Troy Hunt

NOVEMBER 2, 2018

New data breaches, dramas with account recovery, some great ICO password guidance, reflections on conferences past and the latest updates to Scott Helme's and my "Why No HTTPS?" Then again, it's hard not to when I get the itch.

Data breaches 157

Data breaches Passwords Accountability 157

Malwarebytes

AUGUST 4, 2021

By secure, I mean that they didn’t use HTTPS. Sites you bought goods from tended to use HTTPS so your credit card number couldn’t be intercepted as it traversed the Internet. People would often say that it wasn’t really dangerous if blogs or information sites weren’t using HTTPS. But random blogs? Not so much.

Encryption 94

Encryption Surveillance Internet Internet 94

Troy Hunt

JULY 12, 2018

Even the government has been pushing to drive adoption of HTTPS for all sites, for example in this post by the National Cyber Security Centre in the UK : all websites should use HTTPS, even if they don't include private content, sign-in pages, or credit card details. Is it needed? Does it do any good? What's it actually protecting?

DNS 276

DNS Wireless Risk Banking 276

Troy Hunt

JULY 31, 2018

We're already seeing some sites on the Day 1 list go HTTPS (although frankly, if the site is that large and they've done it that quickly then I doubt it's because of our list), and really, that's the best possible outcome of this project - seeing websites drop off because an insecure request is now redirected to a secure one. So what gives?

Accountability 126

Accountability Insurance Banking Media 126

Troy Hunt

NOVEMBER 25, 2020

I also looked at custom firmware and soldering and why, to my mind, that was a path I didn't need to go down at this time. In part 2 , I covered IP addresses and the importance of a decent network to run all this stuff on, followed by Zigbee and the role of low power, low bandwidth devices. Now for the big challenge - security.

IoT 358

IoT Firmware Risk Manufacturing 358

Troy Hunt

MARCH 10, 2021

This is why Zero Trust has become such a buzzword in recent years. The challenge is to establish a baseline of security posture around things like acceptable passwords such that it doesn't get in the way of good security decisions whilst still providing useful protection for those who don't know any better.

Passwords 349

Passwords IoT Password Management Data breaches 349

Google Security

AUGUST 10, 2023

Much of Chrome is sandboxed , but the sandbox still requires a core high-privilege “broker” process to coordinate communication and launch sandboxed processes. The relative risks between sandboxed processes and the browser process are why the browser process is only allowed to parse trustworthy inputs and specific IPC messages.

Risk 77

Risk Authentication Architecture Backups 77

Troy Hunt

MAY 7, 2018

But as time has gone by and HTTPS has become increasingly ubiquitous and obtainable by all, the veracity of that advice has taken a serious hit. As of a few months ago, 38% of the world's top 1 million websites were served over HTTPS and that figure was up by a third in only 6 months, a trend that's continued for some time now.

Phishing 117

Phishing Encryption Education Risk 117

Troy Hunt

OCTOBER 28, 2020

I assumed Baidu got the lion's share of the votes by virtue of the HTTP address not being served over the secure scheme, even though HTTPS has got absolutely nothing to do with the trustworthiness of the contents of a website. Been a lot of "victim blaming" going on these last few days. — Bartek ?wierczy?ski

Phishing 362

Phishing Password Management Passwords Internet 362

Krebs on Security

MARCH 25, 2020

The truth is anyone can get an SSL certificate for free, and that’s a big reason why most phishing sites now have them. “‘Https’ does not mean that you are at the correct website or that the site is secure,” LaCour said. The server could still be misconfigured or have software vulnerabilities.

Government 281

Government Phishing Encryption Scams 281

CyberSecurity Insiders

JANUARY 6, 2022

That’s why it’s crucial to have a robust IT security strategy in place. Many people still don’t realize the dangers of phishing, malware, ransomware, unpatched software, and weak passwords. That’s why savvy businesses have started using online generators for making stubs. HTTPS and DNS), data link (e.g.,

Encryption 134

Encryption Identity Theft Authentication Data breaches 134

Malwarebytes

JANUARY 20, 2022

But there are still many other examples of these sites online. Just because a website is HTTPs, does not guarantee a site’s legitimacy. It’s easier than ever to set up a free HTTPs certificate, which is why manually navigating to websites is important. The site in question now resolves to a 404 error.

Scams 125

Scams Social Engineering Engineering Phishing 125

Troy Hunt

SEPTEMBER 11, 2018

I disagree and I want to explain - and demonstrate - precisely why. Still nice to see they have actually changed the site now. Shame, those opposed to it will say, is not the way. The last one from Betfair is a great example and the entire thread is worth a read. The Register wrote about it. Venture Beat wrote about it.

Media 260

Media Accountability Passwords Mobile 260

The Last Watchdog

FEBRUARY 18, 2020

It was just a few short years ago that the tech sector, led by Google, Mozilla and Microsoft, commenced a big push to increase the use of HTTPS – and its underlying TLS authentication and encryption protocol. Related: Why Google’s HTTPS push is a good thing At the time, just 50 % of Internet traffic used encryption.

Encryption 218

Encryption Firewall Risk IoT 218

Troy Hunt

SEPTEMBER 26, 2018

Scott Helme put me onto this originally via his two excellent posts on Securing DNS across all of my devices with Pi-Hole + DNS-over-HTTPS + 1.1.1.1 What - why?! Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. That is all. No HTML tags. No tracking.

DNS 274

DNS Risk 274

Webroot

FEBRUARY 11, 2021

Knowing who they are and why they target your business is essential to remaining cyber resilient. Nowadays, you’re more likely to receive an email from your boss’ boss asking for gift cards or money, but these scams are still active in many forms, as the Twitter attack shows. What Does the Opportunist Want?

Scams 108

Scams Phishing Firewall Social Engineering 108

SecureList

OCTOBER 26, 2023

Unfortunately for us, all the communications with the servers in question happened over HTTPS, so we could not recover any additional details from the traffic. com, exchanging data with it over a course of less than a minute; Next, the devices connected to one of the following servers for a longer session: cloudsponcer[.]com

Encryption 145

Encryption Backups VPN Malware 145

Troy Hunt

MARCH 26, 2018

Alrighty, we’re still going here, but he seems to have shifted angle a little bit now. This is why the recent Uber situation was such a debacle. But still, you're in no position to make demands without stepping into a very shady area. pic.twitter.com/i2EFDFgLem — Troy Hunt (@troyhunt) March 20, 2018. Your move ??

Scams 199

Scams Penetration Testing Accountability Data breaches 199

Troy Hunt

MAY 1, 2018

Because especially when it comes to security, there are fundamental and inherent shortcomings in everything from HTTP to HTML and many of the other acronyms that make the web work as it does today. I talk about this in detail in my 6-step happy path to HTTPS so I'll give you just a quick recap here. No - cyber-sticky tape!

Government 122

Government 122

eSecurity Planet

MAY 3, 2022

That’s the reason why Nozomi Networks Labs is not disclosing the details of the devices to reproduce the vulnerability. Unfortunately, even if the system randomizes the source port, the attackers can still try to brute-force the port value, so it’s not a remediation. The vulnerability remains unpatched at the time of writing.

DNS 131

DNS Risk Firmware IoT 131

Troy Hunt

SEPTEMBER 17, 2020

Yet I also find myself constantly using VPNs for a variety of security and privacy related reasons and it got me thinking - why? Here's one of our "Big 4" Aussie banks and as you can clearly see by virtue of the padlock, it's served over an HTTPS connection: Goodo! We still have a way to go! I mean what's the remaining gap?

VPN 358

VPN Phishing DNS Encryption 358

eSecurity Planet

NOVEMBER 10, 2023

Featured Partners Learn more Learn more Learn more Why DNS Security is Important DNS security is important because all computers use DNS whenever they try to communicate with websites and applications hosted on the internet.

DNS 109

DNS DDOS Encryption Authentication 109

Security Boulevard

JANUARY 17, 2024

What is RBI and Why Use It? Why Do We Care? Why should I care?” This means your stealthy HTTPS C2 traffic gets sent through the same virtualized host process the same as everything else and results in the server responses to your agents being rendered as an inert stream.

DNS 64

DNS Penetration Testing Passwords Encryption 64

Malwarebytes

JANUARY 30, 2023

Telerik Fiddler Classic —Fiddler is an Internet traffic monitor with powerful HTTPS capturing capabilities. Most other internet traffic monitors can't show details of HTTPS connections, because it is encrypted. Then by proxying internet traffic through a Windows machine, you can see otherwise private HTTPS traffic.

Malware 98

Malware Internet Internet Firewall 98

Vipre

JANUARY 27, 2021

Most of you have probably heard about encrypted DNS (DNS-over-HTTPS or DoH, and DNS-over-TLS or DoT) and have noticed that several of the major browser vendors have rolled out support for these newer protocols. Maybe you don’t even run your own DNS server, so why would you care? But what about at the office?

DNS 45

DNS Encryption 45

Troy Hunt

JULY 23, 2018

Make sure your site redirects to #HTTPS , so you don’t have the same problem. After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP , what sort of sites are left that are neglecting such a fundamental security and privacy basic? Cloudflare makes it easy!

Government 165

Government VPN Banking 165

Troy Hunt

JANUARY 10, 2018

Especially in a rapidly modernising country with over a billion people (a huge number of which still live in poverty), there are many reasons why much of what Aadhaar sets out to achieve does make sense. But as I've written before, there's a lot more to HTTPS than simply redirecting all the traffic ).

Hacking 279

Hacking Government Risk Encryption 279

Troy Hunt

MARCH 31, 2021

but it still feels super shady. However, it was still making requests to the domain but without the name resolving anywhere, the only signs of Coinhive being gone were errors in the browser's developer tools. It might only be exploiting them a little bit (how much power can an in-browser JS cryptominer really draw?),

Technology 363

Technology Mobile Internet Internet 363

SC Magazine

JUNE 21, 2021

“I’m very concerned about it, as a good portion of systems identified during the first round of reporting and on the list with the Department of Health and Human Services, US-CERT, and the FBI are still connected to the internet,” said Schrader. Access is needed, but if you want constant access, why not implement a virtual private network?

Internet 89

Internet Internet Media Healthcare 89

Troy Hunt

JULY 18, 2022

Sure, TV was "free" in that you don't pay to watch it (screwy UK TV licenses aside), but running a television network ain't cheap so it was (and still is) supported by advertisers paying to put their message in front of viewers. If not to make money, then why would we do it? So why do it? Our time has a value.

Data breaches 252

Data breaches Passwords Password Management Software 252

Troy Hunt

JANUARY 3, 2019

They're a great way of reflecting on success (and indeed, on failures) and they also help explain why we all feel so damn tired by the end of the year! In fact, I'm sure that's why the next 3 blog posts are up there too because they're all from similar incidents (number 6 in that list was also from 2017). Why No HTTPS?

Passwords 204

Passwords Technology Government InfoSec 204

Troy Hunt

JANUARY 3, 2020

Last one: what if an attacker directs you to a malicious website and upon visiting it your browser makes a post request to the original website that set the cookie - will that cookie still be sent with the request? Why is this possible? Cookies like to get around. Imagine this request: POST [link] Cookie: AuthCookie=EF29.

Passwords 287

Passwords Accountability Risk Hacking 287

Malwarebytes

MARCH 28, 2023

I asked it what it thought of ransomware and it swerved my question, told me what ransomware was, and why it was important to protect against it. With that in mind, I asked ChatGPT to simply choose the quickest encryption algorithm that is still secure. The only thing standing in their way are ChatGPT's famously porous safeguards.

Ransomware 98

Ransomware Encryption Backups Cybercrime 98

SecureList

MAY 1, 2023

Why URL classification? Still, building a machine-learning system requires a lot of effort, from gathering data and crafting features to preparing the infrastructure. URLs are still text, and LLMs are good at processing text. Please explain why. It is fast and cheap (we check a lot of links), but still powerful enough.

Phishing 117

Phishing DNS Cybersecurity Internet 117

Fox IT

MARCH 19, 2020

That is why we decided to build an advanced LDAP communication channel that fixes these issues. Why a C2 LDAP channel? This solution is ideal in a situation where network segments are completely segmented and firewalled but still share the same Active Directory domain. More issues like these made this solution not an ideal one.

Accountability 74

Accountability Architecture Penetration Testing Authentication 74

Troy Hunt

FEBRUARY 27, 2018

When I launched Pwned Passwords V2 last week , I made it fast - real fast - and I want to talk briefly here about why that was important, how I did it and then how I've since shaved another 56% off the load time for requests that hit the origin. Why Speed Matters for Pwned Passwords. And a bunch of other cool perf stuff while I'm here.

Passwords 199

Passwords Internet Internet Architecture 199

Troy Hunt

NOVEMBER 2, 2017

Or imagine there's a fire somewhere but the hydrant is on the other side of train tracks and you really want to put that fire out but trains have still gotta run too - what options are you left with? Let's extend that into the digital world and we'll talk about HTTPS for a bit. Wrong again! Seeing a theme here? You should use it.

Passwords 203

Passwords Penetration Testing Technology Accountability 203