Category Archives: Weekly update

Weekly Update 122

Presently sponsored by: Live Workshop! Watch the Varonis DFIR team investigate a cyberattack using our data-centric security stack

And then there was the biggest data breach to go into HIBP ever! I wrote that sentence from home just after publishing all the data, then I got on a plane...

Holy cow that's a lot of emails! Hundreds upon hundreds of emails came in whilst on the way to Dubai, more than I'll ever be able to respond to. Plus, I'm actually trying to have some downtime with my son on this trip particularly over the next few days so a bunch of stuff is going to have to go unanswered or at best, delayed. Mind you, a heap of them were asking questions already addressed in the blog post, but that's just the nature of the internet.

What I will say is that if you're interested in more details on this incident, do read the comments. It'll give you a sense of the way this sort of thing impacts everyday people, and it'll also give you a sense of the sort of comments I have to deal with after these incidents...

References

  1. I'm going to be in Oslo next week (Hack Yourself First workshop and NDC Security conference)
  2. Then in London the week after that (Hack Yourself First workshop and NDC conference)
  3. And I'll be in Denver for SnowFROC in March (cyber-something keynote 🙂)
  4. That 733M record breach (oh boy, this thing was a mammoth processing job!)
  5. Varonis is sponsoring my blog this week (they're talking about their DFIR team investigating cyberattacks)

Weekly Update 121

Well, it's one more sunny weekly update then snow time again so I've gone particularly beachy today. I'm also particularly breachy, talking about a massive combo list I'm presently pondering for inclusion in HIBP. These lists are frequently used for account takeover attacks against the likes of Spotify which is the subject of this week's blog post. Plus, I'm talking a bit about a bunch of Ubiquiti bits I'll be installing soon to fix the problem seen below:

Oh - and I did end up heading out on the water with Kevin Mitnick, albeit on the boat. I think it's alright. Maybe...

References

  1. In case you missed it, here was my first foray into Ubiquiti (tl;dr - consumer grade gear sucks so I went totally overboard and couldn't be happier 🙂)
  2. Spotify hasn't been breached (people will argue who's responsible, but at the very least let's agree on the mechanics of what's happened)
  3. Twilio are sponsoring this week's blog post (remember, they own Authy and there's some pretty good content on that link about how to use it to set up 2FA on your site)

Weekly Update 120

And then it was 2019. Funny how quickly it gets away from you: someone posted on my 2018 retrospective blog post this week and asked why I didn't include my congressional testimony and, if I'm honest, it took me a bit to think about why as well (it was in 2017). But we're here now so it's back to business as usual blog wise.

This week is dominated by the personal finance lessons blog post. This has gotten massive traction this week and has been read by tens of thousands of people. But perhaps what surprises me most is that out of all the feedback I've had, there's only been one negative comment. O-n-e. Frankly, I'm not even sure he actually absorbed the content as the comment was very specifically addressed in the post, but that forms one little part of everything I cover in this week's update. I also touch on the aforementioned 2018 retrospective which I've been doing these last few years as a little reminder of what I've been up to.

This is (probably?) the longest weekly update I've done so far and I do hope it helps add a bit more personality and context to that finance blog post. Do please continue to share feedback and ask questions, I've really enjoyed seeing people get motivated by it.

References

  1. If you're working in tech, you're in a better position than just about anyone to have a fantastic financial position (and even if you're not in tech, I hope there's a lot of valuable content here)
  2. My 2018 was surprisingly similar to my 2017 in many ways (but hidden within the travel stats was a lot more time spent with my family)
  3. DigiCert is sponsoring my blog this week, and they're talking about the impact of quantum computing on crypto (this is a genuinely fascinating aspect of infosec)

Weekly Update 119

I'm home! And it's a nice hot Christmas! And I've got a new car! And that's where the discussion kinda started heading south this week. As I say in the video, the reaction to my tweet about it was actually overwhelmingly positive, but there was this unhealthy undercurrent of negativity which was really disappointing to see. Several other non-related events following that demonstrated similar online aggressiveness and I don't know if it was a case of too much eggnog or simply people having more downtime to be dicks online, but it was a really odd spate of bad behaviour.

Be that as it may, I hope there's some useful content in this one but I do appreciate the car bit in particular may not be relevant to a lot of people. In case you want to skip it, that bit starts at about the 3-minute mark and goes until the 28-minute mark. For those that do watch it, I hope you enjoy something a little bit different this week whether you agree with my choice or not 🙂

References

  1. It's a new car! (that's the tweet with the pics and all the likes, but if you dig far enough, you'll see a negative undercurrent too)
  2. The Tesla is a great car, but it's not for everyone (some people just look for different things in a car, and that's absolutely fine)
  3. Scott Helme got himself blocked while trying to understand the barriers to HTTPS adoption (if it wasn't for the fact this is becoming an alarming trend amongst those pushing back against secure connections, it would be unremarkable)
  4. I got myself chastised for saying this is an alarming trend! (seriously people, the issue here is people ignorantly blocking people like Scott, not people saying that being ignorant is ignorant!)
  5. Scott wrote a good piece on how to actually implement HTTPS and remain compatible with non-supporting clients (this is where we should be - talking about technical solutions - leave the emotional baggage at home)
  6. The HTTPS discussion is reminiscent of Scott's anti-vaxxers post (discard the science, block out the expert voices)
  7. I've got a post I'm working on about fundamental financial lessons for tech people (there's a heap of support in that tweet and I'm really excited about publishing it on Monday!)
  8. Tech Fabric are sponsoring my blog this week (a big thanks to those guys for supporting me over the course of 2018, check them out for scalable, reliable and secure cloud native apps)

Weekly Update 118

And that's it for Canada. I recorded this Saturday morning local before heading out for last runs with the family. It's been fun but as I just tweeted sitting here in the airport:

This week I'm talking about my new (free!) Pluralsight course, yet more data breaches, some really wacky Spotify attitudes towards passwords, a cool new Report URI feature we're looking for beta testers on and introducing an all new sponsor - strongDM. That's it from Canada, it's off to a hot Aussie Christmas now and the next few days will come from sunny home 😎

References

  1. It's a new Pluralsight course ("Managing the Modern Software Dependency Ecosystem")
  2. Spotify would like you to DM them your password (multiple operators asked for this in different ways, although Spotify did later tweet that they were looking into this practice)
  3. We're looking for people willing to test a cool new Report URI feature (DMARC reporting is pretty neat!)
  4. strongDM are an all new sponsor! (put your SSO to good work to grant access to servers and DBs, and audit a whole bunch of different activities in your environment)

Weekly Update 117

I'm in Whistler! And as I say at the start of this video, I did seriously consider having a week off these videos, but I found a comfy spot by the fire and a cold beer and all was good in the world again. This week has some updates on my Canada travels, a couple of data breaches I loaded during the week, new HIBP stickers and some really screwy password practices at HSBC. I'll still be here in Whistler next week so will pump out one more snowy update before heading home for a hot Christmas.

References

  1. The worker safety HIBP sticker is pretty cool ("The user has worked __ days without having being pwned")
  2. HSBC has a rather odd approach to password validation ("Customers can enter additional characters on their password and it will be accepted as a successful logon. We don’t classify this as a security risk")
  3. Netsparker is sponsoring my blog again this week (I'm a long-time user of their security scanner and they've been a great sponsor this year - thanks guys!)

Weekly Update 116

I'm on countdown to take-off for the next 2 and a bit weeks so I'm going to keep this intro really short because it's sitting between me and a relaxing cold one (as soon as the bags are ready). Heaps of services got pwned, Australia has a screwy set of circumstances (and reactions) around a cyber bill and HIBP had a 5th birthday celebration which resulted in stickers and a really fun live AMA video. That's it for now - next week's update comes from the snow!

References

  1. We've all been scraped (66M people had their data exposed after it was scraped off LinkedIn)
  2. My data was included (This will give everyone a good sense of what sort of stuff was exposed about them)
  3. The Australian Assistance and Access bill was passed (that's a link to Patrick Gray's Risky Business podcast - listen to that episode, he does a much better job of explaining it than anyone else I've heard from about the 10:30 mark)
  4. Stickers! And an AMA! (it's all there, enjoy the HIBP birthday celebrations 🎂)
  5. Gold Security is sponsoring my blog this week (another big thanks to a sponsor that's been featured many times this year now)

Weekly Update 115

I'm pushing this out a day late so firstly, apologies for the break in what's otherwise a pretty steady cadence. But having said that, as I say at the start of this video I've really been struggling with work / life balance lately. As such, I recorded this Thursday evening then spent most of Friday on the jet ski with my son. We balanced out a lot of work on this trip 😎

Getting back to business as usual, I was in Sydney for a day trip during the week, I'm off to Canada in a week from today, example.com forgot to renew their cert, there was a massive new breach to go into HIBP and York City Council seriously screwed up their handling of a very ethical security report. Oh - and the massive Marriott / Starwood breach only came to light Saturday morning my time so it didn't get a mention this week, I'll see if there's anything worth covering off next week. For now, here's this week's update and I'll come to you once more next week before heading off to waaay colder times:

References

  1. Data and Leads had a massive 44M record breach (yet another data aggregator trading all personal info by the look of it)
  2. York council - wow! (that thread summarises what happened and how they dealt with it)
  3. DigiCert is sponsoring my blog this week (they're talking PKI and securing IoT)

Weekly Update 114

It's a no-blog week, but that doesn't mean any less is happening! This week, I've finally wrapped up the Lego Bugatti, got myself into the new iPad, connected my washing machine (I know, I know, I didn't plan it this way!) and then isolated it on a separate IoT network. What a time we live in... Oh - and speaking of times we live in, our data is getting thrown around the place like never before thanks to data aggregators and their constant breaches and frankly, I'm a bit fed up with it. All that and more in this week's update.

References

  1. Get yourself some real cheap Pluralsight! (that's $100 off an annual subscription right there - one third!)
  2. My new iPad Pro arrived this week (mostly positive experiences, bar a couple of little complaints)
  3. I accidentally discovered our washing machine is... connected (that links to the tweet thread of a walkthrough of getting it connected)
  4. "Adapt" is the latest data aggregator to suffer a breach (we've got a bunch more coming to HIBP very soon)
  5. Tech Fabric is sponsoring my blog again this week (they're building scalable, reliable and secure cloud native apps - thanks guys!)

Weekly Update 113

Bit of a change of scenery this week; I've gone to the other end of the house whilst invasive palm tree roots are water blasted out from beneath my office window as part of our garden renos. But hey, that's a nice place to be on a day like this 😎

Other than the location, it's business as usual. There's been some interesting discussion on biometrics this morning, I'm appealing to developers of extensions and add-ons to whitelist themselves when a CSP is present and I'm talking about Google's U2F implementation. That last one in particular has had a heap of traction so appears to have struck a bit of a chord. Checking out Google Analytics, it looks like it made it to the front page of Hacker News and whilst I always take those comments with a grain of salt, it's nice to see it getting air time.

References

  1. Let's retain some pragmatism when talking about biometric auth (that's a link to my Face ID piece from last year; still relevant today)
  2. We need to get extension and add-on developers whitelisting themselves in CSPs (not doing so breaks their tools and floods site owners with invalid reports)
  3. Google U2F implementation for 2FA is very slick! (particularly for the tech folks, you definitely want to get in on this)
  4. Netsparker is sponsoring my blog again this week (I've been a long-time fan of their work, check 'em out!)