Category Archives: Weekly update

Weekly Update 174

We're in Norway! More specifically, Scott Helme and I are in Hafjell and recording this after a day on the snow before heading back to Oslo and the NDC Security conference next week. For now though, we're talking about some really screwy global roaming behaviour with telcos, the Danish gov coming onto HIBP, babies in data breaches and the takedown of We Leak Info. We'll do this again together next week from Oslo and then again the following week from NDC London. For now, here's the fireside version in Hafjell:

References

  1. Babies in data breaches - yep, babies (there are no limits on who can be breached these days)
  2. We Leak Info got taken down by a collection of law enforcement agencies (not particularly surprising given the way it was operated)
  3. It was a similar story for Leaked Source a couple of years ago (pro tip: cruising around in a bright green Lamborghini isn't exactly flying under the radar!)
  4. Sponsored by Shape – App Security & Fraud Summit. Join the Virtual Web Session: Protecting Against Compromised Credentials Before They Hit The Dark Web

Weekly Update 173

I really should have started the video about 3 minutes earlier. Had I done that, you'd have caught me toppling backwards into the frangipani tree whilst trying to position my chair and camera which, frankly, would have made for entertaining viewing. Instead, this week's update is focused primarily on a completely different epic fail, namely Surebet247's handling of a breach impacting their customers. I chose those words carefully as it now seems almost certain the breach was actually of BtoBet and I've linked to the story on that below. Regardless, have a listen to how the Nigerian gambling service handled the incident, holy shit...

References

  1. NDC is coming to Melbourne! (also check out the CFP if you're interested in delivering a talk)
  2. Do you have less, the same or more passwords now than 10 years ago? (also check out the second poll in the thread about what it'll be like in 10 years from now)
  3. Surebet247 set a new bar for bad breach handling (their behaviour on this is rather stunning)
  4. It looks like the source of the breach is almost certainly BtoBet (who also seem to be doing their damnedest not to just own up to it)
  5. Sponsored by Varonis. Check out their free video course: 7 Hidden Office 365 Security Settings You Can Only Unlock with PowerShell

Weekly Update 172

I couldn't get 2 days into the new decade without having to deal with ridiculous password criteria from Tik Tok followed by my phone automatically associating with what it thought was my washing machine whilst in a grocery store on the other side of the world (yep, you read that correctly). It somehow seems to just be reflective of how crazy online security is becoming in the modern era. On the plus side, Chrome is making some really positive changes to how it handles cookies so it's not all bad news. Hope you enjoy the first update of 2020 😊

References

  1. Trying to create a password on Tik Tok is... interesting (even their messaging is contradictory, let alone the craziness of the rules in the first place)
  2. So apparently I was browsing on my washing machine's SSID from a grocery store in Norway (yeah, welcome to the future...)
  3. Here's how the whole washing machine SSID thing panned out when I first connected to it (I have since never - not once - gotten any value out of it being connected)
  4. Sponsored by Varonis. Free Video Course: 7 Hidden Office 365 Security Settings You Can Only Unlock with PowerShell

Weekly Update 171

Sitting down to do this one today I thought it would be brief; it turns out a bit more ended up on the agenda than I expected. The GoGetSSL bit in particular was unfolding as I recorded and, to their credit, they later apologised for their "rude messages", which is a good sign. I still intend to finish writing up the blog post because the issues they've raised need tackling, but as with the Sophos example I also talk about, it's good to see a bit of humility (I've certainly been there myself before). All that plus the Turkish Crime Family aftermath and the Factual data (another data aggregator) in HIBP in this week's update.

References

  1. Sophos got their messaging wrong on padlocks and HTTPS, but fixed it immediately once people spoke up (good on them for that effort!)
  2. GoGetSSL got their messaging wrong on SSL over and over and over and over... (more to follow on this, I'll put it in a dedicated blog post)
  3. "The Turkish Crime Family" ringleader pleaded guilty to blackmailing Apple (time and time again, this turns out to be kids full of bravado)
  4. Back in 2017 I wrote about how the Turkish Crime Family data was pretty suspect (basically all came from another data breach)
  5. Sponsored by Varonis, check out their free video course: 7 Hidden Office 365 Security Settings You Can Only Unlock with PowerShell

Weekly Update 170

Monday: 40C and lapping up the Gold Coast sunshine. Wednesday: -8C and lapping up... Juicy IPA! I'm back in Oslo and catching up with the locals, including running a roundtable discussion for CSOs at Microsoft, visiting the Norwegian National Cyber Security Centre (recently onboarded to HIBP) and chatting with Forbrukerrådet, the Norwegian Consumer Council. Plus, there's an all new blog post on the long-overdue update to Scott Helme's and my little Why No HTTPS? project.

References

  1. Forbrukerrådet does some excellent work identifying risks to consumers (link to their findings from a couple of years ago around kids' tracking watches)
  2. Still why no HTTPS? There's still a heap of websites that need to lift their HTTPS game (see if you can lean on the biggest ones in your country)
  3. You can grab all the raw data for the aforementioned site from crawler.ninja (there's actually some really interesting stats in there, especially those sites with certs expiring in less than 24 hours)
  4. Sponsored by Varonis. Free Video Course: 7 Hidden Office 365 Security Settings You Can Only Unlock with PowerShell

Weekly Update 169

I recorded this right before heading out for my final conference talk of the year at YOW! Melbourne, where I was due to do the closing keynote of the event. That's now done, questions answered and beers drunk, and I left the event feeling great. One of the things I get the most pleasure out of at conferences is hanging around talking to people, so a big thanks to everyone who made the time today to stay back on a Friday evening and cap a very busy year of conferences off in this fashion. I'm going to leave that intro here, push this week's update, then do it all again (hopefully also on time!) a week from now.

References

  1. Why No HTTPS? is getting a complete update (new data, new ranking criteria, still not enough HTTPS!)
  2. Go home GoGetSSL, your ad is drunk! (this is just complete and utter rubbish)
  3. Oh look, a kid's tracking watch with serious security vulnerabilities! (this is such an alarmingly predictable trend now)
  4. Sponsored by: Whois XML API: The top domain WHOIS, DNS, IP and Threat Intelligence solution provider for MDR, SIEM, digital forensics, and threat hunting.

Weekly Update 168

I'm presently on the YOW! conference tour, which means doing the same keynote three times over in Sydney, Brisbane and Melbourne. It's my first time back at YOW! since 2015 and it's always a nice way to wrap up the year, especially the Brisbane leg I'm on at the moment in my home state. That's kept me busy, but it's some tweets last week that have kept me entertained, so I'm talking about those as well as some reflections on what is now 6 years of running HIBP.

Next update I'll try and push out a little earlier to align with YOW! in Melbourne and hopefully give myself a bit more downtime come the weekend.

References

  1. It's not just Let's Encrypt issuing certs to phishing sites (and that's fine, so let's stop throwing them under the bus for it)
  2. Plain text password storage - even generated ones - is wrong on many levels (the UX alone just doesn't make any sense)
  3. Big thanks to Whois XML API for sponsoring my blog this week! A lack of domain intelligence causes data breaches. Test their Security Enterprise API & Data Feed packages with free credits!

Weekly Update 167

It's summer! Yes, I know it's back to front for many of you, but Dec 1 means it's sunnier than ever here. Regardless, this week I've been at DDD in Brisbane, written about my 10 year old son Ari and me running kids' coding clubs in Oslo (cold) and London (rainy) next month, and the Swiss gov being on-boarded onto HIBP. Plus there's this week's sponsor IVPN and how tracking ain't tracking (that may be a bit of an old Aussieism). Next week I'll come to you from the YOW! conference somewhere else within the country.

References

  1. I'll be keynoting at YOW! Sydney, Brisbane and Melbourne over the coming couple of weeks (happy to be back there after a few years' hiatus)
  2. Come and join Ari and me teaching kids to code in Oslo and London next month (it's free, just bring a kid and a laptop)
  3. The Swiss gov is now on HIBP! (that makes 7, I'd love intros to more govs)
  4. Sponsored by IVPN. This ad is not tracking you, but most others do. Fight digital surveillance by blocking ads and web trackers on all your devices. (and no, they're not "tracking you" when you click that link!)