FreshRSS

πŸ”’
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayTroy Hunt

Weekly Update 381

By Troy Hunt
Weekly Update 381

It's another weekly update from the other side of the world with Scott and I in Rome as we continue a bit of downtime before hitting NDC Security in Oslo next week. This week, Scott's sharing details of how he and Joe Tiedman registered a domain Capelli Sport let lapse and now have their JavaScript running on the websites shopping cart page (check your browser console after loading that link) 😲 That's not the crazy bit though, the crazy bit is the months they've spent trying to disclose this to Capelli and getting absolutely nowhere. I'll give them a shout-out this week and see if I have any more luck but when it's this hard to report egregiously bad security issues, is it any wonder we have so many data breaches. As I keep lamenting, it's a great time to be in this industry...

Weekly Update 381
Weekly Update 381
Weekly Update 381
Weekly Update 381

References

  1. Sponsored by:Β Unpatched devices keeping you up at night? Kolide can get your entire fleet updated in days. It's Device Trust for Okta. Watch the demo!
  2. 23andMe is blaming end users for account takeover attacks (it's obviously lawyery deflection, but they're also partly right)
  3. Anyone got a security contact at Capelli Sport? (I'll give that line a push publicly this coming week, it's just nuts how hard it is to report this stuff)

Weekly Update 380

By Troy Hunt
Weekly Update 380

We're in Paris! And feeling proper relaxed after several days of wine and cheese too, I might add. This was a very impromptu end of 2023 weekly update as we balanced family time with doing the final video for the year. On the cyber side, the constant theme over the last week has been ransomware; big firms, little firms, Aussie firms, American firms - it's just completely indiscriminate. Anecdotally, this seems to have really ramped up over 2023 so on that basis, 2024 will bring... well, let's wait and see, this industry is nothing if not full of surprises. Happy New Year friends 😊

Weekly Update 380
Weekly Update 380
Weekly Update 380
Weekly Update 380

References

  1. Sponsored by:Β Unpatched devices keeping you up at night? Kolide can get your entire fleet updated in days. It's Device Trust for Okta. Watch the demo!
  2. Eagers Automotive in Australia got ransom'd (that's a fairly significant Aussie brand)
  3. The University of Western Australia has had a dump turn up on a popular hacking forum (not ransom by the look of it, but obviously still bad)
  4. Ohio Lottery is another ransomware victim (play the odds, lose your data)
  5. And no, you definitely can't use a credit card in the UK to buy lottery tickets (borrowing money to gamble ain't exactly financially sensible)
  6. Even a very localised Aussie taxi firm is on this week's ransomware books (I suspect there's a degree of automation that makes it a no-brainer to add even small firms)

Weekly Update 379

By Troy Hunt
Weekly Update 379

It's that time of the year again, time to head from the heat to the cold as we jump on the big plane(s) back to Europe. The next 4 weekly updates will all be from places of varying degrees colder than home, most of them done with Scott Helme too so they'll be a little different to usual. For now, here's a pretty casual Christmas edition, see you next week from the other side πŸ™‚

Weekly Update 379
Weekly Update 379
Weekly Update 379
Weekly Update 379

References

  1. Sponsored by:Β Unpatched devices keeping you up at night? Kolide can get your entire fleet updated in days. It's Device Trust for Okta. Watch the demo!
  2. K'gari / Fraser Island is just exceedingly beautiful (and now we need a bigger wall to put these photos up on 🀣)
  3. The Ubiquiti Dream Wall is a really sweet looking piece of kit (awesome solution to avoid having a full rack setup if you don't need it)
  4. I'll be back as NDC Oslo in June for the first time since 2019 (this is the event that gave me everything from a career to a wife - it's kinda special to me 😊)
  5. The story about a marketing company pitching ads based on eavesdropped conversations by mobile devices is really wild (for so long, this amounted to tinfoil-hattery, now here we are...)

Weekly Update 378

By Troy Hunt
Weekly Update 378

I'd say the balloon fetish segment was the highlight of this week's video. No, seriously, it's a moment of levity in an otherwise often serious industry. It's still a bunch of personal info exposed publicly and that suchs regardless of the nature of the site, but let's be honest, the subject matter did make for some humorous comments 🀣

Weekly Update 378
Weekly Update 378
Weekly Update 378
Weekly Update 378

References

  1. Sponsored by:Β Identity theft isn’t cheap. Secure your family with Aura the #1 rated proactive protection that helps keep you safe online. Get started.
  2. I now have solar radiation and UV sensors tied into my IoT (in a week of bright sun constantly interjected by storm cells, this has been a really cool way to control lighting)
  3. Many people were left feeling deflated after the balloon fetish website got pwned (the whole thing was a real let down)
  4. The Twitter XSS + CSRF bug was rather nasty (but - assuming the reporting is accurate - it's their claimed handling of the bug report that's particularly bad)
  5. The DC Health Link breach was earlier this year and not particularly large at only 48k records (but it's in DC with a lot of politicians in it)

Weekly Update 377

By Troy Hunt
Weekly Update 377

10 years later... 🀯 Seriously, how did this thing turn into this?! It was the humblest of beginning with absolutely no expectations of anything, and now it's, well, massive! I'm a bit lost for words if I'm honest, I hope the chat with Charlotte adds some candour to this week's update, she's seen this thing grow since before its first birthday, through the hardest times and the best times and now lives and breathes HIBP day in day out with me. I hope you enjoy this video, and we'd both love to hear those swag ideas from you too 😊

Weekly Update 377
Weekly Update 377
Weekly Update 377
Weekly Update 377

References

  1. Sponsored by:Β Get insights into malware’s behavior with ANY.RUN: instant results, live VM interaction, fresh IOCs, and configs without limit.
  2. I wrote up a blog post on the highlights earlier this week (it still feels like I've missed a million things)

Weekly Update 376

By Troy Hunt
Weekly Update 376

I'm irrationally excited about the new Prusa 3D printer on order, and I think that's mostly to do with planning for the NDC Oslo talk I plan to do with Elle, my 11-year old daughter. I'm all for getting the kids exposure not just to tech, but also to being able to talk to others about tech and involving them in conference talks since a young age has been a big part of that. But what I'm especially excited about is that this won't just be an "aw, isn't it cute seeing kids talk at a conference" kinda thing; she genuinely knows enough about this technology that together, we can make a talk that adults will learn something from. That's cool 😎

Weekly Update 376
Weekly Update 376
Weekly Update 376
Weekly Update 376

References

  1. Sponsored by:Β Kolide ensures that if a device isn't secure, it can't access your apps. It's Device Trust for Okta. Watch the demo today!Β 
  2. Prusa MK4 inbound! (the MK3 has been such an awesome machine, the MK4 will be part of the NDC Oslo talk Elle and I do in June)
  3. If you're handy with .NET and feel like contributing to a cool open source project, have a look at our HIBP email address extractor (check out the open issues, there are a bunch of things there waiting for input)
  4. Breaches, breaches, breaches (there's a pretty regular cadence of new breaches flowing through right now, about one every 2-and-a-bit days based on the last 4 weeks.)

Weekly Update 375

By Troy Hunt
Weekly Update 375

For a weekly update with no real agenda, we sure did spend a lot of time talking about the ridiculous approach Harvey Norman took to dealing with heavy traffic on Black Friday. It was just... unfathomable. A bunch of people chimed into the tweet thread and suggested it may have been by design, but they certainly wouldn't have set out to achieve the sorts of headlines that adorned the news afterwards. Who knows, but it made for entertaining content this week πŸ™‚

Weekly Update 375
Weekly Update 375
Weekly Update 375
Weekly Update 375

References

  1. Sponsored by:Β Kolide ensures that if a device isn't secure, it can't access your apps. It's Device Trust for Okta. Watch the demo today!
  2. The Harvey Norman website outage was just, dumb (some people suggested it was a deliberate strategy to create demand)
  3. Unifi has launched a search feature for license plate recognition in their Protect app (I'd really like to see this data surfaced into Home Assistant so I can trigger events off specific vehicles)
  4. I mentioned Ubiquiti's funny ads about subscription services for video being reminiscent of the old "Mac versus PC ads" (there's a whole series of these, check out their YouTube channel for more)
  5. Australia Post's approach to verifying identities using digital driver's license appears to be "she'll be right mate" (let's see if that's just a teething problem and they start using the proper verifier soon)

Weekly Update 374

By Troy Hunt
Weekly Update 374

Think about it like this: in 2015, we all lost our proverbial minds at the idea of the Kazakhstan government mandating the installation of root certificates on their citizens' devices. We were outraged at the premise of a government mandating the implementation of a model that could, at their bequest, allow them to intercept traffic without any transparency or accountability. The EFF said the following at the time:

If the country's ruling regime were to successfully implement this plan, it would be able to snoop on, impersonate, and alter the online communications of anyone within their bordersβ€”effectively performing aΒ Man in the MiddleΒ attack on its entire population.

Now watch the video, listen to Scott and ask yourself how different the technical capacity he discusses is from the Kazakhstan situation. Not from a policy perspective or the intentions of the respective government bodies, but rather it terms of the capabilities and lack of transparency it results in. It's nuts. But hey, it's a good time to be in this industry!

Weekly Update 374
Weekly Update 374
Weekly Update 374
Weekly Update 374

References

  1. Sponsored by:Β Identity theft isn’t cheap. Secure your family with Aura the #1 rated proactive protection that helps keep you safe online. Get started.
  2. If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate (Scott's original Jan 2022 post on the emergence of QWACs)
  3. What the QWAC?! (Scott's post from this month that expands on eIDAS, root certificates and other - to use the technical term - batshit crazy ideas)
  4. Dead we learn nothing from the death of EV certificates?! (I posted that more than 4 years ago now after the EV indicator was removed from browser omnibars, effectively making them invisible to all but the most tech-savvy people)

Weekly Update 373

By Troy Hunt
Weekly Update 373

Most of this week's video went on the scraped (and faked) LinkedIn data, but it's the ransomware discussion that keeps coming back to mind. Even just this morning, 2 days after recording this live stream, I ended up on nation TV talking about the DP World security incident and whilst we don't have any confirmation yet, it has all the hallmarks of another ransomware case. In advance of that interview, I was trawling through various ransomware Tor sites and the volume of big names appearing there is just staggering. It does get me thinking: how many other individuals and corporations alike are being exposed through these and are never told about it? I wonder...

Weekly Update 373
Weekly Update 373
Weekly Update 373
Weekly Update 373

References

  1. Sponsored by:Β Webinar: 'How to Defend Against the Evilginx2.' Kuba Gretzky (Evilginx2) & Marcin Szary (Secfense) show a tool that counters MFA bypass.
  2. The LinkedIn scrape was a combination of data intended to be publicly consumable and lots of guessed email addresses (if you guess enough email addresses, you're bound to get some right!)
  3. The ransomware situation is getting just nuts, and it seems like there's no level criminals won't stoop to (that's a fascinating thread by Matt Johansen)
  4. The RDBMS component of HIBP is now running on "serverless" SQL Azure (yes, there are still servers, but it's not as obvious any more)

Weekly Update 372

By Troy Hunt
Weekly Update 372

Yes, the Lenovo is Chinese. No, I'm not worried about Superfish. Yes, I'm running windows. No, I don't want a Framework laptop. Seemed to be a lot of time this week gone on talking all things laptops, and there are clearly some very differing views on the topic. Some good suggestions, some neat alternatives and some ideas that, well, just seem a little crazy. But hey, I'm super happy with the machine, it's an absolute beast and I expect I'll get many years of hard work out of it. That and more in this week's video, enjoy 😊

Weekly Update 372
Weekly Update 372
Weekly Update 372
Weekly Update 372

References

  1. Sponsored by:Β Need centralized and real-time visibility into threat detection and mitigation? We got you! Discover the CrowdSec Console today.
  2. My primary mobile machine is now a Lenovo P16 Gen 2 ThinkPad (super happy with this machine, it's an absolute beast!)
  3. If you don't want my Coinhive script running on your website, don't put my Coinhive script on your website (I don't mean to state the obvious, but yeah...)
  4. I Lenny Troll'd our Ubiquiti doorbell to mess with kids on Halloween (these audio files are great, I've gotta actually put them to use against scammers 🀣)
  5. The kitchen is done! (compare that to where we started in the first tweet 😲)

Weekly Update 371

By Troy Hunt
Weekly Update 371

So I wrapped up this week's live stream then promptly blew hours mucking around with Zigbee on Home Assistant. Is it worth it, as someone asked in the chat? Uh, yeah, kinda, mostly. But seriously, having a highly automated house is awesome and I suggest that most people watching these vids harbour the same basic instinct as I do to try and improve our lives through technology. The coordination of lights with times of day, the security checks around open doors, the controlling of fans and air conditioning to keep everyone comfy, it just rocks... when it works 😎

Weekly Update 371
Weekly Update 371
Weekly Update 371
Weekly Update 371

References

  1. Sponsored by:Β Got Linux? (And Mac and Windows and iOS and Android?) Then Kolide has the device trust solution for you. Click here to watch the demo.
  2. 1Password got caught up in the Okta incident (it had no impact, but it does make you wonder about the soundness of passing around HAR files...)
  3. Does a service use HIBP for their "dark web" search? (it depends: some state it explicitly and some explicitly ask it not to be stated, so I simply neither confirm nor deny)
  4. It's finally time to migrate HIBP away from Table Storage (that post is almost a decade old now and explains why I went with this construct to begin with)
  5. I'm rolling all my Zigbee things from deCONZ with a Conbee to ZHA with Home Assistant Yellow (it's painful, but shout out to those who helped during the live stream and followed up later via Twitter)

Weekly Update 370

By Troy Hunt
Weekly Update 370

I did it again - I tweeted about Twitter doing something I thought was useful and the hordes did descend on Twitter to tweet about how terrible Twitter is. Right, gotcha, so 1.3M views of that tweet later... As I say in this week's video, there's a whole bunch of crazy arguments in there but the thing that continues to get me the most in every one of these discussions is the argument that Elon is a poo poo head. No, seriously, I explain it at the end of the video how so constantly the counterarguments have no rational base and they constantly boil down to a dislike of the guy. Ironically, continuing to use Twitter to have a rant about stuff just shows that Twitter is just the same as it always was 🀣

Weekly Update 370
Weekly Update 370
Weekly Update 370
Weekly Update 370

References

  1. Sponsored by:Β Got Linux? (And Mac and Windows and iOS and Android?) Then Kolide has the device trust solution for you. Click here to watch the demo.
  2. I put out a little tweet about Twitter charging new accounts in a couple of test markets $1... (...and people lost. their. minds.)
  3. The virtual cards service Simon mentioned is privacy.com (I gave it a go and got about 10 seconds into it before getting "You must be a US resident, and agree to the terms and authorizations", after which I was asked for name, DoB and address... and this helps anonymity?!)
  4. If you were IM'ing like it's 1999, you may be one of 75k people in the Phoenix breach (it's "vintage messaging reborn")
  5. The AndroidLista breach with 6.6M records went into HIBP (that one had been around for a while but with no disclosure and no response when I reached out, it just took a while)

Weekly Update 369

By Troy Hunt
Weekly Update 369

There seemed to be an awful lot of time gone on the 23andMe credential stuffing situation this week, but I think it strikes a lot of important chords. We're (us as end users) still reusing credentials, still not turning on MFA and still trying to sue when we don't do these things. And we as builders are still creating systems that allow this to happen en mass. All that said, I don't know how we build systems that are resilient to a single person coming along and entering someone else's (probably) reused credentials into a normal browser session, at least not without introducing additional barriers to entry that will upset the marketing manager. And so, I'm back at the only logical conclusion I think we can all agree on right now: it's a great time to be working in this industry 😊

Weekly Update 369
Weekly Update 369
Weekly Update 369
Weekly Update 369

References

  1. Sponsored by:Β Online fraud is everywhere. Secure your finances and personal info with Aura’s award-winning identity protection. Protect your identity now.
  2. 23andMe has been getting hammered in a credential stuffing attack (as I always say, defending against this is a shared responsibility: individuals need to work on their account security hygiene, and websites need to expect and defend against this sort of thing)
  3. And now they're getting sued in a class action, a mere 4 days after the event πŸ€¦β€β™‚οΈ (someone really should write a blog post about how stupid this is...)
  4. ...here's a blog post about how stupid class actions like this are! (when I'm getting lawyers asking me to advertise their class action suits on HIBP, you know damn well who's getting rich out of all this, and it ain't the plaintiffs)
  5. The Bureau van Dijk data breach is now in HIBP (we should be asking a lot more questions about why data aggregators collecting this sort of info still exist)

Weekly Update 368

By Troy Hunt
Weekly Update 368

This must be my first "business as usual" weekly update since August and damn it's nice to be back to normal! New sponsor, new breaches, new blog post and if you're in this part of the world, a brand new summer creeping over the horizon. I've now got a couple of months with very little in the way of travel plans and a goal to really knock a bunch of new HIBP features out of the park, some of which I talk about in this week's video. Enjoy! 🍻

Weekly Update 368
Weekly Update 368
Weekly Update 368
Weekly Update 368

References

  1. Sponsored by: NTT’s Samurai XDR offers affordable enterprise-grade security for businesses of any size. $40 /endpoint/year. Try it free for 30 days!
  2. The Horse Isle breach went into HIBP (if you're a big fan of fantasy horse games, this one is for you!)
  3. The Activision breach also went into HIBP (only employees and what looks like contractors in this one, probably more embarrassing for the organisation than actually impactful)
  4. And the Hjedd breach went into HIBP too (if you're a big fan of Chinese porn, well, uh, yeah...)
  5. You never actually believed the claims of "safe, secure, anonymous", did you? (turns out that's literally horseshit 🐎)

Weekly Update 367

By Troy Hunt
Weekly Update 367

Ah, home 😊 It's been more than a month since I've been able to sit at this desk and stream a weekly video. And now I'm doing it with the glorious spring weather just outside my window, which I really must make more time to start enjoying. Anyway, this week is super casual due to having had zero prep time, but I hope the discussion about the ABC's piece on HIBP and I in particular is interesting. I feel like this whole story has a long way to go yet, hopefully now having a few months at home will give us an opportunity to lay the foundation for the next phase. Stay tuned!

Weekly Update 367
Weekly Update 367
Weekly Update 367
Weekly Update 367

References

  1. Sponsored by: EPAS by Detack. No EPAS protected password has ever been cracked and won't be found in any leaks. Give it a try, millions of users use it.
  2. "A strange sign of the times" (the ABC's piece on HIBP and I)
  3. I mentioned "Outliers, the Story of Success" as one of my favourite books (turns out it's a combination of hard work and good luck, neither of which is sufficient by itself)
  4. Talking about good luck, the story of my leaving Pfizer is in one of my favourite evers talks, "Hack Your Career" (I need to do a follow-up on this, there's so much more to add now)

Weekly Update 366

By Troy Hunt
Weekly Update 366

Well that's it, Europe is done! I've spent the week in Prague with highlights including catching up with Josef Prusa, keynoting at Experts Live EU and taking a "beer spa" complete with our own endless supply of tap beer. Life is good 🍻

That’s it - we’ve peaked - life is all downhill from here 🀣 🍻 #BeerSpa pic.twitter.com/ezCpUC6XEK

β€” Troy Hunt (@troyhunt) September 21, 2023

All that and more in this week's video, next week I'll come to you from back home in the sunshine 😎

Weekly Update 366
Weekly Update 366
Weekly Update 366
Weekly Update 366

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. I caught up with Josef Prusa in Prague (what he has created at Prusa is massively impressive!)
  3. Experts Live EU was an awesome event 😎 (felt a lot of love in Prague, thanks everyone 😊)
  4. The dbForums data breach went into HIBP (and... that's me pwned again 😭)
  5. The ApexSMS spam operation that exposed data a few years back also went into HIBP (it's one of those ones you really can't do anything about, think of it as an "FYI")

Weekly Update 365

By Troy Hunt
Weekly Update 365

It's another week of travels, this time from our "second home", Oslo. That's off the back of 4 days in the Netherlands and starting tomorrow, another 4 in Prague. But today, the 17th of September, is extra special 😊

1 year today ❀️ pic.twitter.com/vsRChdDshn

β€” Troy Hunt (@troyhunt) September 17, 2023

We'll be going out and celebrating accordingly as soon as I get this post published so I'll be brief: enjoy this week's video!

Weekly Update 365
Weekly Update 365
Weekly Update 365
Weekly Update 365

References

  1. Sponsored by: 1 in 3 families have been affected by fraud. Secure your personal info with Aura’s award-winning identity protection. Start free trial.
  2. We had a great visit to Politie Nederland in Rotterdam this week (lots of common goals shared, and I'm really happy we've been able to assist with victim notification via HIBP)
  3. 932k Viva Air email addresses went into HIBP (that's a Colombian airline which no longer exists, they were pwned and ransomed last year)
  4. 4.3M Malindo Air email addresses went into HIBP (it's a 2019 breach so not new, but a third of people in there had never appeared in a loaded breach before)
  5. Wasn't really expecting to be named on a notorious ransomware website, but here we are (2 days after recording I still haven't heard anything further)
  6. I wasn't expecting anything revolutionary, but I'd really hoped for more excitement in the new iPhones (but I ordered us both Pro Max units anyway 😎)

Weekly Update 363

By Troy Hunt
Weekly Update 363

I'm super late pushing out this week's video, I mean to the point where I now have a couple of days before doing the next one. Travel from the opposite side of the world is the obvious excuse, then frankly, just wanting to hang out with friends and relax. And now, I somehow find myself publishing this from the most mind-bending set of circumstances:

Heading to 31C. Cold beer. Warm pool. How is this in England?! 🀯 pic.twitter.com/tQSbHaoLhG

β€” Troy Hunt (@troyhunt) September 6, 2023

On that note, straight into the video, links below and I'll do it all again in a couple of days from Spain:

Weekly Update 363
Weekly Update 363
Weekly Update 363
Weekly Update 363

References

  1. The FBI took down Qakbot and sent the data over to HIBP (that's both email addresses and passwords that are now searchable)
  2. CERT Poland also sent over a bunch of data snagged from phishing activities (another 68k records now searchable in HIBP)
  3. The Pampling breach went into HIBP despite not being able to get a response from them... (...until it went into HIBP and customers started asking questions)
  4. PlayCyberGames was also breached and the data went into HIBP... (...and they also didn't respond to disclosure attempts - at all)
  5. If you're building websites and you haven't given Report URI a go yet, you don't know what you're missing! (seriously, CSPs are so cool 😎)
  6. Sponsored by: Fastmail. Check out Masked Email, built with 1Password. One click gets you a unique email address for every online signup. Try it now!

Weekly Update 362

By Troy Hunt
Weekly Update 362

Somehow in this week's video, I forgot to talk about the single blog post I wrote this week! So here's the elevator pitch: Cloudflare's Turnstile is a bot-killing machine I've had enormous success with for the "API" (quoted because it's not meant to be consumed by others), behind the front page of HIBP. It's unintrusive, is super easy to implement and kills bots dead. There you go, how's that for a last minute pitch? 😊

Weekly Update 362
Weekly Update 362
Weekly Update 362
Weekly Update 362

References

  1. Sponsored by: Unpatched devices keeping you up at night? Kolide can get your entire fleet updated in days. It's Device Trust for Okta. Watch the demo!
  2. Fight the bots with Cloudflare's Turnstile (and hey, if you can find a way through it, let me know and I'll pass your feedback on to Cloudflare)
  3. If you enjoy discussing escorts on public forums, you may be in the ECCIE breach (along with your email and IP address 😳)
  4. But you probably won't be in the Atmeltomo breach (unless you're Japanese and looking for a friend)
  5. The Duolingo scrape from earlier this year is now doing the rounds (that's a 100% hit rate with other breaches)
  6. And SevenRooms had their near half a TB breach from December start circulating (that's one of the largest we've seen in a long time)

Weekly Update 361

By Troy Hunt
Weekly Update 361

This week hasd been manic! Non-stop tickets related to the new HIBP domain subscription service, scrambling to support invoicing and resellers, struggling our way through some odd Stripe things and so on and so forth. It's all good stuff and there have been very few issues of note (and all of those have merely been people getting to grips with the new model), so all in all, it's happy days 😊

Weekly Update 361
Weekly Update 361
Weekly Update 361
Weekly Update 361

References

  1. Sponsored by: Unpatched devices keeping you up at night? Kolide can get your entire fleet updated in days. It's Device Trust for Okta. Watch the demo!
  2. Brett Adams built a really cool Splunk app using the new domain search API (and he talked me into adding a couple of other ones too)
  3. iMenu360 had 3.4M customer records appear in a breach (and ignored every single attempt made to disclose it πŸ€·β€β™‚οΈ)
  4. We now have a model for education facilities, non-profits and charities (for now, it boils down to "log a ticket and we'll help you out")

Weekly Update 360

By Troy Hunt
Weekly Update 360

So about those domain searches... 😊 The new subscription model launched this week and as many of you know from your own past experiences, pushing major new code live is always a bit of a nail-biting exercise. It went out silently on Sunday morning, nothing major broke so I published the blog post Monday afternoon then emailed all the existing API key subscribers Tuesday morning and now here we are!

One thing I talk a bit about in the video today are the 2 new APIs someone reached out and requested. This was an awesome idea and I can't wait to show you what they've built with them. I expect I'll blog that this coming week and probably quietly slip out the documentation on the 2 new endpoints in advance. Stay tuned for that one, what he's done with this looks so cool 😎

Weekly Update 360
Weekly Update 360
Weekly Update 360
Weekly Update 360

References

  1. Sponsored by: Secure your assets, identity and online accounts with our award-winning ID theft protection. Get started with Aura today.
  2. It's almost all about the domain searches today (I'm really happy about how this has been received!)
  3. Education facilities and non-profits have come up a bit as organisations we might need to treat a bit differently (we're working a model for them, for now that's a link to the KB requesting they log a ticket we can then review)

Weekly Update 359

By Troy Hunt
Weekly Update 359

Somewhere in the next few hours from publishing this post, I'll finally push the HIBP domain search changes live. I've been speaking about it a lot in these videos over recent weeks so many of you have already know what it entails, but it's the tip of the iceberg you've seen publicly. This is the culmination of 7 months of work to get this model right with a ridiculous amount of background effort having gone into it. Case in point: read my pain from last night about converting thousands of words of lawyer speak T&Cs from Microsoft Word to HTML. As if preparing these wasn't painful enough, trying to make them simply play nice on a web page has been a nightmare! (I settled for dumping stuff in a <pre> tag for now and will invest the time in doing it right later on.)

I hope you enjoy this week's video, I'll talk much more about the domain search bits in the next video, hopefully following a successful launch!

Weekly Update 359
Weekly Update 359
Weekly Update 359
Weekly Update 359

References

  1. Sponsored by: EPAS by Detack. No EPAS protected password has ever been cracked and won't be found in any leaks. Give it a try, millions of users use it.
  2. What's the best tooling to start teaching kids to code Python on Windows with? (I decided taking Python from the Windows store then using Visual Studio Code with the Python extension made the most sense)
  3. The MagicDuel Adventure MMORPG got breached (it's a short disclosure notice, but kudos to them for that probably being the fastest turnaround from me reaching out to them disclosing I've ever seen!)
  4. My Home Assistant Yellow has finally landed! (hoping it solves the intermittent restart problems which now that I think about it, haven't happened for weeks πŸ€”)
  5. Finding a CM4 was the hard bit (Amazon link to the unit I bought a month ago... at A$274 at the time 😭)
  6. It's the final hours before the all new bits for domain search go live in HIBP! (the community input has been awesome - thank you!)

Weekly Update 358

By Troy Hunt
Weekly Update 358

IoT, breaches and largely business as usual so I'll skip that in the intro to this post and jump straight to the end: the impending HIBP domain search changes. As I say in the vid, I really value people's feedback on this so if nothing else, please skip through to 48:15, listen to that section and let me know what you think. By the time I do next week's vid my hope is that all the coding work is done and I'm a couple of days out from shipping it, so now is your time to provide input if you think there's something I'm missing that really should be in there πŸ™‚

Weekly Update 358
Weekly Update 358
Weekly Update 358
Weekly Update 358

References

  1. Sponsored by: Kolide ensures that if a device isn't secure, it can't access your apps. It's Device Trust for Okta. Watch the demo today!
  2. Messing with door-knocking real estate agents is a really good use of Home Assistant and Ubiquiti IMHO (channelling my inner Password Purgatory demons on this one!)
  3. The BookCrossing breach went into HIBP (plain text passwords FTW!)
  4. An old Roblox breach surfaced and also went into HIBP (Roblox has had quite the time of it lately...)
  5. BreachForums, was itself, breached (definitely legit too, given the presence of a "lurker" account I created there)

Weekly Update 357

By Troy Hunt
Weekly Update 357

Sad news to wake up to today. Kevin was a friend and as I say in this week's video, probably the most well-known identity in infosec ever, and for good reason. He made a difference, and I have fun memories with him 😊

Felt really sad waking up and seeing β€œRIP Kevin” in my timeline. I doubt there is a more well known name in our industry but if he’s unfamiliar to you (or you haven’t read this book), go and grab β€œGhost in the Wires” which is an exceptional read.

Kevin started regularly coming… pic.twitter.com/w1UMm7mGa8

β€” Troy Hunt (@troyhunt) July 20, 2023

In other news, I share a lot more on the upcoming domain search changes in this week's video and I've gotta say, I'm feeling pretty good about them. I spent most of the day after recording this writing code and drafting the blog post and I'm pretty damn happy with each right now. I'll keep sharing more info via these updates to the extent that by the time everything launches in a couple of weeks, you'll know it all anyway if you're paying attention here 😎

Weekly Update 357
Weekly Update 357
Weekly Update 357
Weekly Update 357

References

  1. Sponsored by: Kolide ensures that if a device isn't secure, it can't access your apps. It's Device Trust for Okta. Watch the demo today!
  2. If you haven't done already, go read Ghost in the Wires, the Kevin Mitnick story (it's a genuinely entertaining read)
  3. If you mistype an email address, it will go to the wrong place! 🀯 (the .mil conflation with .ml story has received way more airtime than what it's due IMHO)
  4. Shellys, Shellys everywhere (after feedback from Richard and Lars on this week's video, I'm pretty sure I'm going to ditch MQTT altogether now)
  5. The Roblox Developers Conference had 4k people's data leaked (goes back a few years and they did eventually disclose, but it would have been nice for them to beat me to it)
  6. It's more than a month ago now that I wrote about the impending domain search changes (but not long to go now πŸ™‚)

Weekly Update 356

By Troy Hunt
Weekly Update 356

Today was a bit back-to-back having just wrapped up the British Airways Magecart attack webinar with Scott. That was actually a great session with loads of engagement and it's been recorded to so look out for that one soon if you missed it. Anyway, I filled this week's update with a bunch of random things from the week. I especially enjoyed discussing the HIBP domain search progress and as I say in the video, talking through it with other people really helps crystalise things so I think I'll keep doing that as the dev work continues. Stay tuned for more on that next week, see you then 😊

Weekly Update 356
Weekly Update 356
Weekly Update 356
Weekly Update 356

References

  1. Sponsored by: Americans lost $8.8B to identity theft in 2022. Secure your online info with Aura the #1 rated identity theft protection. Start free trial.
  2. Scott Helme and I did a Report URI webinar just before this video, all about the Magecart attack on British Airways (stay tuned for the recording)
  3. The renos have been very trying on my patience (but the garage is looking totally epic 😎)
  4. I finally fixed this hum when the camera was on... by using a USB cable to charge it instead (this was so painful, obviously some sort of electrical interference going on there)
  5. I completely forgot to talk about my IoT lock batteries (but yeah, that linked tweet sums it all up)
  6. A full "baker's dozen" of MVP awards! (that's 13 years running now 😲)

Weekly Update 355

By Troy Hunt
Weekly Update 355

Alrighty, "The Social Media". Without adding too much here as I think it's adequately covered in the video, since last week we've had another change at Twitter that has gotten some people cranky (rate limits) and another social media platform to jump onto (Threads). I do wonder how impactful the 1k tweet view limit per day is for most people (I have no idea how many I usually see, I just know I've never hit the limit yet), and as I say in the video, I find it increasingly hard to tell when community outrage is evidence-based versus "because Elon". Strange times, for now I'll just keep a foot in each camp and then who knows how the whole thing will play out in the future.

Weekly Update 355
Weekly Update 355
Weekly Update 355
Weekly Update 355

References

  1. Sponsored by: EPAS by Detack. No EPAS protected password has ever been cracked and won't be found in any leaks. Give it a try, millions of users use it.
  2. We're still seeing the sights in Thailand (food, scenery, wildlife, people - it's all πŸ‘Œ)
  3. I'm now on Threads by Instagram owned by Meta (because we needed yet another social media platform to fragment across...)
  4. Some spammer somewhere has been spoofing my phone number (no further incidents since recording, but clearly the phone system is a mess as it relates to verifying phone numbers being used)

Weekly Update 354

By Troy Hunt
Weekly Update 354

I'm in Thailand! It's spectacular here, and even more so since recording this video and getting out of Bangkok and into the sorts of natural beauty you see in all the videos. Speaking of which, rather than writing more here (whilst metres away from the most amazing scenery), I'm going to push the publish button on this week's video and go enjoy it. Seeya! 😊

Weekly Update 354
Weekly Update 354
Weekly Update 354
Weekly Update 354

References

  1. Sponsored by Kolide. Kolide can get your cross-platform fleet to 100% compliance. It's Zero Trust for Okta. Want to see for yourself? Book a demo.
  2. We're in Thailand, and it's amazing 🀩 (the pictures speak for themselves, check out the linked thread)
  3. The Insta360 GO 3 is a really impressive piece of hardware (editing software could do with work, but that's fixable)
  4. The BreachForums clone got itself breached (irony upon irony, and oh so predictable too )
  5. The FBI sent me a really cool piece of recognition (definitely going straight to the pool room!)

Weekly Update 353

By Troy Hunt
Weekly Update 353

This feels like a week of minor frustrations with little real world consequence but they just bugged the hell out of me. Couldn't record in my office due to a weird ground loop problem, my Home Assistant instance was unexpectedly rebooting, the Yale IoT door locks had near unprecedentedly bad UX... and then I saw Miele's IoT 😭 Other than that, everything is fine 😊

Weekly Update 353
Weekly Update 353
Weekly Update 353
Weekly Update 353

References

  1. Sponsored by: Kolide can get your cross-platform fleet to 100% compliance. It's Zero Trust for Okta. Want to see for yourself? Book a demo.
  2. Is my Home Assistant a bit unstable because of SD cards, or other? (it's been fine since this video and I did realise later that powering it off mains and having an IoT switch controlled by HA would allow me to power it down, but not back up 😭)
  3. When IoT door locks work as they should, they're beautiful (not in this week's video - both locks had successfully dropped off the network so all remote functionality was dead 😭)
  4. The Miele IoT experience is extraordinarily painful (separately to the IoT, the automatic function to cook a roast completely failed last night and I came downstairs to a cold leg of lamb 😭)

Weekly Update 352

By Troy Hunt
Weekly Update 352

Domain searches in HIBP - that's the story this week - and I'm grateful for all the feedback I've received. I've had a few messages in particular since this live stream where people gave me some really excellent feedback to the point where I've now got a much clearer plan in head as to what this will look like. I need to keep writing code, revising the draft blog post to announce it then sometime in hopefully about a month, push it all live. What I'm zero'ing in on now is a free tier that covers most domains, a very low entry fee for almost every personal or small business case you can think of and then a few tiers above that to cover the rest. Do keep that feedback coming, it's all read, it's all taken onboard and I'm responding to absolutely everyone that sends it to me. If you're one of those people, thank you 😊

Weekly Update 352
Weekly Update 352
Weekly Update 352
Weekly Update 352

References

  1. The kitchen renovation thread marches on (hopefully during this coming week we'll get it all done other than the stone tops)
  2. My Azure API Management woes have been well and truly solved! (just added those last stats I mentioned to the tweet thread, still don't know why it's going so damn fast now πŸ€·β€β™‚οΈ)
  3. The Zacks breach is now in HIBP (disclosure took more effort than it should have, but we got there in the end)
  4. I pushed out a whole new domain search experience along with 5 announcements (the biggy is the impending charges for larger domains, do have a listen and provide your feedback if this feature is important to you)
  5. Sponsored by Kolide can get your cross-platform fleet to 100% compliance. It's Zero Trust for Okta. Want to see for yourself? Book a demo.

Weekly Update 351

By Troy Hunt
Weekly Update 351

I spent most of this week's update on the tweaking I went through with Azure's API Management service and then using Cloudflare to stop a whole bunch of requests that really didn't need to go all the way to the origin (or at least all the way to the API gateway sitting in front of the origin Azure Function instance). I'm still blown away by how cool this is - tweak the firewall via a web UI to inspect traffic and respond differently based on a combination of headers and response codes and bam! A massive reduction in unnecessary traffic follows. That's so cool, I love cloud 😊

Weekly Update 351
Weekly Update 351
Weekly Update 351
Weekly Update 351

References

  1. I couldn't help but talk about Yale smart locks again (they've been oh so painful, but I do actually have them working well now)
  2. I went down a bit of a rabbit hole trying to optimise Azure's APIM service (I'm super happy with the result though, that's a whole heap of traffic I no longer need to process in Azure - thanks Cloudflare!)
  3. Why no, I can't think of anything whatsoever that could go wrong by letting anyone set whatever photo they like to appear on the Apple device of the person they're calling 🀣 (if this ships consistent with my understanding of the feature, much hilarity - and scamming - will ensue)
  4. Sponsored by: Kolide can get your cross-platform fleet to 100% compliance. It's Zero Trust for Okta. Want to see for yourself? Book a demo.

Weekly Update 350

By Troy Hunt
Weekly Update 350

And so ends a long period of back-to-back weeks of conferences and talks. It's funny how these things seem to cluster together at times and whilst the last 6 or 8 weeks (I honestly lose track!) have been chaotic, I've now got a few weeks of much less pressure which will give me time to finally push out some HIBP stuff that's been in the wings for ages. I've just got to get through this weekend first, stay tuned for pics on social for that, it's going to be pretty epic 😎

Weekly Update 350
Weekly Update 350
Weekly Update 350
Weekly Update 350

References

  1. The garage joinery is looking epic (the promised pic from just before this week's video started)
  2. The Yale IoT locks are beautifully made, but the digital UX is an absolute nightmare (I'll look at doing the Zigbee and Home Assistant bits properly next week)
  3. But hey, at least the doors look good! (they'll outlive the IoT by a massive order of magnitude and I suspect they'll see many different locks over the years)
  4. I promised axe throwing pics! (how they serve you beer before throwing them is... curious)
  5. There was a rather sizeable dump of Polish credentials (I'm not normally loading credential stuffing lists these days, but this one was a little different)
  6. And then there was the RaidForums dump (you'd have to be feeling pretty uneasy if you were on there doing criminal things)
  7. Sponsored by: Kolide can get your cross-platform fleet to 100% compliance. It's Zero Trust for Okta. Want to see for yourself? Book a demo.

Weekly Update 349

By Troy Hunt
Weekly Update 349

This week's update is dominated by my experience with "Lena", the scammer from Gumtree who tried to fleece my wife of $800. There's a blow-by-blow rundown of how it all happened in this video and it's fascinating to think that these things can actually be successful given all the red flags. But they are, and in Australia alone innocent victims are stung to the tune of more than 3 billion dollars every year by fraudsters which is a staggering number. Understanding how these scams work and sharing that knowledge broadly with the less technical of those around us is part of how to combat this, so please share the tweet thread generously... and enjoy the entertainment 😊

Weekly Update 349
Weekly Update 349
Weekly Update 349
Weekly Update 349

References

  1. That Xbox problem with all the suggestions around weird HDMI behaviour? (not one single person suggested checking I'd plugged the cables into the right inputs πŸ€¦β€β™‚οΈ)
  2. When disclosure doesn't happen and victims are notified by a third party, it can leave the implicated service in a really uncomfortable position (this shouldn't be happening, and I'm sympathetic to Synduit's position here whether they were actually breached or not)
  3. Our household didn't escape unscathed from the Luxottica data breach (congratulations Charlotte!)
  4. I blew a lot of hours on a really flakey Azure Functions / storage queue problem that only appeared after a recent update (that pretty much wrote off my entire Wednesday)
  5. Ah, scammers, the source of endless entertainment for us all! (but also a source of great pain for so many people, so it was nice to inflict some back on them for a change 😊)
  6. Sponsored by: Kolide can get your cross-platform fleet to 100% compliance. It's Zero Trust for Okta. Want to see for yourself? Book a demo.

Weekly Update 348

By Troy Hunt
Weekly Update 348

I feel like the .zip TLD debate is one of those cases where it's very easy for the purest security view to overwhelm the practical human reality. I'm yet to see a single good argument that is likely to have real world consequences as far as phishing goes and whilst I understand the sentiment surrounding the confusion new TLDs with common file types, all "the sky is falling" commentary I've seen is speculative at best. But hey, there's no rolling it back now, we can start judging by what actually happens with the TLD rather than sitting around creating misuse hypotheses.

Weekly Update 348
Weekly Update 348
Weekly Update 348
Weekly Update 348

References

  1. The .zip TLD situation really isn't going to impact phishing (and if you don't agree, too bad, it's here now so we'll know for sure soon enough)
  2. The ABC's "mosaic effect" visualisation of HIBP data is really cool (give this a go, it's a great way of seeing what the impact of data breaches really looks like)
  3. Luxottica had over 70M unique customer records exposed (also looks like they never contacted impacted individuals)
  4. Sponsored by: Kolide can get your cross-platform fleet to 100% compliance. It's Zero Trust for Okta. Want to see for yourself? Book a demo.

Weekly Update 347

By Troy Hunt
Weekly Update 347

A late one this week as I cover from the non-stop conferencing that was the Azure user group in Perth, followed by the Cyber West keynote, then the social drinks that night, the flight back home straight into the AusCERT gala dinner, the panel on data governance that morning then wrapping up with the speed debate Friday arvo. I think that's all... Anyway, better later than never and nothing too serious in this week's update. Personally, I'm finding the house works the most fun to talk about so I'm going to hit the publish button on this post now then go back to drafting the blog series on everything we've done 😊

Weekly Update 347
Weekly Update 347
Weekly Update 347
Weekly Update 347

References

  1. The RentoMojo data breach entered circulation and ended up in HIBP (another couple of million accounts right there)
  2. I started a thread with before and after shots of the house works (writing up a much more comprehensive blog series right now...)
  3. This is the story I mentioned about the bloke in Melbourne copping it from the public for craning his McLaren into his apartment (its' "guitar lessons" all over again!)
  4. To the audience question about door locks, I did go back and look again and there's a Yale Assure Lock 2 that supersedes the SL I had an order (still no Apple HomeKey support though πŸ˜”)
  5. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Zero Trust tailor-made for Okta. Book a demo today.

Weekly Update 346

By Troy Hunt
Weekly Update 346

It's a bit of a mixed bag this week with a very light-hearted look at the death of the browser padlock icon (which has been replaced by an icon that looks like a sex act), and a much more serious discussion about divorce. It took a long time to write and be ready to publish that blog post, many years in fact, but I'm so glad I did. You don't have to scroll far through the responses to the launch tweet or the comments on the blog itself to get a sense of how it's impacted people, and as I said in the very opening of the post, this sort of openness tends to be really well received. Wherever you are in your own stage of life, I hope you enjoying reading that post and share it generously with those for whom it might just make a real difference.

Weekly Update 346
Weekly Update 346
Weekly Update 346
Weekly Update 346

References

  1. Catch me at the cybersecurity unlocked meetup in Perth next week (super casual, no idea what I'm going to be talking about yet πŸ€”)
  2. You can also catch me keynoting at the Cyber West Summit (loads of good stuff about what I've learned processing billions of breached records for HIBP)
  3. The padlock icon is dead! (long live the, uh... "you know exactly what it looks like" icon πŸ™„)
  4. The feedback to my blog post on divorce has been pretty amazing (it's obviously a delicate topic and it took me a long time to be ready to talk about it, but doing so seems to have made a difference to a lot of people)
  5. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Zero Trust tailor-made for Okta. Book a demo today.

Weekly Update 345

By Troy Hunt
Weekly Update 345

I stand by my expression in the image above. It's a perfectly accurate representation of how I looked after receiving the CityJerks breach, clicking on the link to the website then seeing what it actually was 😳 Fortunately, the published email address on their site did go through to someone at TruckerSucker (😳😳) so they're aware of the breach and that it's circulating broadly via a public hacking website. That segment is last up in this week's video and I do give fair warning just in case you're not in the best environment to be watching that part of the update. Viewer discretion advised!

Weekly Update 345
Weekly Update 345
Weekly Update 345
Weekly Update 345

References

  1. Apparently, there are a whole bunch of accounts impersonating me on Mastodon (my tweet was deliberately crafter for amusement value hence the popcorn and tongue in cheek emojis, but that didn't stop people on Twitter losing their minds about Twitter)
  2. Hence, "Exhibit B" (even with a follow-up tweet containing a meme of a massive box of popcorn, some minds have been lost 🍿)
  3. Terravision got breached to the tune of more than 2M accounts (no reply to multiple attempts to disclose either)
  4. MEO face masks in New Zealand also got breached (they did reply to me, but only by their Facebook account and then didn't engage any further)
  5. CityJerks, the, uh, "mutual masturbation" website got breached (I think you just need to watch the video to properly understand this one 😳)
  6. As to the question about garage progress, here's a thread with some cool internal shots (ok, so it's mostly car shots, but it gives you a good sense of the mood in there now)
  7. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Zero Trust tailor-made for Okta. Book a demo today.

Weekly Update 344

By Troy Hunt
Weekly Update 344

I feel like a significant portion of this week's video went to discussing "the Coinbase breach that wasn't a Coinbase breach". There are various services out there that are used by the likes of password managers to alert their customers to new breaches (including HIBP in 1Password) and whoever Dashlane is using frankly, royally cocked up the attribution. What was a garden variety list of email addresses someone had just chucked the "Coinbase" name on had absolutely nothing to do with a breach of the crypto company. It's frustrating to watch, and I suspect that will come through when you watch the video too. See what you think.

Weekly Update 344
Weekly Update 344
Weekly Update 344
Weekly Update 344

References

  1. I take an inordinate amount of pleasure in screwing with scammers / spammers (and judging by the reactions to that thread, so do you! 🀣)
  2. Misattributing a data breach can be a pretty serious issue, and Dashlane's provider incorrectly implicating Coinbase as having been pwned isn't a good look (I'm especially frustrated given how much time I invest doing verification so precisely this doesn't happen!)
  3. Domain searches via API are coming to HIBP! (that's a link to a "started" UserVoice idea, vote there if you'd like to be kept in the loop on progress)
  4. I'm trialling using a Twitter subscription to provide earlier insights into breaches and seek community support in handling and disclosing them (no need to explicitly let me know if that's not of interest, just don't sign up πŸ™‚)
  5. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Zero Trust tailor-made for Okta. Book a demo today.

Weekly Update 343

By Troy Hunt
Weekly Update 343

A bit late this week as I've prioritised time out with the family doing as many New Zealand adventure things as we can. And we've seriously maxed out the time, as you can see via the FB link below. But that hasn't stopped a couple of new data breaches flowing into HIBP nor me having some pretty direct thoughts on the premise that the vast bulk of IT pros are being told not to report data breaches. I hope you enjoy this impromptu vid from a faraway location at an odd time, I'll be back to normal again next week.

Weekly Update 343
Weekly Update 343
Weekly Update 343
Weekly Update 343

References

  1. New Zealand has pretty much just been back-to-back adventure activities 😎 (I've tended to put most of these on Facebook, loads of pics there)
  2. The Kodi Foundation self-submitted their 400k record breach to HIBP (really high hit ratio for both existing pwned accounts and HIBP subscribers in the breach)
  3. OGUsers got breached again - for the fifth time now! (no news on it to link to, just remember that if you're part of one of these communities your data is almost certainly going to end up in law enforcement hands sooner or later)
  4. Apparently 71% of IT pros are being told to keep quiet about data breaches (if you're in this category, may you perpetually be looking over your shoulder waiting for an email from me...)
  5. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Zero Trust tailor-made for Okta. Book a demo today.

Weekly Update 342

By Troy Hunt
Weekly Update 342

Next time I post a poll about something as simple as "when is next Friday", I don't expect I'll get as much interest. Of course "next time" will be whatever poll follows the last one, not the poll that falls after that one! But more seriously, I cannot think of a better example of ambiguous language that's open to interpretation and so easily avoided (hello MM-DD people!)

Also, Genesis Market and Operation Cookie Monster. This is just amazing stuff and a testament to a coalition of law enforcement agencies across the globe that have now made well over 100 arrests. Off the back of the NCA's DDoS market honeypot, the BreachForums admin arrest and the takedown of RaidForums before that, if you're playing in this space you'd have to be looking over your shoulder by now. Interesting times in cyber(crime) space.

Weekly Update 342
Weekly Update 342
Weekly Update 342
Weekly Update 342

References

  1. I'll be in New Zealand next Friday, which is the Friday that falls at the end of next week, not the week after (what is wrong with 78% of people?! 🀣)
  2. And now I know how an epoxy floor is laid (think of it as "feeding chickens")
  3. "Operation Cookie Monster" is a fascinating story of identity theft, a coalition of law enforcement agencies, and HIBP 😊 (millions of email addresses and passwords provided by the FBI are now searchable)
  4. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Zero Trust tailor-made for Okta. Book a demo today.

Weekly Update 341

By Troy Hunt
Weekly Update 341

Most of this week's video went on talking about the UniFi Dream Wall. What a unit! I mean it's big, but then it wraps a lot of stuff up in the one device too. If you watch this and have thoughts on how I can integrate it into the new garage such that it doesn't clash with the dark theme, I'd love to hear about it. I'll share more once I set it up in the coming weeks but for now, enjoy this week's video πŸ™‚

Weekly Update 341
Weekly Update 341
Weekly Update 341
Weekly Update 341

References

  1. The UniFi Dream Wall is an impressive unit (that's a link to the video I was referring to and it does show 2 HDDs so... πŸ€·β€β™‚οΈ)
  2. The tweet that went nuts (can we all just agree that Twitter - and Elon - are polarising, but both are still here, still working and probably not going anywhere soon?)
  3. Pwned Passwords has now surpassed 4 billion monthly requests! (I'm getting kinda curious as to just how big this thing is going to get...)
  4. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Zero Trust tailor-made for Okta. Book a demo today.

Weekly Update 340

By Troy Hunt
Weekly Update 340

I'm excited about coming to Prague. One more country to check off the list, apparently a beautiful city and perhaps what I'm most stoked about, it's the home of Prusa 3D. Writing this as I wrangle prints out of my trusty MK3S+, I'm going to do my best to catch up with folks there and see some of the super cool stuff they're doing. Other than that, this week is full of the usual; data breaches, IoT and a cold 🍺

Weekly Update 340
Weekly Update 340
Weekly Update 340
Weekly Update 340

References

  1. I'm coming to Prague! (Experts Live Europe, see you there September 18)
  2. I'm crow-sourcing a new and improved version of the HIBP email extractor (and no, it's not going to facilitate cybercrime πŸ€¦β€β™‚οΈ)
  3. TheGradCafe was breached (they apparently know about it, but just won't reply to anyone trying to reach them on it)
  4. The kitchen shall be black! (as you can probably glean from this thread, there's a huge amount of thought going into this)
  5. My network got, uh, too big 😲 (it was always going to be better to VLAN the IoT devices anyway, and now it's done)
  6. The garage is now starting to look more finished (within the next couple of weeks, other than the joinery work it should look pretty complete)
  7. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.

Weekly Update 339

By Troy Hunt
Weekly Update 339

Why can't I audio right? It's my 339th video and I still make mistakes πŸ™‚ But it came good and we got a decent show out of it with lots of interesting engagement even though doing this a lot later in the day than usual. I found the discussion around IoT door locks especially interesting as it's a real nexus of security, usability and a bit of critical thinking about real world risks. That term "security absolutism" that came up in the comments is gold, I hope you enjoy watching this episode.

Weekly Update 339
Weekly Update 339
Weekly Update 339
Weekly Update 339

References

  1. Yale IoT door locks seem to be the least bad ones you can buy! (you can have that slogan for free guys πŸ™‚)
  2. The HDB Financial Services breach went into HIBP (after their parent company denied the breach...)
  3. Canada's Shopper+ also went into HIBP (another 878k records dating back to 2020)
  4. Latitude Financial announced a breach this week (another major one down under as Australia continues representing in data breach land)
  5. At long last, Eye4Fraud has acknowledged their breach... (via one the most half-arsed disclosure statements I've ever seen)
  6. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.

Weekly Update 338

By Troy Hunt
Weekly Update 338

I'm going lead this post with where I finished the video because it brought the biggest smile to Charlotte's and my faces this week:

This. Is. Amazing 😍 pic.twitter.com/wOl4kpK841

β€” Troy Hunt (@troyhunt) March 3, 2023

When I talked about the McLaren in this week's video, Frits made the comment "the smile on your face says it all", which absolutely nailed it. But more than that, it brings a smile to the face of everyone who sees it (I suspect the colour helps), we're just loving seeing the excitement expressed by kids and adults alike. It's so much fun 😊

Less fun is dealing with Eye4Fraud. 24 hours on from recording this video, there's still zero visible progress and I lament that this one is just going to slip beneath the radar. If you're in the breach, do push for answers, it really shouldn't be this hard. All that and more in this week's video, enjoy!

Weekly Update 338
Weekly Update 338
Weekly Update 338
Weekly Update 338

References

  1. Oh Namesco, you do provide entertainment! (still selling SSL like it's 2015)
  2. Eye4Fraud - the one that gives merchants "guaranteed protection" - had lots of millions of their merchant's transactions dumped (and to date, they don't appear to have actually told anyone)
  3. Cloudflare's cache reserve is pretty amazing stuff (as expected, the cache hit ratio is even better one day on with 100 less origin requests and only a slight decrease in overall traffic)
  4. It was almost a decade ago when I last wrote about a car (should I do another one for the McLaren?)
  5. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.

Weekly Update 337

By Troy Hunt
Weekly Update 337

Guns! You know, the things you kinda want to keep pretty well protected and out of the hands of nefarious parties, like the kinds of folks that following their data breach could match firearms to an individual at an address on a phone number of a gender and specific age. But don't worry, no financial information was compromised! πŸ€¦β€β™‚οΈ

All that and more in the 337th addition of my weekly update, enjoy!

Weekly Update 337
Weekly Update 337
Weekly Update 337
Weekly Update 337

References

  1. GunAuction.com got pwned (it only took them 2 months to tell absolutely nobody about it too)
  2. The Ticketcounter hackers have been pwned (3 kids, surprise surprise)
  3. The office acoustic work is finally complete! (I love this, it's amazing 😍)
  4. The Ubiquiti AI 360 cam is really impressive (check out how that fisheye view can be flatted into frames of other parts of the room)
  5. We got burgled - but only a little bit (I'm more annoyed about the lapses in my own security, but mitigating controls ultimately made this a non-event)
  6. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.

Weekly Update 336

By Troy Hunt
Weekly Update 336

Hey, it's double-Troy! I'm playing with the Insta360 Link cam, a gimbal-based model that can follow you around the room. It's tiny and pretty awesome for what it is, I'm doing some back-to-back with that and my usual Sony a6400 this week. A little note on that: during the live stream someone suggested there was some lag from that camera (very minor, they suggested), but others couldn't see it. I've just been watching a bit of the video while writing up this post and I reckon they're right. Try the 3:02 mark, for example, where on Insta360 Link I have my finger up but on the Sony a6400, I don't:

Weekly Update 336

It's very minor, but it's just enough to notice. Anyway, see what you think, all that a much more in weekly update 336:

Weekly Update 336
Weekly Update 336
Weekly Update 336
Weekly Update 336

References

  1. I spoke at the Association of Superannuation Funds Australia this week (very happy to see cybersecurity on the agenda at a finance conference)
  2. These Insta360 cameras are kinda blowing my mind 🀯 (super weird to think of 360 video that allows you to later go back and "point the camera" wherever you wanted it to be)
  3. 🐰 🐰 🐰 🐰 🐰 🐰 (maybe I just like putting rabbit emojis in a blog post title, or maybe the firewall stuff with Cloudflare, Stripe and OWASP was an interesting little adventure)
  4. Twitter is killing SMS-based 2FA if you're not paying them any money (their messaging was poor, but the outcome is probably the right one)
  5. What happens if your DNA get pwned? (probably nothing... yet)
  6. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.

Weekly Update 335

By Troy Hunt
Weekly Update 335

No cyber. It's literally a "cyber-free" week, as least far as the term relates to security things. Instead, I'm unboxing an armful of Insta360 goodies and lamenting the state of IoT whilst putting even more IoT things into our massive garage renovation. I'm enjoying it though. Honestly. I think...

Weekly Update 335
Weekly Update 335
Weekly Update 335
Weekly Update 335

References

  1. The Ubiquiti AI Bullet camera with license plate recognition is... 😲 (as for criticism received for pointing a security camera into a public place, that's... πŸ€¦β€β™‚οΈ)
  2. Trying to find an IoT door lock that does everything is... 🀬 (unfortunately, the best one I can find doesn't actually exist yet)
  3. When it does launch, the Aqara U100 looks pretty sweet (really liking the Apple Home Key integration in particular)
  4. The digitally rendered video for our upgraded garage is... 😲 (lots of detail needs to change, but you get the idea)
  5. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.

Weekly Update 334

By Troy Hunt
Weekly Update 334

Did I really need to get a connected BBQ? No more than I needed to connect most of the other things in the house which is to say "a bit useful but not entirely necessary". But it's a fascinating process when looked at through the lens of how accessible the technology is to your average person given it's embedded in a consumer-orientated product. In short - it's painful - but listen to this week's update to hear precisely why. Plus, there's a heap of new data breach and some really, really good news about the NTLM hashes now being available in Pwned Passwords. Enjoy 😊

Weekly Update 334
Weekly Update 334
Weekly Update 334
Weekly Update 334

References

  1. BBQ'ing shouldn't be this hard (not the cooking, I mean getting the damn thing connected to the network!)
  2. Instant Checkmate was breached (12M email addresses right there)
  3. TruthFinder was also breached (same parent company, another 8M addresses there)
  4. The LimeVPN breach also went into HIBP (you really want to be able to trust your VPN provider)
  5. Weee was breached too (another case where it was too hard to get in touch with them)
  6. Full parity for NTLM hashes in Pwned Passwords is now live! (once again, bit shout out to StefΓ‘n JΓΆkull SigurΓ°arson for his work on this)
  7. Sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.

Weekly Update 333

By Troy Hunt
Weekly Update 333

Getting everything out nice and early today so we can get out there in hit the wake park in the balmy "well over 30C" weather (the radio is talking about "severe heatwave weather" as I write this). But hey, we're surrounded by water and a beer delivery is due today so no crisis 😎 There's also a heap more data breach news and I'll be putting that connected BBQ to use for the first time today, stay tuned for epic pics on all of the above over the coming hours!

Weekly Update 333
Weekly Update 333
Weekly Update 333
Weekly Update 333

References

  1. HTTPS still doesn't equal trust, it never did, it never will and Aussie Broadband were way off the mark to imply otherwise (they did later recant on that position, but the messaging still isn't completely right)
  2. Namesco in the UK sent out messaging to customers which shows they have absolutely no idea about some of the most basic, fundamental tents of how SSL works (hoping we get a follow-up on this, it's inexcusable in this day and age)
  3. Planet Ice in the UK was breached (240k people with 82% of them already in HIBP)
  4. Pitt Meadows School District in British Columbia was breached (only 0.1% of accounts were already in HIBP)
  5. I'm getting seriously sick of the lack of proper disclosure from many organisations (it really isn't this hard - it shouldn't be this hard)
  6. I bought a connected BBQ! (stay tuned for deliciousness 🀀)
  7. Sponsored by: CrowdSec - Gain crowd-sourced protection against malicious IPs and benefit from the most accurate CTI in the world. Get started for free.

Weekly Update 332

By Troy Hunt
Weekly Update 332

Breaches all over the place today! Well, this past week, and there's some debate as to whether one of them is a breach, a scrape or if the term just doesn't matter anyway. Plus, we've been kitchen shopping, I'm helping friends out with connected doorbells and other random but somehow related things this week. Enjoy 😊

Weekly Update 332
Weekly Update 332
Weekly Update 332
Weekly Update 332

References

  1. I'll be "at" GOTO Aarhus in May (there online, but definitely speaking at the show)
  2. Following all the awesome input, we decided to forego the teppanyaki plate on the Bora Professional 3.0 (there's a surprising amount of good culinary advice from my audience!)
  3. Zurich Japan was breached (big name, but small portion of people already in HIBP)
  4. Autotrader had a heap of data breacraped (breached? scraped? does it matter?)
  5. Speaking of which, when actually is a scrape a breach? (my more concerted thoughts on the matter all in one place)
  6. Norwegian adventure store KomplettFritid was also breached (apparently, they decided to not tell their customers)
  7. GoTo, the owner of LastPass, "shared more bad news" (I do have some historical views on this organisation...)
  8. Hey, it's my views on GoTo! (nearly 13 years old now, but this remains poor behaviour IMHO)
  9. Sponsored by: CrowdSec - Gain crowd-sourced protection against malicious IPs and benefit from the most accurate CTI in the world. Get started for free.

Weekly Update 331

By Troy Hunt
Weekly Update 331

Well and truly back into the swing of things in the new year, I think what I've found most satisfying this week is to sit down and pump out a decent blog post on something technical. It's an itch I just haven't had enough time to scratch properly in recent times and I really hope Pwned or Bot makes up for that. I love that it's generating discussion (both for and against) and that it's causing people to stop and think about how we establish the legitimacy of identities in an increasingly bot-centric world. I hope you enjoy this week's update and all the conversation surrounding it.

Weekly Update 331
Weekly Update 331
Weekly Update 331
Weekly Update 331

References

  1. Pollies, porn and pyrotechnics (and now I know why Canberra is know for porn)
  2. The Twitter API situation is a complete flustercuck (I'd be less upset if they made the native app way better)
  3. What is 1Password had a data breach? (read about how they protect your keychain such that even after a data breach, the master password alone would be useless)
  4. Since recording this morning, I've poured hours into what presently has a working titled of "Down the Cloudflare / Stripe / OWASP Rabbit Hole: A Tale of 5 Rabbits Deep 🐰 🐰 🐰 🐰 🐰" (I just kept going until I got stuck and pumped out the linked tweet)
  5. Pwned or Bot is drumming up plenty of good feedback and in true Twitter form, plenty of controversy (no, you shouldn't be penalised for not being breached, go back and read the whole thing again)
  6. Sponsored by: CrowdSec - Gain crowd-sourced protection against malicious IPs and benefit from the most accurate CTI in the world. Get started for free.

Weekly Update 330

By Troy Hunt
Weekly Update 330

Big week! So big, in fact, that I rushed into this week's update less prepared and made it a very casual one, which is just fine 😊 It's mostly password books and kitchen equipment this week, both topics which had far more engagement than I expected but made them all the more interesting. Next week I'll get back into the pattern of switching between last thing Friday and first thing Friday so it'll be my morning again on the 20th, see you then!

Weekly Update 330
Weekly Update 330
Weekly Update 330
Weekly Update 330

References

  1. After all this week's action, I was a little bit less organised today (link through to a Facebook post, I put a lot more pics and vids there than on other platforms)
  2. I'm ok with password books (you can buy them down at our local post office)
  3. I'm so ok with password books, that I wrote an entire blog post on it a few years ago (well, on that and other aspects of why chasing the perfect security solution isn't the right approach)
  4. It's looking increasingly dire for 3rd party Twitter clients using their API (surely it would be communicated in advance if they were being killed?)
  5. My kitchen rebuild tweet thread had some awesome responses to it (the suggestions there will definitely help shape the final product)
  6. Sponsored by: CrowdSec - The open-source & collaborative security stack: respond to attacks & share signals across the community. Download it for free

Weekly Update 329

By Troy Hunt
Weekly Update 329

Strap yourself in, this is a big one! Big video, big breach (scrape?), and a big audience today. The Twitter incident consumed a heap of my time before, during and after this live stream, but then I go and get a sudden itch to do stuff like the number plate capturing and, well, there goes even more hours I don't have. But hey, I love what I do and I have no regrets, I hope you enjoy watching this week's vid 😊

Oh - one more thing: today I set up an official Mastodon account for HIBP. If you've got a footprint in the fediverse, please go and give the account a follow. There are a bunch of others out there that definitely aren't run by me, it's only this one, it only follows me personally and it has a verified website of haveibeenpwned.com so should be easy to find even if you don't follow the link above.

Weekly Update 329
Weekly Update 329
Weekly Update 329
Weekly Update 329

References

  1. The old legacy rate limit for the HIBP API is now gone (loads of warning on this, but the stats show a lot of extra requests being rate limited since the change hit)
  2. The Deezer breach has been really poorly communicated on their behalf (seems like they forgot to notify, well, everyone!)
  3. Looks like the scraped Twitter data all came by throwing previously breached email addresses at a vulnerable API (you can't even blame Elon for that one... but you can probably blame him for the zero comms on the incident)
  4. I had way too much fun letting ChatGPT mess with a spammer (he wasn't quite as amused as me 🀣)
  5. I've been playing around with capturing number plates via my Ubiquiti gear (after more trialling today, my conclusion is that I need to get my hands on some of their new AI gear and stop trying to build this myself)
  6. Sponsored by: 1Password, a secure password manager, is building the passwordless experience you deserve. See how passkeys work

Weekly Update 328

By Troy Hunt
Weekly Update 328

We made it! That's 2022 done and dusted, and what a year it was, both professionally and personally. It feels great to get to the end of the year with all the proverbial ducks lined up, some massive achievements now behind us (not least of which was the wedding), and a clean slate coming into 2023 to do amazing things. I'm super excited about next year and can't wait to share a whole bunch of new stuff over the coming 52 Fridays. For now though, here's the last of it from a pretty crazy year, enjoy 😊

Weekly Update 328
Weekly Update 328
Weekly Update 328
Weekly Update 328

References

  1. We spent Xmas day poolside in Singapore (yes, some places in the world are actually hot when Santa comes!)
  2. Could ChatGPT be used to toy with spammers? (let's find out, I'll keep the thread updated with any responses πŸ™‚)
  3. I've been shuffling around a bunch of my Home Assistant entities from switches to lights (anecdotally, these changes appear to have really improved things thus far)
  4. Sponsored by: 1Password, a secure password manager, is building the passwordless experience you deserve. See how passkeys work

Weekly Update 327

By Troy Hunt
Weekly Update 327

It's my last weekly update on the road for a while! As enjoyable as travel is, I'm looking forward to getting back to a normal routine and really starting to smash out some of the goals I have for the coming year. For now though, I've published this a couple of days after recording, and a day after an awesome hot, beachside Christmas. Hope yours has been amazing too, see you from home next week 😊

Weekly Update 327
Weekly Update 327
Weekly Update 327
Weekly Update 327

References

  1. LastPass has added an update re their recent security incident (if keychains have been downloaded - even fully encrypted ones - that's bad news)
  2. Personally, I quite like the public view count on all tweets (if you dislike it just purely because it was introduced under Elon's reign, that's a different problem)
  3. Sponsored by: 1Password, a secure password manager, is building the passwordless experience you deserve. See how passkeys work

Weekly Update 326

By Troy Hunt
Weekly Update 326

Despite having both my tripod and mic in the wrong suitcase in the wrong place, Scott and I still pulled together a weekly vid from the Norwegian mountains. Much of this week is a combination of our travels here, responses to my tweets around cookie warnings and reactions to Elon's various decisions (and undecisions) on Twitter. Plus, there's the CoinTracker and Gemini breaches which appear to have stemmed from the SendGrid breach, the connection to that incident having been made by CoinTracker just after we had a friendly exchange about the description in HIBP πŸ™‚

I'll leave you with some epic pics we snapped a few hours after this video, what a sight to behold, especially whilst sitting in the hot tub with good friends and cold beer 😊

🀯 pic.twitter.com/Q5hYc0tGHd

β€” Troy Hunt (@troyhunt) December 17, 2022
Weekly Update 326
Weekly Update 326
Weekly Update 326
Weekly Update 326

References

  1. 99% of people vehemently hate cookie warnings, and 1% just want to argue about whose fault it is πŸ€·β€β™‚οΈ (that tiny minority is really missing the point)
  2. Reading Elon's tweets is... entertaining (but the propensity for some to be outraged at his every move is also... entertaining)
  3. The penny dropped whilst doing this livestream that CoinTracker has now published a post specifically naming SendGrid as the "third party" that exposed their data (wonder why they - and Gemini - didn't initially name them?)
  4. Sponsored by: Kolide believes that maintaining endpoint security shouldn’t mean compromising employee privacy. Check out our manifesto: Honest Security.

Weekly Update 325

By Troy Hunt
Weekly Update 325

For the first time in I don't know how long, I couldn't do this live. Turns out both cell and wifi in Lapland are, with the benefit of hindsight, exactly what you'd expect from a remote location in the Arctic circle. The rest of the place was pretty amazing though, and a good deal of this week's content has gone to that. Plus, there's the whole "Australia becoming the world's most cyber-secure country" goal which deserves discussion. Oh - and the tweet with that pic I discuss - I'll just leave that one here 😊

Sometimes, life feels like a fairytale. This is now my favourite photo ever ❀️ pic.twitter.com/lspKwVVSly

β€” Troy Hunt (@troyhunt) December 9, 2022
Weekly Update 325
Weekly Update 325
Weekly Update 325
Weekly Update 325

References

  1. Will Australia become the world's most cyber-secure country by 2030? (Is it feasible? Measurable? Does it even matter?)
  2. Abandonia was breached again (7 years on, and still salted MD5 password hashes πŸ€¦β€β™‚οΈ)
  3. I mentioned my Hack Your Career talk as it relates to dealing with snarky comments online (deep linked to the point where I cover this exact topic)
  4. Sponsored by: Varonis. Reduce your SaaS blast radius with data-centric security for AWS, G Drive, Box, Salesforce, Slack and more.

Weekly Update 324

By Troy Hunt
Weekly Update 324

We're in Copenhagen! Scott and family joined us in Oslo for round 2 of wedding celebrations this week before jumping on the ferry to Copenhagen and seeing the sights here. There's lots of cyber things in this week's vid relating to HIBP's birthday, Medibank and financial penalties for breaches, but I'm just going to leave you with one of the most amazing moments of my life captured in pics:

πŸ‡³πŸ‡΄ ❀️ πŸ‘°β€β™€οΈ 🀡 pic.twitter.com/pPY49DArIF

β€” Troy Hunt (@troyhunt) December 2, 2022
Weekly Update 324
Weekly Update 324
Weekly Update 324
Weekly Update 324

References

  1. Scott joined Charlotte and I for our second wedding celebration in Oslo (a very special occasion with some amazing pics... just wait until you see what's coming)
  2. I stopped by NDC in Oslo this week to do a joint user group for them and NNUG (first time back in Oslo for almost 3 years!)
  3. It's HIBP's 9th birthday today (well that escalated... quickly?)
  4. The ransomware crew that hit Medibank has announced "case closed" (it's certainly far from that for Medibank, but hopefully that's the end of dumped data)
  5. The Ministry of Foreign Affairs of Russia is throwing shade at Australia for attributing the Medibank hack back to Russian criminals (this was always going to get messy)
  6. The Aus government has laid down some serious maximum penalties for future data breaches ("maximum" being the operative word, this isn't about killing companies)
  7. Sponsored by: Kolide is an endpoint security solution for teams that want to meet SOC2 compliance goals without sacrificing privacy. Learn more here.

Weekly Update 323

By Troy Hunt
Weekly Update 323

Finally, after nearly 3 long years, I'm back in Norway! We're here at last, leaving our sunny paradise for a winter wonderland. It's almost surreal given how much has happened in that time, not just the pandemic but returning to Oslo with Charlotte as my Norwegian wife is super cool 😎 Other things this week are not so different, namely people complaining on Twitter (albeit also complaining about Twitter). As I find myself continually caveating, YMMV but it does feel like events are being overly dramatised by some at present. Time will tell, but I think we'll all still be using the platform to complain about things just as effectively in a year from now as we are today πŸ™‚

Weekly Update 323
Weekly Update 323
Weekly Update 323
Weekly Update 323

References

  1. Catch me this week in Oslo doing a free meetup for NDC and NNUG (Tuesday from 17:00 onwards)
  2. Have you heard there's some controversy surrounding Twitter at present? (geez this thread opened a can of worms, it's a massively divisive topic right now)
  3. Acxiom didn't get breached, but that doesn't stop people shipping around "The Acxiom Breach" (I hate breach misattribution with a passion)
  4. You can now get Pwned for 30% less! (because it's a holiday in America, we've made my book cheaper 😊)
  5. Sponsored by: 1Password, a secure password manager, is building the passwordless experience you deserve. See how passkeys work

Weekly Update 322

By Troy Hunt
Weekly Update 322

It's very strange to have gone 1,051 days without spending more than a few hours apart, but here we are... very temporarily:

Only 15,501km away 😒 And only 4 days until I head back to Oslo 😊 pic.twitter.com/PDn1Syplig

β€” Troy Hunt (@troyhunt) November 20, 2022

Which means that right now, I'm throwing myself into a gazillion other things to keep me busy including how schools advise parents to manage devices, wrapping gup that HTML signature, asking probing questions about paying ransoms and, unbelievably, fighting off the most ridiculous claim of HIBP having been P'd. That last one especially, FFS, just listen...

Weekly Update 322
Weekly Update 322
Weekly Update 322
Weekly Update 322

References

  1. Does your child's school provide any guidance around the use of native parental controls on their devices? (not a poll, but a near unanimous "no" response anyway)
  2. My HTML email signature is finally done - it was not a fun process 😭 (for my next trick - making it actually work in Exchange for iOS)
  3. Should there be a government ban on paying a ransom to stop breached data from being publicly leaked? (this one is a poll... with a very clear result)
  4. Have I Been Pwned didn't get pwned (I can't believe how this got written in the first place, nor how anyone ever even took it seriously πŸ€¦β€β™‚οΈ)
  5. Sponsored by: Varonis. Reduce your SaaS blast radius with data-centric security for AWS, G Drive, Box, Salesforce, Slack and more.

Weekly Update 321

By Troy Hunt
Weekly Update 321

What a week to pick to be in Canberra. Planned well before things got cyber-crazy in Australia, I spent a few days catching up with folks in our capital and talking to the Australia Federal Police for scam awareness week. That it coincided with the dumping of Medibank customer health records made it an especially interesting time to talk with police, politicians and industry leaders. A bit of a bizarre, whirlwind week if I'm honest, but full of very positive encounters even though it coincided with such a demanding time for many of us in this industry down here.

Weekly Update 321
Weekly Update 321
Weekly Update 321
Weekly Update 321

References

  1. Mastodon has been... entertaining 🀣 (just a collection of fun tweets that perfectly illustrate how much many of us have struggled to wrap our heads around it)
  2. HTML email signatures are a complete nightmare ("mjml" bubbled to the top a few times as a way of tackling this)
  3. HIBP API keys can be bought at different rate limits and paid a year in advance! (by some unexplainable miracle, 100% of feedback has been positive!)
  4. I've honestly become a bit lost for words over the Medibank ransom saga, it's just absolutely horrendous (that's a link to my thread commentating on the data dumps)
  5. Sponsored by: Varonis. Reduce your SaaS blast radius with data-centric security for AWS, G Drive, Box, Salesforce, Slack and more.

❌