What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2016-12-05 21:47:09 | Here\'s 1.4 billion records from Have I been pwned for you to analyse (lien direct) | I get a lot of requests from people for data from Have I been pwned (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer | |||
|
2016-12-05 06:10:27 | 43,203 Indian patient pathology reports were left publicly exposed by Health Solutions (lien direct) | I'm used to seeing large amounts of personal data left inadvertently exposed to the web. Recently, the Red Cross Blood Service down here left a huge amount of data exposed (well, at least the company doing their tech things did). Shortly afterwards, the global recruitment company Michael Page also lost | |||
|
2016-12-02 09:07:17 | Weekly update 11 (lien direct) | A bit of a quieter week this time blog wise, but a very busy week in terms of HIBP traffic. It went pretty nuts on Tuesday with a spike the scale I'd never seen before which made things, well, "interesting". I also put the word out about an "ask me | |||
|
2016-11-29 08:59:01 | Brief lessons on handling huge traffic spikes (lien direct) | Earlier today, Have I been pwned (HIBP) appeared on a British TV show called The Martin Lewis Money Show. A producer had contacted me about this last week: I Just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next | |||
|
2016-11-28 09:47:40 | It\'s Have I been pwned\'s birthday and I\'m doing a live streamed AMA (lien direct) | It's hard to believe it, but Sunday 4 December will mark 3 years since I launched Have I been pwned. A huge amount has happened in that time, not just for HIBP but for the industry and indeed for me personally. I certainly didn't expect it to become what it | |||
|
2016-11-25 08:20:03 | Weekly update 10 (lien direct) | This has been a mega week with a couple of pretty contentious blog posts which frankly, are the best kind! It gets so boring when everyone just nods and agrees... But seriously, the one on ad blockers in particular shows just what a mess we've gotten ourselves into and the | |||
|
2016-11-24 09:29:12 | Get "The Information Security Big Picture" on Pluralsight now! (lien direct) | If you're here reading this then it probably won't come as a big surprise but brace yourself anyway - we have a security problem. Yes, yes, I know, it's all very terrifying and not a day goes by where someone isn't getting cyber-something'd. As best I can tell from the | |||
|
2016-11-23 22:51:00 | Have I been pwned and spam lists of personal information (lien direct) | One of the things I'm finding with running Have I been pwned (HIBP) is that over time, my approach is changing. Nothing dramatic thus far, usually just what I'd call "organic" corrections in direction and usually in response to things I've learned, industry events or changes in the way people | |||
|
2016-11-22 09:55:03 | Handling people\'s personal data is sensitive business (lien direct) | Last week I wrote about how 8 million GitHub profiles were leaked from GeekedIn's MongoDB which is always a risk when you expose a DB with no auth whatsoever! For any other website, this would be a typical data breach scenario in that info that was meant to remain private | |||
|
2016-11-21 09:19:26 | Ad blockers are part of the problem (lien direct) | Earlier this year, I wrote about bad user experiences on websites and foremost among these were the shitty things some sites do with ads. Forbes' insistence that you watch one before manually clicking through to the story, full screen and popover ads and ads that would take over your screen | |||
|
2016-11-18 11:24:00 | Weekly update 9 (lien direct) | Lots on this week and I'm very happy to have finally got myself organised and set up an audio podcast feed. It's getting a heap of downloads already so obviously, people did actually want it and frankly, I'm sorry I didn't get it organised earlier! That and much more in | |||
|
2016-11-17 19:50:21 | 8 million GitHub profiles were leaked from GeekedIn\'s MongoDB - here\'s how to see yours (lien direct) | Let me make it crystal clear in the opening paragraph: this incident is not about any sort of security vulnerability on GitHub's behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service. My | |||
|
2016-11-17 08:25:40 | Data breach claims are often poorly researched, unsubstantiated and ultimately fake (lien direct) | I have multiple Yahoo data breaches. I have a Twitter data breach. I have Facebook data breaches. I know they are data breaches from those sources because people told me they are, ergo, they're data breaches. Except they're not - they're all fake. Problem is though, fake data breaches don't | Yahoo | ||
|
2016-11-15 20:53:40 | My weekly updates are now available as an audio podcast (lien direct) | I've been doing the weekly updates for a couple of months now and by all accounts, they've been very well-received. One of the early pieces of feedback I got though was that I should also publish them as an audio podcast so that people can listen to them in the | |||
|
2016-11-14 21:21:12 | Disqus\' mixed content problem and fixing it with a CSP (lien direct) | I write a blog with a lot of security things on it so understandably, it upsets me somewhat when my site throws security warnings:
I'd had a number of people report this and indeed I'd seen it myself, albeit transiently. Diving into the console, I found the source of the |
|||
|
2016-11-14 09:24:01 | New Pluralsight course: Exploring the Internet of Vulnerabilities (lien direct) | I've done a number of "Play by Play" courses for Pluralsight this year on a range of topics including Social Engineering with my mate Lars Klint, Deconstructing the Hack with my mate Gary Eimerman, Modernizing Your Deployment Strategy with Octopus Deploy with my mate Damo Brady and the latest one | |||
|
2016-11-11 07:13:53 | Weekly update 8 (the backyard edition) (lien direct) | Let's get this out of the way early - I did not shoot this video on a green screen! When I first watched it, I couldn't believe how amazing the picture quality was and the first thought I had when I saw it was the green screen one. The new | |||
|
2016-11-10 20:22:12 | The Capgemini leak of Michael Page data via publicly facing database backup (lien direct) | A couple of weeks ago I wrote about the leak of data from the Red Cross' Blood Service down here in Australia. Many people were shocked that you could have a situation where troves of personal data were obtainable not through any advanced hacking technique, but by merely downloading a | |||
|
2016-11-10 09:07:19 | Offshoring roulette: lessons from outsourcing to India, China and the Philippines (lien direct) | I've had this blog post in one form or another of draft for several years now. I hesitated to complete it, in part because at the best of times cultural observations can easily be misinterpreted and also in part because of the role I had in working with many outsourcing | |||
|
2016-11-04 07:50:01 | Weekly update 7 (the island edition) (lien direct) | Apparently, after doing several weekly updates from different locations across the globe, last week's one from my home office was rather boring. Now maybe that was just a noisy minority saying that, I don't know, but I thought I'd test the theory and this week I headed out on jet | |||
|
2016-11-03 08:51:46 | Ubiquiti all the things: how I finally fixed my dodgy wifi (lien direct) | I'm increasingly of the view that both my time and my sanity are worth more and more as the years progress. Particularly in my independent life, it really can be that black and white - if I can't work, it costs me money. Plus, I want to be happy and | |||
|
2016-11-02 11:48:42 | New Pluralsight Course: Modernizing Your Deployment Strategy with Octopus Deploy (lien direct) | Here's a little-known fact for folks that have only tuned in more recently: I had a life before doing security things. I know, it seems like a long time ago now, but there was a time where all the other things that go into the software development process were highly | |||
|
2016-11-01 08:17:30 | The public Have I been pwned API now has a Creative Commons Attribution license (lien direct) | We're now going on almost 3 years since I introduced the Have I been pwned (HIBP) API. In fact it was one of the first things I did after creating HIBP in the first place because I wanted to make the data as accessible as possible and create an ecosystem | |||
|
2016-10-31 09:32:42 | Apple\'s desensitisation of the human race to fundamental security practices (lien direct) | My son turned 7 earlier this month. I've been getting him into coding and teaching him the fundamentals of using a PC which I reckon is a pretty essential life skill these days. Part of that is helping him to understand the principal of secrets, namely he that should protect | |||
|
2016-10-29 00:54:11 | Weekly update 6 (lien direct) | I'm home! Ideally, I'd be home recovering from travel but it hasn't quite worked out that way, particularly with the Red Cross Blood Service having a massive data leak. I blogged abut that in some detail yesterday, but I wanted to talk about it in this week's update video and | |||
|
2016-10-28 01:08:40 | The Red Cross Blood Service: Australia\'s largest ever leak of personal data (lien direct) | I don't give blood as much as I should. My wife has a much better track record than me, regularly donating not just blood but plasma and platelets as well. I know this not just because it's the sort of thing we talk about, but because her data - along | |||
|
2016-10-24 10:03:07 | Here\'s everything that goes into a massive international speaking trip (lien direct) | International travel can look pretty glamorous from the outside and certainly it has its moments. But what many people don't tend to see (and indeed what's less interesting to share in 140 char tweets), is just how arduous it can be. So instead of just showing the good bits, I | |||
|
2016-10-21 05:27:53 | Weekly update 5 (A380 edition) (lien direct) | I'm on a plane! More importantly though, I'm on a plane home. I've had a massive few weeks and I'm now just hours away from getting home and seeing my family which makes me enormously happy. I thought I'd record this in-flight from London to Dubai for something different (although | |||
|
2016-10-17 08:43:25 | Here\'s how I handle online abuse (lien direct) | I originally wrote this post earlier on in the year. I honestly can't remember what the abuse was that led to it and frankly, that's probably for the best as its allowed me to re-read this and ensure it comes across as general advice rather than a knee-jerk | |||
|
2016-10-15 10:53:37 | Weekly update 4 (London edition) (lien direct) | Another week in another faraway place. Since the last update in Edinburgh I've spent a couple of days in Glasgow, a couple of days in the middle of that in Speyside, a couple of days in Copenhagen then a few nights in London. That's put me a day behind when | |||
|
2016-10-10 16:08:55 | Should you care about the quality of your neighbours on a SAN certificate? (lien direct) | We've all had bad neighbours before. Perhaps they were noisy, maybe the kids ran riot or they could have been just continually snaring all the visitor parking spots in your apartment building (bastards). But last week, someone popped up with another bad neighbour story which was quite different to usual. | |||
|
2016-10-08 10:30:24 | Handling Chinese data breaches in Have I been pwned (lien direct) | China is an immensely fascinating place for many reasons. It's geographically bigger than the US, it has almost double the population of Europe and it's had the world's largest economy for the majority of the last two thousand years. On the technology front, there are more internet users than the | |||
|
2016-10-07 05:58:23 | Weekly update 3 (Edinburgh edition) (lien direct) | Given this thing seems to have some traction and people are enjoying them, I'm going to keep these weekly update videos going. As I mentioned last week though, I'm now travelling so that makes this one a little bit different. I was in Edinburgh yesterday when I recorded this (I'm | |||
|
2016-10-05 09:31:05 | Here\'s how I deal with managed platform outages (lien direct) | The other day, my blog went down: Sorry folks, blog is down for a bit while @TryGhost puts out the fire pic.twitter.com/h3YAUc2gp0— Troy Hunt (@troyhunt) September 15, 2016 Now clearly I don't like my blog going down but hey, this is technology and sometimes it fails | |||
|
2016-09-30 09:16:43 | Weekly update 2 (lien direct) | So much to my surprise (honestly, I really didn't expect it), the weekly update I did last week was actually quite popular. People seem to like the short, casual form and it sounds like they're happy either sitting down and watching it or just listening to it in the background. | |||
|
2016-09-29 08:59:56 | New Pluralsight Course: Deconstructing the Hack (lien direct) | I was on another whirlwind trip back in July, this time to a bunch of spots in the US which included Chicago where Pluralsight has one of their offices. The last time I was there I'd recorded a "Play by Play" course which is video recorded rather than a screen | |||
|
2016-09-26 10:59:04 | 7 years of blogging and a lifetime later... (lien direct) | Exactly 7 years ago today, I wrote my first blog post titled Why online identities are smart career moves. That's a pretty self-explanatory title and I wrote it while gainfully employed in a job I'd been in for 8 years at the time, but it's worth a quick read as | |||
|
2016-09-23 09:16:05 | Something new: Weekly update 1 (lien direct) | I've had this idea in mind for a while to start capturing some video on a weekly basis about things that are topical and interesting but that I'm probably just not going to get around to blogging into detail. Writing is massively time consuming plus I reckon there's a bit | |||
|
2016-09-22 09:02:01 | Azure Functions in practice (lien direct) | I wrote recently about how Have I been pwned (HIBP) had an API rate limit introduced and then brought forward which was in part a response to large volumes of requests against the API. It was causing sudden ramp ups of traffic that Azure couldn't scale fast enough to meet | |||
|
2016-09-19 09:00:49 | I\'m now offering sponsorship of this blog (lien direct) | I have a love-hate relationship with ads, whether they be on my blog or anywhere else for that matter. I get that they're a necessity for many news outlets to keep providing the free information that we all want, but I also can't stand the way advertising has descended into | |||
|
2016-09-16 07:54:24 | Here\'s how broken today\'s web will feel in Chrome\'s secure-by-default future (lien direct) | Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting is browser warnings:
That's just one of many such examples I've called out in the past and frankly, I have about zero sympathy for those who are doing this |
|||
|
2016-09-13 09:46:57 | Someone just lost 324k payment records, complete with CVVs (lien direct) | I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I | |||
|
2016-09-05 06:14:00 | The "Have I been pwned" API rate limit has been brought forward - here\'s why (lien direct) | Three weeks ago today, I wrote about implementing a rate limit on the Have I been pwned (HIBP) API and the original plan was to have it begin a week from today. I want to talk more about why the rate limit was required and why I've had to bring | |||
|
2016-08-31 05:38:23 | The Dropbox hack is real (lien direct) | Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 | |||
|
2016-08-30 09:07:27 | CloudFlare, SSL and unhealthy security absolutism (lien direct) | Let's start with a quick quiz:
Take a look at haveibeenpwned.com (HIBP) and tell me where the traffic is encrypted between:
You see HTTPS which is good so you know it's doing crypto things in your browser, but where's the other end of the encryption? I mean at what |
|||
|
2016-08-29 09:15:52 | Protecting your embedded content with subresource integrity (SRI) (lien direct) | CDNs are good. You get to put your web things all over the world and then have them served to your global audience from a location close to them. For example, because this blog is served through CloudFlare and about two thirds of the requests to my site come direct | |||
|
2016-08-24 08:03:05 | Self-hosted vBulletin - you\'re doing it wrong! (and why you should be using managed hosting services) (lien direct) | Another day, another data breach: Full news on the GTAGaming breach is here: https://t.co/KuNSuol442 (vBulletin again)— Troy Hunt (@troyhunt) August 23, 2016 Yesterday it was a different one: vBulletin... "Epic Games: Information Regarding Recent Forum Compromise" https://t.co/YqQlSRbtLU— Troy Hunt (@troyhunt) | |||
|
2016-08-22 10:37:32 | Understanding account enumeration, the video tutorial edition (lien direct) | I've been running my Hack Yourself First workshop all over the world where I talk to software developers about various security risks which they then get to exploit firsthand. It's a lot of fun and very hands on and practical which inevitably means spending time looking at real world implementations | |||
|
2016-08-18 09:50:08 | Website enumeration insanity: how our personal data is leaked (lien direct) | I've just wrapped up a couple of Hack Yourself First workshops down closer to home in Australia and true to usual form, attendees found some absolute zinger security implementations. Previous workshops have found various vulnerabilities ranging from realestate.com.au's lack of HTTPS in their Android app (pro tip: don't | |||
|
2016-08-15 09:00:23 | The "Have I been pwned" API, rate limiting and commercial use (lien direct) | It's almost 3 years ago now that I launched the Have I been pwned (HIBP) API and made it free and unlimited. No dollars, no rate limits just query it at will and results not flagged as sensitive will be returned. Since then it's been called, well, I don't know |
To see everything:
Our RSS (filtrered)
