New York
  2. Knuddles got themselves a €20k fine for their breach (which is now in HIBP)
  3. I ranted on about how crazy the security and privacy implications are for a whole bunch of products and services targeted at monitoring kids (do read - and please share - that thread, here's a Facebook version of it too)
  4. Varonis is sponsoring my blog again this week and they have an excellent free course on insider threats (ok, I may be a little biased on that...)

Weekly Update 133


Wow, a weekly update back on the normal schedule! I also realised when watching this back how much less tired I look compared to the last few weeks. Travel takes its toll so I touched on that a bit in this week's update, along with the usual raft of new data breaches to go into HIBP. Plus there's Facebook's incidents, both the one they're not directly responsible for and the one they are responsible for, but is also both a bit of a non-event and something that's reflective of broader issues in the industry.

Next week should be bang on schedule again and with any luck, I'll look even less tired again 😎


References

  1. Here's everything that goes into a massive international speaking trip (people always publicly share the good stuff in their lives, this is the warts and all version)
  2. Stop hosting forum software yourself! (that was specifically targeted at vBulletin, I later also wrote about my broader approach to platform outages when I'm not responsible for them)
  3. The Intelimost breach has a really interesting write-up by Zack Whittaker (and it's kinda fun to see sleazy spammers come undone!)
  4. It's not Facebook's fault that 3rd party developers exposed a bunch of data from their APIs (but there's still a discussion to be had about how much data Facebook should be exposing in the first place)
  5. It is Facebook's fault that they were asking for people's email account passwords (although in practical terms, it also doesn't particularly matter)
  6. Twilio is this week's blog sponsor (they're talking about how 2FA helps secure online transactions and helps comply with regs like PSD2)

Weekly Update 132


From last week's update in Seattle to home to Sydney to back home and a late update (again). But regardless, I'm committed to continuing the cadence of doing these updates each week and 132 of them in, I'm yet to miss a week.

This week it's a combination of more of the same (travel, events and data breaches), as well as more thoughts on the future of HIBP and Cloudflare's role when it comes to nasty content online. That last one in particular is a really tricky discussion and it's one that tends to come back to the surface after events that cause us to reflect on the nature of online speech that whilst legal, we all (well, almost all) just don't want being online. I'm not sure exactly what the answer is that allows us to have both the freedoms and safety we want, but I do think that acknowledging the issues on both sides of that debate is important. All that and more this week, next week will be another update from home and with any luck, one that puts me back on the usual Friday schedule.


References

  1. I've got a bunch of events coming in the US, Europe and Israel (that's a complete list of all the public 2019 events)
  2. I'm being inducted into the Infosecurity Hall of Fame in London (this is pretty cool, I'm really looking forward to the event in June!)
  3. Tens of millions of more records went into HIBP this week (the Twitter feed lists them all, including how many unique addresses were found)
  4. The Cloudflare issue around what they should censor is a really dicey one (that link goes back to issues with the Daily Stormer in 2017 and is worth re-reading in light of recent events)
  5. Varonis is this week's blog sponsor (check out their live cyber attack workshop)
  6. I've created a bunch of training for Varonis in the past you can access for free (ransomware, insider threats and GDPR, amongst other topics)

Weekly Update 131


So firstly, sorry for the audio quality. I'm pretty damn frustrated with those Instamics right now between the flaky firmware upgrade process and the unexpected loss of recording today. I'll make sure I get on top of it for next time.

I'm sitting at the gate in Seattle right now about to board so I'm going to cut this intro short and jump straight into the vid. Here's this week's which has a bunch of different things in it I found interesting including the usual raft of data breaches and other industry bits and pieces. Gotta fly, enjoy!


References

  1. I'm doing a keynote for Akamai in Sydney on Thursday (hear more from me on data breaches and cyber-things)
  2. And another NDC meetup in Sydney that night (we packed these out in Brisbane and Sydney so register quickly for this one if you want to come along)
  3. The owner of Exactis wasn't real happy about the impact of their data breach on his business (yeah, the people whose data they sold weren't real happy either...)
  4. Elsevier looks like they logged a bunch of passwords in plain text (who would do that... oh, wait...)
  5. Facebook looks like they logged a bunch of passwords in plain text (they join Twitter and GitHub from last year in doing the same thing)
  6. Never ever, ever, ever install spyware on the devices of anyone you actually care about (seriously, how often are we going to go down this path?!)
  7. Twilio is sponsoring my blog again this week (they're talking 2FA with Authy, something you definitely want to look into if you're building any sort of auth system)

Weekly Update 130


Well that was a hell of a week of travel. Seriously, the Denver situation was just an absolute mess but when looking at the video from the day I was meant to fly in, maybe being stuck in LA wasn't such a bad thing after all:

But despite the dramas I did still (just) make it and got to do my talk so as close as it was, I'm still yet to miss one. This week I'm talking about a bunch of different travel things, upcoming events, data breaches and those ridiculous bloody cookie warnings everyone hates so much. Next week I'll be in Seattle and will probably also be pushing the update out a little late, but I will still be pushing it out. Until then, here's the week that was:


References

  1. I'll be keynoting at the Akamai Security Summit World tour in Sydney (it's on Thursday the 28th of this month)
  2. Then I'll be doing another NDC meetup in Sydney (like Brisbane and Melbourne, that event will be oversubscribed so get in early)
  3. ixigo denies a breach (but resets everyone's passwords anyway...)
  4. These cookie warnings are absolutely ridiculous (they always were, but GDPR just continues the insanity)
  5. Ad blockers are also part of this whole problem (killing all ads - even those run responsibly - just makes the whole thing even worse)
  6. Varonis is this week's blog sponsor (watch their DFIR team investigate a cyberattack using their data-centric security stack)

Weekly Update 129


Heaps of stuff going on this week with all sorts of different bits and pieces. I bought a massive new stash of HIBP stickers (10k oughta last... a few weeks?), I'll be giving them out at a heap of upcoming events, I was on the Darknet Diaries podcast (which is epic!) plus there's more insights into the ShareThis data breach and the ginormous verifications.io incident. Oh - and Udemy is still pirating my content, here's the tweet if you'd like to let them know how you feel about that:

Next week I'll be coming from the US, either Denver or New York depending on how time goes. I'm sure not much will happen between now and then...


References

  1. I was on the Darknet Diaries podcast about the RockYou data breach (add this one to your regular list, Jack does a fantastic job of it)
  2. The ShareThis breach had people in there who never expected to be in there (that's a link to last week's weekly update, check out the comments there for more info)
  3. There's now 763 million more records in HIBP (you didn't give your data to verifications.io and neither did I, but they left it all sitting there open to the world)
  4. Udemy has got a long history of pirating and selling other people's content (no, they're not like YouTube, not unless they want to drop the facade of being a platform with quality content)
  5. Twilio is sponsoring my blog again this week (check out their stuff on implementing 2FA, it can be dead easy)

Weekly Update 128


I'm not intentionally pushing these out later than usual, but events have just been such over the last few weeks that it's worked out that way. This one really is a short one though as there hasn't been a lot of newsworthy stuff going on this week, other than the new Instamics I picked up which are rather cool. The audio recording did work well (I mentioned in the video I wasn't sure if it was functioning correctly), and it's pretty damn good quality for what it is. Certainly better than my old Rode lapel mic, but obviously not up to the standard of the Electro-Voice I use for professional recording.

Next week I expect I'll be a little more organised and have some more content but until then, here's a succinct 14 minutes worth of what's new on my side:


References

  1. I bought some Instamics (these are very cool units, but the firmware update process is worrying)
  2. We've got a free NDC meetup in Melbourne soon (Brisbane sold out early and Melbourne looks like doing the same)
  3. We're bringing NDC to New York! (I'll be there doing workshops and talks)
  4. I loaded the Dubsmash data breach into HIBP (also just pushed the button on ShareThis)
  5. Varonis is sponsoring my blog this week (more from them on their DFIR team investigating a cyberattack)

Weekly Update 127


It was another travel week so another slightly delayed weekly update, but still plenty of stuff going on all the same. Along with a private Sydney workshop earlier on, I'm talking about some free upcoming NDC meetup events in Brisbane and Melbourne that I'd love to get a great turnout for. I've just ordered 10k more HIBP stickers to last me through upcoming events so they'll be coming with me.

In other news, there was old news appearing as new news about how hosed you are if your machine is compromised with the level of hosing extending to your password manager. This will inevitably be another one of these times where something gets blown out of proportion (and context) in some of the news headlines then we'll all go back to more sane discussions about assessing relative risks, likelihoods and impacts. There's also a very steady feed of breaches making their way into HIBP after appearing for sale on dark web marketplaces so I give a bit of an update on those as well.

All that and more this week in a slightly shorter form than usual, enjoy!


References

  1. Catch me in Brisbane next week at the NDC meetup (free, and very close to capacity already)
  2. Or catch me in Melbourne a couple of weeks later for the NDC meetup there (that event has just gone up so there's tickets left, but there's also strong interest)
  3. Order yourself some Have I Been Pwned stickers (and help me by using the referral code in that blog post so I can buy more to give away at events)
  4. Twilio is sponsoring my blog this week (they're talking about how easy it is to use Authy for 2FA instead of risky SMS)

Weekly Update 126


Another week, another conference. This time it was Microsoft Ignite in Sydney and as tends to happen at these events, many casual meetups, chats, beers, selfies, delivery of HIBP stickers and an all-round good time, albeit an exhausting one. That's why I'm a day late this week having finally arrived home late last night.

Moving on though, I've got a bunch of other events coming up particularly in conjunction with the folks at NDC. Brisbane in a couple of weeks, Gold Coast in April then Minnesota in May. Oh - plus Oslo in June and stretching out beyond that, Sydney in October. The link in the references below about how conferences can help keep speakers happy (or piss them off, as it may be), explains why I keep doing these events. All that plus more data breach news and my thoughts on the subsequent lists of credential stuffing data.


References

  1. I'm doing a free user group in Brisbane for NDC on Thursday 28 Feb (this will be a really casual presentation, Q&A and fun night out)
  2. Speaking of NDC, the show will be on in my home town of the Gold Coast in late April (that's a dedicated security event which Scott Helme will be down for too)
  3. Speaking of NDC, I'll also be at NDC Minnesota in May (Hack Yourself First workshop and a shiny keynote)
  4. The reason I keep doing NDC events is because they don't do any of these things! (that's the 10 things conferences do to upset their speakers)
  5. A heap of new data was leaked earlier on in the week (EyeEm has since been loaded into HIBP)
  6. And then even more data breaches were announced a couple of days ago (I'll obviously be keeping an eye out for those too)
  7. All these new data breaches are already starting to make the debate around credential stuffing collections a memory (but as I explain in that post, I think we're past hyping every single one of them up)

Weekly Update 125

I'm back home! It was an amazing trip in many ways, not least of which was the time it gave both Scott and myself to reflect on workload and managing lives which can be a bit of a never-ending series of commitments. To that effect, I've been backing off Twitter a bit and as I say in this update, I very quickly remembered why after a couple of short engagements yesterday. But moving forward, it's Microsoft Ignite in Sydney next week and that should be a great event, plus I'm talking about Google's Password Checkup extension and the other credential stuffing list "collections" I keep getting asked about. On that last point, I explain my hesitation with them in the video so for those curious about my opinion, hopefully this helps shed some light on things.


References

  1. As much as people may disagree with me online, I've never had a physical or even verbal confrontation in person (that's a link to an incident that panned out very differently for the bloke involved)
  2. Microsoft Ignite is in Sydney next week (I'll be there doing a bunch of different things, come by and say hi if you're around)
  3. Google launched their Password Checkup tool (if this helps people improve their personal security, I'm all for it!)
  4. Twilio is sponsoring my blog this week (they're talking about the PSD2 reg in the EU)

Weekly Update 124

I'm pumping this weekly update out a little bit later, pushing it just before I get on the plane back home to Australia. I've just wrapped up a week in London with Scott doing all things NDC including a couple of days of workshops and a couple of talks each. We discuss that, and how the UK seems to have an odd infatuation with doing anything that could even remotely be deemed a health and safety risk.

On a more serious note, we talk about the emotional toll of the things we do, namely the never-ending charging forward with projects like Report URI and HIBP, along with the training, conference talks and what seems like a never-ending pit of emails. I really want to talk more about this in future because whilst I don't personally feel like I'm suffering from burn-out, I can see how that would be the inevitable conclusion of doing too much of this for too long. As I say in the video, I (and Scott) welcome all comments on this.


References

  1. The January NDC events are behind us, but the next one I'll be at is extra cool 😎 (home town on the Gold Coast, this was sensational last year, hoping to see a bunch of Aussie friends there)
  2. Varonis is sponsoring my blog this week (watch their DFIR team investigate a cyberattack using their data-centric security stack)

Weekly Update 123

So it's been a bit of a crazy week. I got onto the plane in Australia on Thursday evening just as Europe was waking up to the news of the 773M email address credential stuffing list I loaded into HIBP. And then the flood began; blog comments, emails, tweets - it was an absolute deluge. I spent the flight fielding the ones I could, landed in Oslo and dealt with more on the way up the mountain then frankly, got there and tuned out. Out of office on, blog comments closed and tweets ignored. This trip was planned downtime with my son and good friends and I really needed it.

In this week's update, I talk about the coverage of that event with Scott Helme while sitting in Oslo during a break in our workshops. We also talked about what frankly, became a bit of a spectacle: the VLC debate about serving updates over HTTP. I'll link to that in the references below and you can hear Scott's and my thoughts on it there. Next week, we'll both be in London at the NDC conference so Scott will join me again for another update then.


References

  1. That 773M email address credential stuffing list (this post so clearly laid out all the facts, there was absolutely no room left for misinterpretation)
  2. The Hacker News piece on VLC serving updates over HTTP got way out of control (this escalated way too quickly and became a pretty negative spectacle to watch)
  3. Twilio is sponsoring my blog this week (they're talking about using Authy to add 2FA to your app)