Sponsored by: Checkmarx – Application Security Testing Developers Actually Use

Y'know, for all the talk of jet skis, I'd never actually done a weekly update on it. Until today. It's autumn here and the weather is still beautiful so I went for a quick blast and recorded this one. This week, there's my Security Sense column on the futility of aiming for absolute security, a lot of talk on the whole Dun & Bradstreet spam list (let's just call it what it is) and also the Wishbone breach, among other things.

Incidentally, checkout the underwater bit at the end, especially that jellyfish!

iTunes podcast | Google Play Music podcast | RSS podcast

References

1. There is no "zero chance of security risks" (and no chance of a zero road toll either)
2. Dun & Bradstreet's whopping spam list got leaked (no, it's not for "optimising your demand generation engine", it's for sending spam)
3. Wishbone get got hacked and their data dumped (with practices like this, is it any wonder?!)
4. I was on the Reply All podcast (which is actually really good!)
5. Checkmarx is still up in the sponsor bar

Sponsored by: Exabeam - Security doesn’t stop at detection. Automate your response procedures with incident workflows and playbooks. Learn more.

There's a seemingly endless flood of data breaches these days. Pretty much every day I get sent dumps from somewhere or other, usually websites I've never heard of and often dating back to compromises from years ago. They vary in size from thousands of accounts to many millions - and this is just the ones I've looked at. In short, there's way more data than I have time to process.

Occasionally though, an incident floats to the top of the others which is what's happened over the last few days. There was news just recently of a large number of vBulletin forums having been compromised by an actor known as "CrimeAgency" and the data consequently circulating. I had, in fact, been sent this data and the main reason I hadn't processed it was due to the large number of small incidents it contained. There were 140 databases in total, the largest of which totalled a "mere" 43k accounts. But added up, we're looking at just under one million unique email addresses or 942k to be precise. Given that scale, I've decided to load them all in at once and categorise them as a single incident.

Now here's the tricky bit: I can't point to which breach each account was found in. I've loaded the data into HIBP and titled it "CrimeAgency vBulletin Hacks" but finding your email address in there won't tell you specifically which incident it belongs to. What I've decided to do in order to provide at least some support to those trying to work out where their data was exposed is list all the sites below. This is each file listed in descending size followed by the number of unique email addresses found in it. It's actually the output of one of my parsing scripts so this is precisely what I see when I begin processing a multi-file breach like this:

1: Reading file "yojoe.com-vb-2017.txt" at 3,814kb
Found 43,134 distinct emails

2: Reading file "sgcafe.com-vb-2017.txt" at 3,479kb
Found 34,201 distinct emails

3: Reading file "techimo.com-vb-2017.txt" at 3,350kb
Found 46,736 distinct emails

4: Reading file "porno-maniac.org-vb-2017.txt" at 3,285kb
Found 33,770 distinct emails

5: Reading file "forum.jdmstyletuning.com-vb-2017.txt" at 3,055kb
Found 34,994 distinct emails

6: Reading file "sedona.com-vb-2017.txt" at 2,951kb
Found 32,577 distinct emails

7: Reading file "aussievapers.com-vb-2017.txt" at 2,813kb
Found 28,907 distinct emails

8: Reading file "torrent-invites.com-vb-2017.txt" at 2,766kb
Found 39,636 distinct emails

9: Reading file "ewebdiscussion.com-vb-2017.txt" at 2,734kb
Found 25,662 distinct emails

10: Reading file "forums.bandainamcogames.com-vb-2017.txt" at 2,688kb
Found 28,311 distinct emails

11: Reading file "spurstalk.com-vb-2017.txt" at 2,650kb
Found 24,416 distinct emails

12: Reading file "texasguntalk.com-vb-2017.txt" at 2,605kb
Found 29,476 distinct emails

13: Reading file "gamesforum.com-vb-2017.txt" at 2,346kb
Found 33,391 distinct emails

14: Reading file "teens-xxx.org.txt" at 2,240kb
Found 12,478 distinct emails

15: Reading file "vapersforum.com-vb-2017.txt" at 2,206kb
Found 29,386 distinct emails

16: Reading file "divxup.com-vb-2017.txt" at 2,121kb
Found 29,066 distinct emails

17: Reading file "tetongravity.com-vb-2017.txt" at 2,030kb
Found 24,599 distinct emails

18: Reading file "marijuanagrowing.com-vb-2017.sql" at 1,936kb
Found 17,450 distinct emails

19: Reading file "elluel.net-vb-2017.txt" at 1,578kb
Found 16,950 distinct emails

20: Reading file "free-dc.org-vb-2017.txt" at 1,400kb
Found 17,330 distinct emails

21: Reading file "community.playkot.com-vb-2017.txt" at 1,378kb
Found 14,109 distinct emails

22: Reading file "forums.cashisonline.com-vb-2017.txt" at 1,242kb
Found 12,515 distinct emails

23: Reading file "psychonaut.com-vb-2017.txt" at 1,228kb
Found 14,076 distinct emails

24: Reading file "forums.mra-racing.org-vb-2017.txt" at 1,173kb
Found 14,619 distinct emails

25: Reading file "forums.augi.com-vb-2017.txt" at 1,148kb
Found 14,384 distinct emails

26: Reading file "forum.epygi.com-vb-2017.txt" at 1,065kb
Found 13,826 distinct emails

27: Reading file "safeskyhacks.com-vb-2017.txt" at 940kb
Found 9,815 distinct emails

28: Reading file "fpvlab-vb-2017.com.txt" at 915kb
Found 9,845 distinct emails

29: Reading file "xboxforum.com-vb-2017.txt" at 898kb
Found 11,112 distinct emails

30: Reading file "forums.kingsoftherealm.com-vb-2017.txt" at 866kb
Found 3,008 distinct emails

31: Reading file "rangevideo.com-vb-2017.txt" at 856kb
Found 9,520 distinct emails

32: Reading file "maiestas.org-vb-2017.txt" at 855kb
Found 8,434 distinct emails

33: Reading file "joyheat.com-vb-2017.txt" at 785kb
Found 8,391 distinct emails

34: Reading file "wiiuforums.com-vb-2017.txt" at 779kb
Found 7,306 distinct emails

35: Reading file "mernetwork.com-vb-2017.txt" at 764kb
Found 7,861 distinct emails

36: Reading file "breezesysforum.co.uk-vb-2017.txt" at 759kb
Found 8,323 distinct emails

37: Reading file "pixelentity.com-vb-2017.txt" at 755kb
Found 8,152 distinct emails

38: Reading file "gossamerblue.com-vb-2017.txt" at 707kb
Found 6,747 distinct emails

39: Reading file "leakninja.com-100k-vb-jan-2017-full.txt" at 678kb
Found 7,241 distinct emails

40: Reading file "italianhax.com-vb-2017.txt" at 672kb
Found 7,217 distinct emails

41: Reading file "forums.zarafa.com-vb-2017.txt" at 660kb
Found 7,849 distinct emails

42: Reading file "kirupa.com-vb-2017-jan-dump.txt" at 618kb
Found 8,967 distinct emails

43: Reading file "united-muscle.com-vb-2017.txt" at 551kb
Found 5,651 distinct emails

44: Reading file "koboxingforum.com-vb-2017.txt" at 530kb
Found 5,894 distinct emails

45: Reading file "canwatchco.ca-vb-2017.txt" at 511kb
Found 5,514 distinct emails

46: Reading file "hindudharmaforums.com-vb-2017.txt" at 508kb
Found 6,685 distinct emails

47: Reading file "reasonforums.com-vb-2017.txt" at 506kb
Found 5,410 distinct emails

48: Reading file "bleachmyasylum.com-vb-2017.txt" at 472kb
Found 4,977 distinct emails

49: Reading file "righttorebel.net-vb-2017.txt" at 469kb
Found 5,063 distinct emails

50: Reading file "swgreckoning.com-vb-2017.txt" at 453kb
Found 4,900 distinct emails

51: Reading file "progressiveears.org-vb-2017.txt" at 449kb
Found 4,767 distinct emails

52: Reading file "barcaforum.com-vb-2017.txt" at 441kb
Found 4,739 distinct emails

53: Reading file "calltermination.com-vb-2017.txt" at 440kb
Found 4,184 distinct emails

54: Reading file "forum.atlasti.com-vb-2017.txt" at 406kb
Found 4,891 distinct emails

55: Reading file "burningwheel.com-vb-2017.txt" at 402kb
Found 4,631 distinct emails

56: Reading file "pr-rp.com-vb-2017.txt" at 402kb
Found 3,653 distinct emails

57: Reading file "community.freebord.com-vb-2017.txt" at 398kb
Found 4,557 distinct emails

58: Reading file "tequila.net-vb-2017.txt" at 373kb
Found 4,472 distinct emails

59: Reading file "birdphotographers.net-vb-2017.txt" at 367kb
Found 3,917 distinct emails

60: Reading file "vrtalk.com-vb-2017.txt" at 341kb
Found 3,610 distinct emails

61: Reading file "mtsboard.com-vb-2017.txt" at 327kb
Found 3,473 distinct emails

62: Reading file "gaijingamers.com-vb-2017.txt" at 322kb
Found 3,396 distinct emails

63: Reading file "va-outdoors.com-vb-2017.txt" at 314kb
Found 3,513 distinct emails

64: Reading file "systemtools.com-vb-admin-only-2017.txt" at 300kb
Found 4,058 distinct emails

65: Reading file "nflfans.com-vb-2017.txt" at 289kb
Found 3,985 distinct emails

66: Reading file "riseofchampions.com-vb-2017-dump.txt" at 286kb
Found 3,005 distinct emails

67: Reading file "ps4forums.com-vb-2017.txt" at 280kb
Found 2,562 distinct emails

68: Reading file "new-smoke.com-vb-2017.txt" at 268kb
Found 2,856 distinct emails

69: Reading file "zonehacks.com-vb-2017.txt" at 259kb
Found 2,642 distinct emails

70: Reading file "smallworlds.com-vb-2017.txt" at 251kb
Found 2,532 distinct emails

71: Reading file "roaddevils.com-vb-2017.txt" at 242kb
Found 2,460 distinct emails

72: Reading file "clan-gameover.com-vb-2017.txt" at 239kb
Found 2,516 distinct emails

73: Reading file "smallblockposse.com-vb-2017.txt" at 239kb
Found 2,521 distinct emails

74: Reading file "wildraiderz.com-vb-2017.txt" at 236kb
Found 2,522 distinct emails

75: Reading file "forum.rompvp.com-vb-2017.txt" at 200kb
Found 2,174 distinct emails

76: Reading file "downloadpolitics.com-vb-2017.txt" at 190kb
Found 1,746 distinct emails

77: Reading file "pascalgamedevelopment.com-vb-2017.txt" at 177kb
Found 2,431 distinct emails

78: Reading file "pixelgoose.com-vb-2017.txt" at 169kb
Found 1,750 distinct emails

79: Reading file "darkmills.cc-vb-2017.txt" at 154kb
Found 1,564 distinct emails

80: Reading file "forums.supertrapp.com-vb-2017.txt" at 149kb
Found 2,060 distinct emails

81: Reading file "scenesat.com-vb-2017.txt" at 148kb
Found 1,769 distinct emails

82: Reading file "board.uscho.com-vb-2017.txt" at 142kb
Found 1,805 distinct emails

83: Reading file "eirtakon.com-vb-2017.txt" at 136kb
Found 1,691 distinct emails

84: Reading file "aosts.net-vb-2017.txt" at 130kb
Found 1,310 distinct emails

85: Reading file "ftxgames.com-vb-2017.txt" at 126kb
Found 1,304 distinct emails

86: Reading file "nsxprime.com-vb-2017.txt" at 121kb
Found 1,743 distinct emails

87: Reading file "foilforum.com-vb-2017-dump.txt" at 121kb
Found 1,365 distinct emails

88: Reading file "darkstar-gaming.com-vb-2017'.txt" at 117kb
Found 1,278 distinct emails

89: Reading file "backcountrytalk.earnyourturns.com-vb-2017.txt" at 112kb
Found 1,213 distinct emails

90: Reading file "devil-group.com.txt" at 111kb
Found 1,113 distinct emails

91: Reading file "bdsmfap.com-vb-2017.txt" at 110kb
Found 1,182 distinct emails

92: Reading file "greenstandardsltd_companypasses.csv" at 103kb
Found 0 distinct emails

93: Reading file "filmleaf.net-vb-2017.txt" at 101kb
Found 410 distinct emails

94: Reading file "sledderforums.com-vb-2017.txt" at 99kb
Found 1,000 distinct emails

95: Reading file "bluepearl-skins.com-vb-2017.txt" at 93kb
Found 949 distinct emails

96: Reading file "forums.superbetter.com-vb-2017.txt" at 93kb
Found 997 distinct emails

97: Reading file "forum.pitofwar.com-vb-2017.txt" at 85kb
Found 905 distinct emails

98: Reading file "simplelivingforum.net-vb-2017.txt" at 69kb
Found 595 distinct emails

99: Reading file "xsyon.com-mmorpg-vb-2017.txt" at 68kb
Found 989 distinct emails

100: Reading file "tropicalflowersforums.com-vb-2017-dump.txt" at 65kb
Found 938 distinct emails

101: Reading file "atheistfoundation.org.au-vb-2017.txt" at 65kb
Found 872 distinct emails

102: Reading file "edmlife.com-vb-2017.txt" at 59kb
Found 633 distinct emails

103: Reading file "campgroundmaster.com-vb-2017.txt" at 57kb
Found 641 distinct emails

104: Reading file "fishingboard.net-vb-2017-dump.txt" at 56kb
Found 699 distinct emails

105: Reading file "supermensa.org-vb-2017.txt" at 54kb
Found 554 distinct emails

106: Reading file "gonegambling.com-vb-2017-dump.txt" at 53kb
Found 546 distinct emails

107: Reading file "pathfinder-airsoft.com-vb-2017.txt" at 52kb
Found 537 distinct emails

108: Reading file "doublefinish.com-vb-2017.txt" at 49kb
Found 511 distinct emails

109: Reading file "pashnit.com-vb-2017.txt" at 45kb
Found 640 distinct emails

110: Reading file "forum.zenstudios.com-vb-2017.txt" at 39kb
Found 543 distinct emails

111: Reading file "bluepark.co.uk-vb-2017.txt" at 36kb
Found 376 distinct emails

112: Reading file "ulfencing.net-vb-dump-2017.txt" at 36kb
Found 508 distinct emails

113: Reading file "hawkeshealth.net-vb-2017.txt" at 34kb
Found 361 distinct emails

114: Reading file "ridetherock.com-vb-2017.txt" at 33kb
Found 360 distinct emails

115: Reading file "thehousebreakingbible.com-vb-2017-.txt" at 25kb
Found 362 distinct emails

116: Reading file "onlinenutrition.com.au-vb-2017.txt" at 25kb
Found 232 distinct emails

117: Reading file "forums.prowrestling.com-vb-2017.txt" at 24kb
Found 335 distinct emails

118: Reading file "narc.net-vb-2017.txt" at 23kb
Found 255 distinct emails

119: Reading file "koboxingforum.comcrackedPW.txt" at 23kb
Found 0 distinct emails

120: Reading file "callofduty-community.com-vb-2017.txt" at 19kb
Found 193 distinct emails

121: Reading file "sectionseven.net-vb-2017.txt" at 18kb
Found 194 distinct emails

122: Reading file "teamwarfare.com-vb-2017.txt" at 17kb
Found 143 distinct emails

123: Reading file "clubdbsa.org-vb-2017.txt" at 16kb
Found 193 distinct emails

124: Reading file "thefobl.com-vb-2017.txt" at 11kb
Found 138 distinct emails

125: Reading file "mixbizz.com-vb-2017.txt" at 9kb
Found 90 distinct emails

126: Reading file "blaze-gaming.net-vb-2017.txt" at 6kb
Found 59 distinct emails

127: Reading file "ludoria.net-vb-2017.txt" at 6kb
Found 60 distinct emails

128: Reading file "tupacfanbase.com-vb-2017.txt" at 5kb
Found 53 distinct emails

129: Reading file "thewalkingdeadgaming.co.uk-vb-2017.txt" at 4kb
Found 36 distinct emails

130: Reading file "nifgaming.eu-vb-2017.txt" at 3kb
Found 40 distinct emails

131: Reading file "vill.ee-vb-2017-dump.txt" at 3kb
Found 50 distinct emails

132: Reading file "forum.diversitynursing.com-vb-2017.txt" at 3kb
Found 27 distinct emails

133: Reading file "the420room.com-vb-2017.txt" at 2kb
Found 21 distinct emails

134: Reading file "aippm.com-vb-2017.txt" at 1kb
Found 21 distinct emails

135: Reading file "theairtacticalassaultgroup.com-forum-vb-2017.txt" at 1kb
Found 12 distinct emails

136: Reading file "2ndfloor.org-vb-2017-forums.txt" at 1kb
Found 11 distinct emails

137: Reading file "gtsportstalk.com-vb-2017.txt" at 1kb
Found 4 distinct emails

138: Reading file "forums.creative.com.sql" at 1kb
Found 5 distinct emails

139: Reading file "vigilantgaming.net-vb-2017.txt" at 1kb
Found 6 distinct emails

140: Reading file "blacklistedsociety.com-vb-2017.txt" at 1kb
Found 5 distinct emails

Total distinct emails: 942,044

Most of these contain usernames, email addresses and hashed and salted MD5 passwords. When you glance through this list, you may notice that some of the sites are, well, more orientated towards "discerning adults". Consequently, I've flagged this breach as sensitive so it can't be publicly searched. Use the free notification service and click the link sent in the verification email to see if your account was exposed.

Last thing I'll add to this - stop self-hosting vBulletin! Seriously, pay professionals to do it and that goes for other managed platforms too. You're reading this on a blog served by Ghost Pro and I very happily pay those guys to do it properly for me. The 140 databases above and the dozens of other similar ones in HIBP are from people trying to do this themselves and simply not staying up to date with patches. Don't risk it!

Sponsored by: Exabeam - Security doesn’t stop at detection. Automate your response procedures with incident workflows and playbooks. Learn more.

Organisations don't plan to fail. Probably the closest we get to that in the security space is password hashing, which for all intents and purposes is an acknowledgement that one day, you may well lose them. But organisations rarely plan for how they should handle data breaches and when an incident does happen (and that seems to be a near certainty these days), they're left unprepared; they're in unfamiliar territory, there's enormous stress and pressures on them and frankly, they usually react pretty badly.

I've seen a lot of examples of how organisations have dealt with incidents over the years. I've been inside the organisation, advising the organisation, often disclosing incidents to the organisation and of course like everyone else, watching how they handle incidents from the outside. I've seen enough to recognise both good and bad patterns and I'm hoping that by highlighting them here we can learn from the precedents that have been set. Ideally, this will serve as a checkpoint for those who need to communicate an incident publicly and a quick read will keep them from making many of the mistakes I'm about to outline below.

Make it easy to submit security reports

It's hard to explain just how difficult this is unless you've been through it yourself before, preferably many times with organisations of all sizes. There are degrees of difficulty, of course, but even at the best of times it's rarely a smooth process. Let's start with how bad it can be which means starting with CloudPets who had a majorly bad run the other day. Here's what we know of the disclosure timeline (largely covered in the updates at the bottom of my post):

1. Oct: Paul Stone of Context Security attempts to contact CloudPets
2. Dec 31: Victor Gevers attempted to alert CloudPets via their ZenDesk support
3. Dec 31: My (anonymous) contact attempted to alert CloudPets via their published support address
4. Dec 31: My contact attempted to alert CloudPets via the WHOIS record contact
5. Jan 4: My contact attempted to alert Linode, CloudPets' hosting provider
6. Feb: The reporter I worked with attempted to contact them via:
   1. Multiple email addresses
   2. Many different phone numbers
   3. Their development partner

Much of this happened before their database was subsequently pilfered, ransomed and eventually, deleted. They could have significantly reduced the impact of this event simply by being receptive but instead, they now find themselves here:

Haha. All the compromised #cloudpets at the 99 cent store. I like how they covered the name with a sticker hoping nobody notices. pic.twitter.com/Bb2OLeTscn

— Alex von Gluck 🍂 (@kallisti5) March 20, 2017

So how do you make it easy for people to submit security reports? Let's take a look at Tesla's Security Vulnerability Reporting Policy and in particular, the following things they do:

1. They actually have a policy!
2. They have an email address and it's specifically for reporting vulnerabilities
3. They publish their PGP key so people can encrypt their messages
4. They make it clear what you shouldn't do when looking at their security
5. They set an expectation of how quickly they'll respond

The total cost of this is about zero; there is no easier way to get people submitting bugs responsibly than by doing this. This isn't about bug bounties either (although they do run a program with Bugcrowd), it's simply about making it easy for people to do the right thing.

Treat security reports with urgency

This sounds like a ridiculously obvious thing to say, but it's something which can be enormously frustrating for those of us disclosing vulnerabilities ethically and enormously destructive when contact is coming from shadier parties. Let's look at some examples of each.

In October 2015, someone handed me 13M records from 000webhost. I tried to get in touch with them via the only means I could find:

I won't delve into all the dramas I had again here, suffice to say I tried for days to get through to these guys and their support people acknowledged my report of a serious security incident yet couldn't get me in touch with anyone who could deal with it appropriately. I eventually went to the press with the issue and the first proper response they made was after reading about how they'd been compromised in the news headlines.

This attitude of not taking reports seriously and dealing with them promptly is alarmingly common. Let's go back to CloudPets again for a moment and their CEO gave a journalist this comment:

@lorenzoFB "We did have a reporter, try to contact us multiple times last week, you don't respond to some random person about a data breach.

— Michael Kan (@Michael_Kan) February 28, 2017

Yes you do! Random people are precisely the kind you want to respond to because they're the ones that often have your data! Here's a perfect example of that:

. @PayAsUGym We have access to your server + database, please contact me via DMs for more info, ignoring us is not a solution pic.twitter.com/HjixVT3KOD

— 1x0123 (@real_1x0123) December 15, 2016

Now at this point, the individual has to absolutely, positively be taken seriously. Ignoring the tweet is definitely not a strategy and whilst engaging with someone involved in criminal activity may not seem particularly desirable, right now they hold the balance of power. In this case, PayAsUGym ignored the guy despite my attempts to get their attention and ultimately, their data was dumped publicly.

You must disclose

Once an incident is confirmed, one of the first things we need to establish is if it needs to be publicly disclosed. I'm going to refer to a bunch of resources from the EU here because their General Data Protection Regulation (GDPR) is coming into effect next year and it's a good modern incarnation of how data breaches should be handled.

There's a good succinct piece on this by Varonis which talks about whether or not the incident is "likely to affect" those caught up in it. Whilst the term sounds a bit legal-speak, they clarify it as follows:

According to the compliance attorney we spoke to, any personal data identifiers – say, email addresses, online account IDs, and possibly IP addresses — could easily pass the likely-to-affect test

That's pretty much any data breach today; it's very rare to see one without an email address. Now if that's all it was then you could argue on the one hand that "affect" may be nothing more than spam but on the other hand, it's personal information and you've lost it! Plus, you could argue that even just email address alone could be used for malicious attacks such as phishing or as we saw after the Ashley Madison incident, even ransom.

Here's an example of where this goes all wrong: last year, the Minecraft community known as Lifeboat was hacked. Roughly 7 million accounts started circulating and were subsequently passed to me. When confronted about the incident by the media, here's what Lifeboat had to say:

When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act

Wow! No. It's not just users' accounts on the service itself that gets put at risk, it's other services as well:

This is really essential to remember: when you have a data breach, your actions (or lack thereof) have a significant impact on many other services. No, people shouldn't reuse their passwords but we all know that's enormously common and it's a risk that can be reduced by early notification of impacted customers.

Disclose early

Specifics may differ in various other jurisdictions, but the "disclose early" sentiment should pervade across borders because quite simply, it's in the best interests of those who are impacted by the breach. Here's a good summary under the GDPR's heading of Notification of a personal data breach to the supervisory authority:

Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

Now this is to the "supervisory authority", what about the individuals themselves? The disclosure to "natural persons" is described as follows:

Natural persons should be informed without undue delay where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, in order to allow them to take the necessary precautions

The term "without undue delay" is a bit legal-speak again but the intention is clear and the timeline for supervisory authority is pretty clear. Failing to meet this timeline can result in serious consequences too. The ICO in the UK outlines the penalties:

Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover

I don't want to get too caught up with the GDPR but simply put, you cannot screw around with notifications; it should be one of the very first things you start focusing on in the wake of an incident. A case like Capgemini and Michael Page where it took 11 days could result in serious consequences and let's face it - it simply doesn't take that long to send customers emails, even when it's millions of them. Same again with Adult Friend Finder who took a week to disclose; delays like this are more reflective of lawyer and PR involvement than they are of genuine concern for customers.

Unfortunately, lengthy delays like this are not unusual:

#PageGroup thank you for letting me know that my details were stolen after 11 DAYS!! I'm certain that who did it had no malicious intent!!!

— Catalina Pascu (@CatalinaPascu) November 11, 2016

It's not just unacceptable in the "this really isn't cool" way, it's also unacceptable under the incoming GDPR legislation, in fact it's more than 3 times the required maximum notification time.

When an incident such as a data breach occurs, people inevitably look for more information. They hear a snippet from friends or read a piece on the news and they're curious. Making factual information readily accessible via a formal channel is enormously important as it allows the organisation to put their message - and the facts - forward to the public.

Going back to PayAsUGym for a moment, this is where they really got it wrong. There was no communication on their Twitter account, nothing on their Facebook and no messaging on their website (i.e. not a notice on the front page, no news or blog section). However, they were still broadcasting promotional messages via social media which is the digital equivalent of sticking your fingers in your ears and saying "la-la-la-la-la-la-la-la".

Compare that to Ethereum who had their forum hacked a few days later. They were quick to write a blog about exactly what happened and socialise it via Twitter:

Security Alert: Ethereum forums database leak. See blog for details https://t.co/E14ObMfF4v

— Ethereum (@ethereumproject) December 19, 2016

As well as on Facebook:

What this allowed them to do was to make their version of events the canonical one. That's the reference the media then referred to, their stated positions were the ones that made headlines and there was much less left to interpretation. When an organisation doesn't have a public position on a data breach, it leaves things open for speculation and often results in people forming incorrect conclusions. Emailing customers is not enough because there will always be other people forming opinions (i.e the social media peanut gallery) and it's important to influence their views on the incident too.

Protect accounts immediately

Clearly, once a database of user credentials has been exposed, those users are at risk of having their accounts accessed. It's normal operating procedure to force password resets on impacted accounts and that's something that needs to happen as a matter of priority, ideally in combination with the disclosure notice which is sent to impacted parties.

On December 17, Bleacher Report notified customers of a breach. Within their notification, they talk about password resets:

If you do not change your password within 72 hours, your existing password will cease to work and you will have to click the “Forgot Password?” link in order to reset your password.

This is both reckless and unnecessary, even more so because they'd actually identified the incident more than a month earlier. There's also something to be said here about the timeliness of disclosure, but clearly the longer they leave stolen credentials active then the longer they can be exploited.

Avoid misdirection and false or misleading statements

This might sound like the most ridiculously obvious thing to say, but don't lie when disclosing an incident. I know the truth may hurt, but the harsh reality of most data breaches is that there's been a failure at some point and now you need to own that.

Case in point: in April 2016, the Philippines election committee known as COMELEC was breached. In that blog post I wrote about how in verifying the legitimacy of the incident with HIBP subscribers, many of the personal attributes in the incident were confirmed, including the names of voters' parents. Fast forward to June and they released a statement which included the following:

This was a blatant lie. Not a misinterpretation, not a question of degrees or shades of grey, but an outright lie. There were over 228k email addresses in that breach and I contacted a small number of them who were subscribed to HIBP and received responses like this:

This is not open to interpretation: Filipino citizens had their email addresses breached, I emailed some of them and they identified their parents in the incident. There's also no denying the presence of fields denoting biometric data, although the practical application of it is not immediately clear. Regardless, the email addresses and parents' details were present.

Same deal again with PayAsUGym who I mentioned earlier. They issued a statement as follows after their incident:

The highlighted point is significant as compromised card data can trigger unwanted attention from PCI which can have pretty serious consequences. Unfortunately though, the statement was false and one look at the data which was widely circulated after the incident tells the story:

In this particular case, PayAsUGym later had to make the very embarrassing admission that actually, yes, credit card data had been compromised. (Incidentally, this is also something they would have known had they been following discussion about this in public forums explicitly showing exposed card data!)

There will always be a temptation to downplay an incident like this and misdirection or misleading statements (let alone outright lies) are not going to do the organisation any favours and pose a real risk of backfiring spectacularly if they're later held to account.

Don't be vague

Closely related to the previous point, it's really important to avoid statements which can be misleading, unclear or otherwise simply just not contribute to the objectives of contacting customers in the first place. For example, this one from JobStreet.com:

@troyhunt another day, another breach... @JobStreetSG pic.twitter.com/BlU7bTBl9I

— KristoferA 🌏 (@KristoferA) December 29, 2016

I've read this over and over again and I'm still confused; was the data on the Malaysian forum actually legitimate? They refer to "claim" as though it's not substantiated but then say you probably should reset your password... but there's no evidence to suggest you should! You can see how confusing this can be and per the earlier comment above on the Lifeboat incident, remember that people who've reused their passwords across services will be wondering what this actually means to their broader risk profile.

Here's a good example of a much clearer and more transparent disclosure courtesy of Soundwave:

Awesome looks like @soundwave used Production data in test and left it there after being acquired by @Spotify

/cc @troyhunt pic.twitter.com/sfHBy5jMXL

— Torvos (@torvos) March 17, 2017

Look at how much was clearly spelled out:

1. They put production data in a test database
2. They hashed the passwords with MD5
3. They list all the impacted data attributes

Now let's be clear - production data in a test database with passwords stored as MD5 is not a pleasant story to tell - but it was the right story to tell under the circumstances. They've been clear and transparent and that's enormously important.

Explain what actually happened

Here's a good example of where lack of information can lead to speculation and misunderstanding. When I wrote about the leak of Michael Page data, I included this image that was sent to me when it was first reported:

If you were to look at that image, you would reasonably assume that data for countries such as Australia was exposed - there is literally a file called "mp_australia.sql.gz"! That then lead to headlines such as The private information of Australian jobseekers has been exposed which would be a perfectly reasonable assumption. However, Michael Page's media statement listed only 3 countries as having been impacted - China, the Netherlands and the UK.

Now I have no insider knowledge on this so I'm just going to speculate, but I suspect the gap here is that they concluded no other files had been downloaded. This would have been so easy to explain and would immediately dispel speculation about why their statement appeared to come up short. It wouldn't emphatically mean none of the data was accessed; we're talking about a badly misconfigured server and making some assumptions about what was successfully logged when and what levels of access were available (logs are frequently tampered with to hide tracks), but you'd get a much better sense of transparency if the situation was simply explained in this fashion.

Compare that to the Mountain Training breach last year (and do read the detailed notification):

This is a really well written breach notice from @MtnTraining, here's the whole thing: https://t.co/5jaw6VYjTm pic.twitter.com/u87t9qqDmP

— Troy Hunt (@troyhunt) November 23, 2016

This talks about how everything unfolded with a great degree of transparency. When you read this, you can't help but feel they're being open and honest about the situation; it doesn't feel like they're covering anything up or misleading people. This isn't hard to do, it doesn't "jeopardise ongoing investigations" and demonstrates both an understanding of what went wrong and a willingness to communicate truthfully with customers.

Keep customers updated

One thing I really liked about the Red Cross' handling of their incident was the follow-up. A couple of weeks after initial disclosure, the CEO sent a message that began like this:

I am writing to you with an update on the data security issue we last contacted you about at the end of October

She went on to talk about the outcome of investigations they'd since done, talked about further strengthening their processes and then apologised for the incident:

I want to say again how truly sorry we are that this happened

When initial communication with customers is done promptly, the impacted organisation rarely has all the answers upfront. For example, per the Red Cross above, there are often investigations that are ongoing. It can take time to join the dots and work out what actually happened. This example from Plex illustrates that - take a note of the timelines:

1. July 2: They write about learning of an intrusion which occurred at 1pm the previous day (nice and prompt!)
2. Later that same day: They add an FAQ to address specific questions they were seeing from customers
3. July 6: They update the post again and advise "the attackers gained entry via exploiting bugs in the forums software"

The point is that they kept people informed as they learned of new information. They didn't wait for ages before they knew everything (we already know why that would be problematic), but they instead added more information and shared what they knew when they could.

Follow-up with customers serves another valuable purpose as well, and that's to explain how you're going to avoid this happening again. Data breaches occur because somewhere, someone screwed up. Not only did they screw up, but the organisation failed to catch that screw up before it resulted in something going very badly wrong. In order to regain trust, you need to convince customers that whatever root cause was behind that failure has now been addressed. If you can't do that, how are you going to regain their trust?

Apologise

This can sound a little trite, but being apologetic for having lost customer data can be a powerful tool in winning back public sentiment. And per the previous paragraph above, there's always something to apologise for.

Now take the CloudPets breach notice which was (eventually) sent out. They begin by saying:

We recently discovered that unauthorized third parties illegally gained access to our CloudPets server

They use words like "unauthorized" and "illegally" to shift blame and their communication is littered with what effectively boil down to excuses. For example, they talked about the prevalence of MongoDBs being compromised but neglected to mention that only occurred when the owner didn't put a password on it! This is clearly a major cock up on their behalf but at no stage did they apologise for losing valuable customer data (including exposing voice recordings of people's children). The word "sorry" simply never appears. Compare that to how the Australian Red Cross Blood Service responded after losing a large amount of customer data (including mine and my wife's):

The title of their disclosure literally has the word "apologises" in it! In this case, it was actually a contractor of theirs that lost the data (and they were very sorry too), but the Red Cross "owned" the incident and took accountability for it.

Whilst writing this post I had someone contact me with a data exposure story of their own. He uses an online accounting service and his account manager had inadvertently sent him personal information about someone else; it was a basic human error scenario. He let them know and went to bed angry, convinced he'd now need to move to another account given their sloppy handling of personal info. And then he woke up to this:

First thing this morning, I had an apology email from my account manager, followed up by a phone call from her boss detailing the very impressive list of things they're doing as a consequence. They'd already contacted the Information Commissioner's Office, and their data protection officer was in the process of compiling a full report on it for submission to the ICO. All their processes will be reviewed. The other client had been contacted and his credentials changed, and they also asked me to delete any copies of the email with the details in. Finally the whole team will be given additional training on the subject of data protection.

This is such a simple thing - such an easy thing - and although this was a small-scale incident ultimately only involving two parties, carefully worded apologies can work well anywhere. In this case, just by simply acknowledging that they'd screwed up and demonstrating that they'd taken quite reasonable steps to prevent it happening again in the future, they retained a customer. How easy is that?!

Summary

Data breaches are never a pleasant thing to deal with either as an individual victim or as the company that lost the data. Add to that the various regulations in different jurisdictions and the potential legal ramifications for the company involved and the whole thing starts to get very messy. That's before the PR people even step in to put their spin on things.

But there are very reasonable expectations that we can align around as an industry. Largely, it boils down to letting all impacted parties know within a few days and giving them honest facts whilst doing your best to protect them from further risk. Frankly, that's just basic decency and it doesn't matter where in the world the company operates or what industry they're in or how important they think their data is, it's just the right thing to do and it's dead easy too!

Sponsored by: Exabeam - Security doesn’t stop at detection. Automate your response procedures with incident workflows and playbooks. Learn more.

Another week down and looking back, I'm not sure precisely what I did. I mean I know I was busy, but you ever have one of those weeks where you just wonder where the time went? Although in fairness, a big chunk of it went to finishing off my latest Pluralsight course on "What Every Developer Must Know About HTTPS". Whilst my work there is done, there's still review and processes and other things that have to happen on Pluralsight's end (they put a lot of effort into quality control), so I suspect I'll feel like I've achieved a bit more in my week once it hits the air. I talk a bit about it in this week's update, plus a bunch of new breaches loaded into HIBP and a piece I've been working on for a long time about how to properly communicate data breaches if (when) they occur.

Lastly, next week I'll be driving after picking up something new and shiny a long way away so I might try the next update from the car with a guest companion. Let's see how that goes :)

iTunes podcast | Google Play Music podcast | RSS podcast

References

1. Another 140 data breaches went into HIBP (WHEN WILL THE MADNESS END?!)
2. Check out the percentage of existing accounts already in HIBP for these new breaches (tl;dr - people keep getting pwned over and over again)
3. How to write (and not to write) a data breach notification message (it's not hard, but it requires some thought... unlike most of the messages we see!)
4. Exabeam is sponsoring the blog this week (big thanks to those guys!)

Sponsored by: Exabeam - Security doesn’t stop at detection. Automate your response procedures with incident workflows and playbooks. Learn more.

I've been watching the cyber-news pretty closely lately and one of the biggest challenges we seem to have is attribution. I mean, stuff is getting hacked left right and centre but who's actually responsible?? I started paying closer attention and I reckon I've worked it out - it's mostly this guy:

He fits the profile to a tee - hoodie, obfuscated face and an apparent love of binary, all calling cards of the modern day cyber-hacker. As you can clearly see from the image, he's suspected of perpetrating the massive Yahoo breach which is very serious business indeed. But it's when you start digging deeper that you realise how far this individual's cyber-raiding goes.

For example, there was real concern he might play an active role in manipulating the democratic process (which may actually explain some things now that I think about it...):

And look, it's not like the guy hasn't been meddling with the government before either, there was that whole Census Bureau thing a couple of years ago which definitely implicates him:

There's good reason to suspect he may be state-sponsored as well, not just because of the government meddling mentioned above, but because of his Iranian ties:

The Iran thing isn't just a one off either, the guy has previous form and right about now, you should be starting to seriously question if perhaps this isn't one arm of the Axis of Evil itself:

There's also the very high likelihood he's been involved in account takeovers, which I guess is inevitable with that much access to valuable user records:

What's more, he's clearly been suspected of playing a role in hacking a large number of vulnerable apps, something we should obviously all be very scared about:

It's not just "traditional" cyber-things he's been active in either, for example he's apparently using a rather ingenious technique that involves registering domains similar to other domains:

But then on the up-side, it looks like the bloke might get involved in a bit of television and let's face it - if they're looking for someone with experience then this is your man:

I worry about the TV career though, because even with these opportunities in front of him, it seems he might also be a bit of a vigilante which could cause some setbacks in the showbiz world:

Now I don't want to alarm anyone here because I know there's a lot of support for the guy, but there's a chance this could be Edward Snowden:

And when you think about it... maybe it is? I mean he certainly has a track record in this space and the guy has a lot of time on his hands these days, perhaps this solves the mystery? Either that, or we may have been seriously misled by the media...

Sponsored by: Exabeam - Security doesn’t stop at detection. Automate your response procedures with incident workflows and playbooks. Learn more.

So the plan this week was to record the update whilst driving from Melbourne to Sydney with Lars Klint in the new car. And I did - record it that is - but due to some screwyness with Lars' GoPro, it turns out that "recording" is not the same as "actually saving it to the SD card". Fortunately, I successfully capture a review we did on the car and I'll look at editing that up later on, but for now there's a short clip on Twitter that illustrates one of the things I love about it (and oh boy - some of the repsonses to that tweet!)

But onto news of the more usual kind, this week I'm talking about "the world's most prolific hacker", why the privacy of everyone's data in HIBP is important and I share some insights into the data behind the (alleged) Apple iCloud hack. That last one in particular is quite fascinating and I'll blog it in detail early next one once I have all the data together.

iTunes podcast | Google Play Music podcast | RSS podcast

References

1. I found the world's most prolific hacker! (but seriously, thin a bit about how this imagery is used in the media)
2. Hacker alert! Apparently they're resetting hundreds of millions of iCloud accounts (spoiler alert - no, they're not)
3. Exabeam is still sponsoring the blog this week (big thanks to those guys!)

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

LastPass had an issue the other day, a rather nasty one by all accounts that under certain (undisclosed) circumstances, it looks like it could lead to someone's password (or possibly passwords) being disclosed by virtue of a remote code execution vulnerability. This is not a good thing - nobody wants an RCE vuln in their software - but as is prone to happen with these incidents, some people went about promptly losing their minds. This prompted me to suggest the following:

Password managers don't need to be perfect, they just need to be better than *not* using them which they unequivocally still are https://t.co/nVG5G6RAWx

— Troy Hunt (@troyhunt) April 1, 2017

The mind-losing generally centred around the premise that here was proof a password manager should never be used because it poses an unacceptable risk. It's the same irrational response we've seen after previous disclosures relating to LastPass and other password managers, my favourite 1Password included in that. It's irrational because it's a single-dimension response: the password manager had a flaw therefore we should no longer use it. But let's stop and think about the alternative for a moment...

Your brain is a very bad password manager. It's incapable of storing more than a couple of genuinely random strings of reasonable length (apologies if you're a savant and I've unfairly characterised you in with the rest of our weak human brains). That leads to compromises. If you're one of these people who says "I've got a formula that always gives me unique passwords that are strong", no you don't, they probably aren't and no they're not. You're making concessions on what we empirically know is best practice and you're kidding yourself into thinking you aren't. I've had this debate many times before and there's dozens of comments raging backwards and forwards about this in my post on how the only secure password is the one you can't remember.

And "compromises" is really where the discussion needs to be because what we should be talking about is how option A compares with option B. In this case, how does putting genuinely strong, unique passwords in a password manager which may have a security risk compare with putting weak passwords in your brain? You're comparing a low chance of something going wrong and resulting in an impact across the breadth of your accounts with a high chance of something going wrong and impacting a smaller number of accounts. Except that last bit probably isn't accurate because we know that the "put it in my brain and hope for the best" strategy usually results in the one weak password being reused all over the place (I've got a couple of billion records of proof on that too, by the way).

I really like the work Tavis is doing in finding these bugs because quite simply, it makes the software better. We all should want one of the smartest blokes in the industry hammering away at password managers and then operating under the banner of Google's Project Zero the disclose vulns responsibly. But it's going to make headlines too and holy cow, don't journos love a good headline! So our challenge now is we need to take that headline, filter out all the bullshit and reach some sort of educated conclusion as to how bad it is. Then we need to compare it to the other bad thing which is not using a password manager at all. So far, we're yet to see a vulnerability with a major password manager worthy of chucking the things out altogether and trusting our brains instead.

Let me give you a great example of the sorts of discussion we should be having: I've had many people share The Personal Internet Address & Password Log Book with me whilst loudly gnashing their teeth at the gall of so many passwords being stored in such a weak fashion:

But let's actually use some common sense for a bit: We all know people for whom LastPass, 1Password and all the other ones pose insurmountable usability barriers. They might be elderly or technically illiterate or just not bought in enough to the whole password manager value proposition to make it happen. They're doing the memory thing and failing badly at it, but then you give them the password book. They write down sites and passwords because hey, it's a pen and paper this is something they understand well. Then they put their unencrypted, plain text passwords in a drawer. Their "threat actors" are anyone who can access that drawer and right off the bat, that's a significantly smaller number of people than what can take a shot at logging onto online services using the usual poorly thought-out passwords people have. See how different the discussion becomes when you look at a security practice like this compared to alternatives rather than in isolation?

The UK gov's National Cyber Security Centre put out a piece on password managers earlier this year. They rhetorically ask the question "should I use a password manager?" and reach a very simple conclusion:

Yes. Password managers are a good thing.

And then, as if it was written just to illustrate the point of this blog post, one bright spark chimes in with a comment and suggests that password managers are a bad idea because "there is no such thing as 100% security". Of course there isn't! But there doesn't have to be to justify using a password manager, it just has to be better than not using one.

Password managers are a good thing. Even when issues like the LastPass one above are found, they're still far superior to our frail human brains when it comes to your overall security posture. Until such time as that changes and either they're worse due to a flaw that actually causes some serious damage or we create something better again, this is where the game is at. Less sensationalism, more pragmatism.

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

I went to Helsinki a couple of years ago. I was there running a security workshop for a local company and whilst in town, I caught up with Mikko Hypponen:

Troy Hunt (@troyhunt) in Helsinki today. Troy's http://t.co/zOiZnkMpNo service is highly recommended! Use it. pic.twitter.com/lf59Hz7zvI

— Mikko Hypponen (@mikko) May 28, 2015

Now Mikko is a very interesting bloke having been around in the security industry since just about forever so he's seen a few things. There's a great TED talk where he talks about the first PC virus and actually travels to Pakistan to track down the guys who wrote it. He's also the Chief Research Officer at F-Secure who make the Freedome VPN, a tool I've used for some years now and it brings me to the point of this post.

I'm having a chat to Mikko and he's talking about Freedome and the importance of trust when he comes out with a really interesting comment:

You know what's great about Finland? We're the least corrupt country in the world!

So I looked it up and he's right! Either Finland or Denmark depending on whose stats you read but there it is, right up the pointy end of the list. And this is actually really, really important when it comes to a VPN because not only do you need to trust the company running the service, you need to trust the jurisdiction they're running in too because to some extent, you're beholden to their local laws.

VPN providers control your traffic. They can inspect it, modify it, log it and have a very good idea of what it is you're up to. And just before you say "ah, but much of my traffic is now HTTPS", as I wrote earlier this week, the negotiation phase of the connection is still observable so the VPN provider knows the site you're connecting to. Even upstream of that, DNS queries can be watched so per that article, there's a hell of a lot anyone inspecting your traffic can glean even on encrypted connections. Whoever can see your traffic - be that your local ISP or the VPN provider you decide to use - has an enormous responsibility and you're placing a huge amount of trust in them.

Which brings me to MySafeVPN. I first heard of these guys when they sent me spam a few days ago:

I woke up to an email allegedly from @plex that seemed very out of character. Looks like it's spam (or worse): https://t.co/FXWcZ1SEnM pic.twitter.com/4ZN5t84QFO

— Troy Hunt (@troyhunt) April 3, 2017

Which lead through to the MySafeVPN.com website:

Now any reasonable person would read that email and conclude that it's intended to represent an offering from Plex because, well, it literally says "Plex reveals...". And thus begins an absolute train wreck of communications as they attempt to explain themselves:

@danielvena @plex Daniel, part of plex's development team is working at MySafeVPN hence they sent the email. The corp Plex is unhappy because they don't earn.

— MySafeVPN (@MySafeVPNcom) April 4, 2017

The basic premise (as it's repeated over and over again), is that there are Plex developers working for MySafeVPN and therefore this is not spam and putting Plex's name on it is cool. Of course, neither of these things are correct and Plex themselves are clearly unhappy about the whole thing:

@MySafeVPNcom @danielvena Sorry, but this is just a flat our lie. Neither our company or any of our employees are affiliated with you.

— Plex (@plex) April 4, 2017

So how do you explain the emails? Well Plex had a data breach back in 2015 and a few hundred thousand email addresses (including mine) were released out into the wild. It's not just them, Boxee lost data in 2014 and they too have been misrepresented by MySafeVPN:

@troyhunt I wasn't going to name them, but they spammed all the old Boxee mailing lists as well https://t.co/OEuzRElHHE pic.twitter.com/buDapVMTf7

— Legost’d’ve (@scott_thewspot) April 5, 2017

In the Plex case, their data breach was as a result of a vulnerability in the IP.Board forum software they were running, a threat which miraculously, MySafeVPN believes their product can protect users from:

@plex @tony_sutton @Scott_Helme @troyhunt @plex You should be happy that we're securing your system. Judging by 2015 you guys do not do a good job with security.

— MySafeVPN (@MySafeVPNcom) April 5, 2017

But let's move past the Plex connection for a moment and look at how the service is presented, keeping in mind of course the importance of integrity and trustworthiness in a service such as this. We'll start with attempting to order the product from the website at mysafevpn.com:

Not a good first impression for a company providing a cryptographic service! You'll also notice we're now off on myvpnhub.com for reasons which aren't exactly clear. We could attempt to force a secure connection, but that just returns a certificate for flfixed.com (which is an empty site with a landing page):

The lack of cryptographic protection didn't go unnoticed by the increasingly large array of people chiming in on the discussion:

@MySafeVPNcom @Scott_Helme @plex @troyhunt Your sign up page have no SSL, which means you're leaving personal data. Everything looks dodgy.

— Tony Sutton (@tony_sutton) April 5, 2017

But as things unfolded, the responses from MySafeVPN became more and more nonsensical, at least for an organisation (or possibly even just one individual), that should understand some of the basic mechanics of how modern day SSL or TLS work:

@tony_sutton @Scott_Helme @plex @troyhunt Our corporate SSL is going to be installed shortly, however the SSL's that actually protect you are very expensive and have a long process.

— MySafeVPN (@MySafeVPNcom) April 5, 2017

Just recently I wrote about what a fantastic time it is for HTTPS and how the free availability of transport layer security from the likes of Let's Encrypt and Cloudflare are transforming adoption rates. And then Scott Helme got involved and helped clarify:

@AdamR0berts @MySafeVPNcom @tony_sutton @plex @troyhunt It's not cheap, it's free. It doesn't take a day, it takes minutes. They should know this. They're just incompetent.

— Scott Helme (@Scott_Helme) April 5, 2017

Now Scott is the last bloke you want to argue the merits of certificates with, he literally runs a training program called The Best TLS Training in the World. Yet this didn't stop them attempting to educate him:

@Scott_Helme @AdamR0berts @tony_sutton @plex @troyhunt Not sure what kind of self signed horrible SSL you're talking about. You should head over to Namecheap and check out the real SSL Certs.

— MySafeVPN (@MySafeVPNcom) April 5, 2017

And it all goes downhill from there in ways I don't particularly want to document blow-by-blow here, but you can always read through their timeline with replies if you're the type of person who likes watching a train wreck in slow motion.

The website itself is full of misleading at best or even outright false statements. For example, their certifications:

Which they explain away as follows:

@tony_sutton @Scott_Helme @plex @troyhunt Tony, our employees are all trained with various certifications from VMWARE Management certs, SYMANTEC VAULT certs, etc.

— MySafeVPN (@MySafeVPNcom) April 5, 2017

Whilst neither VMware or Symantec are mentioned in the list on the site, having a product like a VPN certified is a very different story to having people working for you that have achieved certifications.

Then there's the support number:

I actually tried this yesterday and it went straight to a voicemail service which didn't surprise me in the least. I tried it again earlier today and it was the same story - straight to voicemail. I thought I'd give it one more shot and record it to make a point about it being an unmanned phone, but then, well just listen:

Well that was weird, not exactly what you'd expect from a trustworthy VPN service!

Speaking of getting in touch, they're apparently headquartered in Ontario:

Which you can find on Google Maps and check out using Street View, it's the one with the red seats out front:

And in case that looks like an odd place for a VPN provider to be HQ'd, that's because it's a Vietnamese restaurant:

Apparently the Pho Ga is good but what that has to do with a VPN service is beyond me. Look, maybe it's a guy running it out of his bedroom above the restaurant, I don't know, but the point is that combined with the weird greeting on the support number and other oddities observed earlier, clearly the whole thing is very fishy.

Others have also classified the service as untrustworthy:

@J0k3r_2016 @MySafeVPNcom @troyhunt And... pic.twitter.com/nfgHzwJuac

— Paul Wilson (@pwgolfer) April 5, 2017

And even as I attempted to take screen caps of the site, it was going in and out of suspended mode:

At first, I thought this was the inevitable conclusion of the thing - the hosting provider had pulled the pin - but it did indeed come back to life and remains up at the time of writing.

Whilst looking into MySafeVPN, I was contacted over DM by the account. I won't relay what they said because that was a discussion between the two of us, but I did strongly suggest they stop tweeting, get their shop in order, then come back and explain themselves properly once they've done that. That was after a bit of dialogue back and forth of fairly predictable nature and I didn't hear back from them after that. Clearly the advice wasn't heeded and the engagement via Twitter continued, culminating in racial abuse of a young guy in London who'd joined the discussion:

@Aan_ath @Scott_Helme @MySafeVPNcom @tony_sutton @plex @troyhunt This, my friends, is how @MySafeVPNcom handles their opposition on Twitter. Great way to show maturity of handling a security company. pic.twitter.com/zpJVvzJD4p

— Kelvin Zhang (@KelvZhan) April 5, 2017

Obviously this is all the personification of dodginess. There's been a lot of people chiming in on the topic both via Twitter and over on Reddit where MySafeVPN's behaviour was very eloquently described:

Many people were speculating that this was merely a scam and indeed Motherboard wrote a piece this week about it being a phony service. In that article, they did actually manage to talk to someone on the number I tried and subsequently had a call that culminated in name-calling of the reporter:

This scammer actually called @nicholasadeleon on the phone and called him a nerd

— Motherboard (@motherboard) April 4, 2017

Yet just as I was wrapping up this post, I noticed that they had indeed managed to get a valid certificate on the host name doing the payment processing:

It's newly registered and per the earlier thread where they demonstrated a complete misunderstanding of the value of certs, it was indeed issued by Comodo. They've paid money for this and that shows a commitment to the service. Of course nobody in their right mind should actually pay them anything, but if it's just a scam then it's one they're actually investing in. But then - just to erode any good will that actually securing the billing system may have created, they come out with this:

@aw_nz @Eposig @malwrandpickles @tony_sutton @Scott_Helme @plex @troyhunt The billing area always had ssl.

— MySafeVPN (@MySafeVPNcom) April 6, 2017

We all remember the billing page from the earlier screen grab, right?

Countering the thinking of "maybe - just maybe - it's not a scam and they're just incompetent instead", I get this just before posting the story:

@troyhunt another one in the same vein as MySafeVPN... pic.twitter.com/IbipMvzDGY

— Matt Coutts (@northirid) April 6, 2017

Now you can try going to myvpnhouse.com but you'll then find yourself at... mysafevpn.com! The spam seems to be directing people to multiple different host names and again, when we come back to trust and integrity, this looks anything but legit. And it goes on. And on.

To wrap up, let's move past these guys and back to the original premise on the trustworthiness of VPNs. You need to know who you're trusting your data with. You need to have confidence that they'll handle it responsibly. You want a proven track record and identifiable individuals who'll back the service. Increasingly, you also want them running in a jurisdiction that values privacy and that means the UK with their Snoopers' Charter is out, the US with ISPs now able to sell your browsing habits is also out and even Australia that's mandated the collection of browsing meta data is out. Canada (where MySafeVPN is allegedly based) forms another leg of the Five Eyes intelligence alliance and frankly, that quintet doesn't have a real good track record when it comes to respecting privacy. People often ask me what I think of [insert other VPN service here] and there's a simple answer - I have no idea. I made my decision based on trust more than anything else and I simply don't have it to that same level with any other provider.

You can get into Freedome for €4.16/m (less than half the price of MySafeVPN) and in case you're wondering, no, I'm not in any way incentivised to recommend their service and have bought my own licenses at full retail price for years.

Edit: About 12 hours after posting, it looks like they've now been taken offline:

And that's (probably) the end of @MySafeVPNcom https://t.co/1axlSzFH6W https://t.co/O7hJAquleG pic.twitter.com/nbtT4SJWuz

— Troy Hunt (@troyhunt) April 6, 2017

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

The tech news recently has seen quite a lot of chatter about an alleged haul of Apple credentials, apparently about 250 million of them in all. Allegedly. Maybe. Or was it 300 million?. No - wait - it might have only been 200 million. The number itself has been the source of plenty of debate even within the members of the Turkish Crime Family (TCF) themselves. Now who really knows if they're Turkish or a family, the only part of the name we can get any consensus on is the "crime" component courtesy of them attempting to extort Apple as they threaten to delete account contents and remote-wipe Apple devices if payment isn't forthcoming by... today. The 7th of April. Which, of course, it won't be but it all begs the question - what data do they actually have?

Zack Whittaker who wrote the first story I mentioned above has been following this incident pretty closely. He managed to get his hands on a sample of the alleged haul of data and sent it through to me for further analysis. By running Have I been pwned (HIBP) and having 2.6 billion accounts from various data breaches to refer to, I've got a great data set with which to reference incidents like this. I want to walk you through what I've found and ultimately how I've identified where the vast majority of accounts have come from.

The data Zack received looks like this:

[redacted]@icloud.com;Kid123
[redacted]@icloud.com;hihihi
[redacted]@icloud.com;rita00
[redacted]@mac.com;Jungheepak
[redacted]@icloud.com;215100

There are 69,355 email addresses and they're almost entirely spread across 4 domains:

1. mac.com: 42,051
2. me.com: 24,459
3. icloud.com: 2,720
4. me.com.au: 45

That's 99.88% of the addresses on those 4 Apple domains. Throughout this analysis, you'll see figures that are very close to absolutes, but just not quite "perfect". Ultimately, I'm going to show how this list was cobbled together so keep in mind that we're talking about humans (likely children or very young adults), doing fallible human things.

Here's the top 10 passwords:

1. Football95: 2,345
2. disney1: 1,270
3. [blank]: 841
4. 123456: 773
5. 111111: 705
6. dthomas: 414
7. Password: 344
8. Cannon: 200
9. conrad76: 176
10. duece2: 168

There's the usual selection of poor choices people make here in terms of simplicity and predictability, but those first 2 in particular are way too specific to be from a generic collection of data. It suggests bias in either the sample set or the way the data was extracted from it, that is there's a factor that's skewed the results towards these two.

So far, this is all just pretty generic analysis of the data as it was provided to me, I really wanted to see how it stacked up against what's in HIBP because that's where I can actually add a unique perspective. So I took the 69,355 records but before going any further, grabbed a distinct list of email addresses which turned out to only total 52,742. In other words, 24% of the records contain email addresses that appear more than once. (Also, keep that in mind when hearing figures of "hundreds of millions of records" - how many people does that actually mean?) I took this unique set and fired it all into HIBP which returned results like this:

You're looking at the tail end of the analysis here and for each email address, I'm showing which breaches it appeared in. There were two things that really stood out to me when I first ran this:

Firstly, there's a very high hit rate here. Just eyeballing it I could see that almost every account in the Apple data I checked had been breached before (I'm going to show how this isn't actually from Apple, but I'll call it that for simplicity's sake.) This is really unusual because if you read back through the HIBP Twitter feed, you'll see there's usually around half of the accounts in any given data set that are already in the system. In this case, 51,707 of the unique 52,742 email addresses had a hit. More than 98% of the email addresses had already appeared in data breaches loaded into HIBP. This says to me that they were almost certainly sourced from existing breaches, which brings me to the second observation:

There's a lot of Evony entries in the screen above. It appears on almost every row and Evony is a breach with "only" 29 million accounts. That pales in comparison to the likes of Dropbox (68 million), LinkedIn (164 million) and MySpace (359 million). It also made me curious - what was the spread of accounts in data breaches? So I pulled the stats:

1. Evony: 40,751
2. MySpace: 17,635
3. Lastfm: 11,137
4. Adobe: 9,629
5. LinkedIn: 8,773
6. RiverCityMedia: 8,416
7. Dropbox: 7,397
8. Tumblr: 4,319
9. Fling: 1,498
10. AshleyMadison: 1,362

Look at how high Evony is here - more than 77% of the email addresses in the TCF data are also in the Evony breach. That's more than double MySpace even though the social media platform had 12 times as many accounts exposed in their breach. Now keep in mind that the numbers above add up to way more than the number in the Apple data as many accounts appear in multiple breaches. As the earlier image shows, a bunch of these accounts have been pwned over and over again; the second one from the top was in Evony, Modern Business Solutions and River City Media. But Evony remains way over-represented which is also enormously coincidental in terms of the timing:

I was sent the Evony data right around the time the Apple ransom came out. As data starts circulating, it's rapidly picked up by nefarious parties and used for, well, nefarious reasons and that appears to be precisely what happened here. I decided to pull the original Evony data I was sent back out of my local archives and take a closer look. Here's what it looks like:

The first file contains the usernames, email and IP address and an unsalted MD5 hash of the password. The second file contains cracked passwords alongside email addresses:

Note the dates on the files too - the first one is mere weeks before the TCF shenanigans began and the second one looks like it was prepared around the middle of August last year which is consistent with reports. In fact, cracking data breach passwords and selling them to anyone who would pay was what the now defunct LeakedSource was infamous for, and indeed they appear to have been the source of this incident coming to light according to the article (this practice also inevitably contributed to why it's now defunct!)

Having the Evony data from the breach alongside the Apple data allowed me to work out how many of the email address and password pairs in the latter was sourced from the former. I started out with a sanity check of the total intersection based on email address alone:

That's a total of 40,751 matches which aligns with the check I did against the live HIBP system. What's really important is when the match is done on password as well:

99.9% of the accounts that are in both the Evony breach and the Apple data share the same password. This is way too high to represent password reuse from across systems so in other words, the folks that cobbled this together constructed a significant portion of it from the Evony data. Clearly, they were leaning very heavily on this particular breach in order to construct the Apple list and that now poses a very interesting question - how many of the alleged millions of accounts actually are there? I mean they've said "Hey, we've got this massive list we're going to reset, here's a sample to prove we're serious" and they sent 69k rows to Zack, can we look at this data and draw some conclusions about the 200 or 250 or 300 million - or whatever hundreds of millions claim? Is the data anywhere near that size?

Let's look at it like this: if they built up a big list from various data breaches (of which Evony is obviously the predominant one) and then took a small slice of those hundreds of millions of accounts to send to Zack as a sample, then the Apple addresses in that sample would represent a small part of those in the overall Evony data breach too. This is a theory that's easy to test via one simple query:

Think about what this means: irrespective of the list TCF built up, there are 40,866 Apple email addresses in the Evony breach belonging to those 4 popular domains. Yet somehow - miraculously - the TCF "sample" included 99.6% of all Apple accounts in the Evony breach they relied so heavily on. The chances of them grabbing something like 0.02% of their alleged hundreds of millions haul, sending them to Zack as a "sample" and that amazingly representing almost every single last Apple address in the Evony data breach is unfathomably slim.

We've already established that more than 77% of the unique email addresses in the Apple data came from Evony so that clearly accounts for the lion's share of it, but what about the last 22.x%? When I looked at that top 10 sites the Apple data was found in via the HIBP queries, the one that stood out the most after Evony was Last.FM. Whilst it had less matches than MySpace (11,137 versus 17,636), it had a significantly higher proportion of accounts based on the size of the breach which was 37 million records, a mere tenth of the size. So I pulled the source data for that breach and dug deeper.

I grabbed a list of all Apple email addresses that I hadn't already matched via the Evony data (that is both the email and password matched) and found 12,044 distinct ones left. Of those, 9,008 were also in the Last.FM breach so I joined across the data and dumped out all the MD5 hashes from that breach and all the plain text passwords from the Apple data. This meant I had one big hash list from Last.FM and one big plain text password list from Apple and what I was curious about was how many of these matched. This would tell me how much of the remaining Apple data was potentially cobbled together by cracking Last.FM password hashes.

Those 9,008 common accounts had 8,565 unique plain text passwords from Apple and 8,776 MD5 hashes from Last.FM. The former gave me a word list with which to attempt cracking the latter and the result would illustrate how many of the 9,008 accounts where potentially sourced from this breach. Here's what I found:

Here we're seeing hashcat cracking a third of all the Last.FM hashes using the passwords in the Apple data. But it's more than the 2,893 records shown here because multiple accounts had the same password and once expanded out, we get a lot more. A further 3,243 email addresses not already found in the Evony data matched perfectly to accounts in the Last.FM breach. So between that and Evony, we're up to about 44k of about 53k accounts now accounted for or in other words, we've clearly identified the likely source of 83% of the records. I could keep going - I could load the MySpace breach and the LinkedIn breach and keep cracking hashes and filling in gaps, but the source of the data was now abundantly clear. Let's apply Occams Razor to this and I'll draw the most obvious conclusion possible from the whole thing:

The list of Apple accounts is not hundreds of millions, it is instead less than 53k and it's compromised predominantly of accounts from the Evony data breach and a small handful of others.

Now, that's not to say there's no risk at hand here, but rather that the risk is no different to the one we're faced after every data breach: a bunch of people have reused their passwords and they're now going to have other accounts pwned as a result. But that's a very different story to the headlines of "hundreds of millions of Apple accounts will be reset and iPhones wiped". It's nowhere near as bad 53k either because a significant chunk of those people won't have reused their passwords. Of those that have, many my no longer even be valid for Apple services and indeed Zack found that when he reached out to people listed in the sample data. But here's something even more significant - Apple has the sample set I've been analysing which puts them well and truly one step in front of TCF. That doesn't necessarily mean they're going to lock accounts out or force password resets, but it does mean they can associate a much high risk rating to these accounts and protect them in other ways. Plus of course there's a small portion of those who will have multi-factor authentication enabled so even a correct password will be useless. Think of all these factors as a funnel which gradually decreases the usefulness of the accounts such that only a tiny fraction of the alleged haul is actually of any use whatsoever:

The conclusions above are all pretty reasonable based on the evidence at hand. There are probably some nuances I've missed (I usually get some pretty insightful comments on these sorts of posts so I'm looking forward to those), but for the most part I think we can all be reasonably sure about what's gone on here. With that now understood, let's turn our attention to TCF for a moment and I'll start with Zack's commentary here:

Immature and naive "hacker" thinks wiping over 200 million iPhones will get him rich, and not bludgeoned to death by an angry mob. How cute. pic.twitter.com/lkysePbuFb

— Zack Whittaker (@zackwhittaker) March 27, 2017

Zack has been pretty blunt here but it's hard to argue with his logic. These are very likely kids, either in the legal sense or in the "they're a lot younger than most of us" one and Zack is right - they're painting a big target on their backs. Of course they're full of bravado and frankly, are probably a bit excited about how much attention they've received, but this is now starting to play out in a very familiar way. If they keep going, it will also have a very familiar ending.

It's familiar in the same way it was for kids like Jake Davies of Lulzsec fame. Like TCF, he felt beyond reach as he went about wreaking havoc on the internet until his inevitable capture. In that link you see him turning up at court with his mum and judging by the look on her face, she wasn't very amused by the whole thing. (Side note: Jake has gone on to do fantastic things and is a great example of how these kids can later turn their lives around.) Same again for Alex Davros who was running LeakedSource; seemed like a great idea at the time as he revelled in internet anonymity, not such a good idea now. Similar story again for the guy behind the TalkTalk attack, just that we have no idea who he is; when you're 17 there are child protection acts in place because hey, kids do stupid things and need saving from themselves.

And their behaviour is generally pretty consistent with that demographic too. At one stage an old pic of me appeared as their profile photo:

It later appeared in a tweet which was subsequently deleted. It doesn't bother me in the least but again, it gives you a pretty good idea of the sophistication of the "threat actor" involved here.

There's more oddness in the Twitter profile itself, namely with the follower count:

At first glance, that's a good effort for an account only set up last month! Except, of course, they're mostly fake:

There's obviously a lot more accounts following now than just a couple of weeks ago, but they're clearly mostly fake. Whether this is intentional to artificially inflate their perceived sense of significance or it's someone else altogether messing with their reputation is not clear, but it's still part of the broader set of observations around consistency, trustworthiness and the general likelihood that they can actually deliver on their threats.

The chances of anything of significance happening to Apple accounts today is near zero. Not just because of the observations above but due to the simple fact that the locations they've harvested the data from have well and truly already been pilfered by others attempting to do the same thing. This is classic credential stuffing and services like Apple's are amongst the biggest targets after breaches such as Evony. The only people likely to be adversely impacted by this are those who chose poor passwords that were readily cracked, reused them across services, had them exposed in (probably) the Evony data breach, don't have multi factor auth turned on at Apple, failed to change them after all the news about this and finally, were not protected by Apple come the deadline. In other words, innocent people who made a series of very bad security choices.

As for TCF, they're at a bit of a crossroads as of now. On the one hand, they've inevitably got some small number of accounts that actually work and they may even be able to wipe some data from a number of them. Thing is though, it almost certainly won't be any more than a tiny fraction of a percent which won't do great things for their credibility. Yet even if it is a small number, once you start destroying other people's things the law tends to take you a bit more seriously and the inevitable conclusion of that isn't pretty. On the other hand, now seems like a good time to get out while the getting is good. They had some fun, got some good press and to their credit, certainly put the issue of password reuse and account security back in the headlines. Apple obviously isn't giving them any dough and they'll have realised that by now, seems like a really good time to let this all drift off into data breach history...

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

Wow, what a crazy week! Three pretty serious blog posts, my Security Sense column plus a bunch of stuff I've been doing in the background around arranging travel for the European summer. I didn't mention it in my weekly update, but unfortunately I had a workshop in Dublin cancel due to an unexpected change on their end so I had to fill that gap. The good news is that it took all of 24 hours and I lined up another one in Amsterdam which actually works out better due to me doing a subsequent one after than in Utrecht so looks like more time eating fries with mayonnaise (yes, the opening scene of Pulp Fiction is true).

There's a lot more in the pipeline for the next week too: I'm going to post about my brand new Pluralsight course on personal branding later today and there's another one on Azure that may land next week. Those are both Play by Play courses so myself and another author having a discussion, but next week we should also see a brand new big one titled "What Every Developer Must Know About HTTPS" and there's never been a better time for that one to land. Every week I seem to be talking about something related so I've got big expectations of that course and hopefully I'll be talking about in next week's update. For now though, enjoy this one!

iTunes podcast | Google Play Music podcast | RSS podcast

References

1. Stop losing your minds over password managers! (no seriously, bugs don't mean you chuck 'em out and go back to trying to use your feeble brain to remember them)
2. If you look at weird stuff over HTTPS, your ISP (probably) still knows (there are bits of the HTTPS comms that leak info about the sites you're visiting)
3. MySafeVPN is not safe, it's stupid! (the more I think about it, the more I'm convinced it's an outright scam rather than incompetence)
4. I tracked down where the "Apple accounts" The Turkish Crime Family is threatening to wipe came from (they're almost certainly pretty disorganised kids and oh yeah - one of them has been arrested already)
5. Titania is sponsoring my blog this week (big thanks to those guys, check them out, they help me keep those nasty traditional ads off the blog)

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

This whole "personal brand" thing is a really interesting space. I mean here we are talking about people as individuals such as you and I yet applying a term to us in the same way as we'd talk about brands like, say "Ferrari" or "Apple". I pick those simply because they're two of the strongest, most recognisable brands I can think of which makes it a whole lot easier to draw some of the parallels I'm about to.

The first thought I really gave to brand was about 7 and a half years ago when I wrote my first ever blog post on Why online identities are smart career moves. Now if I'm honest, that post looks much more insightful in retrospect than what it did when I first wrote it. I was guessing. Speculating. Thinking that maybe - just maybe - having an online identity and a brand of my own may come in useful one day. It took almost 6 years, but the blog post on How I optimised my life to make my job redundant is a really good bookend to that one as it's effectively the hypothesis come true.

Fast forward another couple of years and I've just published a course on the topic, a "Play by Play" with my good mate Lars Klint whose gone through a journey to independence of his own. By pure coincidence, this course launched just after I gave a talk at a Microsoft MVP event in Sydney on this very topic and I thought I'd share a few things that really stuck out at me from that talk.

Firstly, let me try and illustrate this brand thing by referring to the two I mentioned earlier on then applying it to us as humans. Let's take a cap, in this case it's a "men's microfibre baseball cap":

It costs $14 off the web and it's a perfectly fine hat. It has an adjustable strap and a peak to keep the sun off you. It's functionally identical in every way to this other "men's microfibre baseball cap"":

Except this one costs $90... from the Ferrari store. That one little barely visible badge merits a six-and-a-bit fold increase in value (and I'll come back to that term in a moment) merely by the presence of the brand. Yes, they make sensational cars but this is just a hat! People are paying for the brand.

Apple epitomises brand like few other companies can. I mean sure, they make good phones, but they've curated their image to the point where people will do frankly ludicrous things just because they're Apple. The queues stretching around the block sometimes days before a new iPhone launch is a perfect example. Is the phone really worth that much? Evidently, for many people, it is.

Which brings me back to the point of personal branding and I'll give you an example of my own: Last year I was asked to run a workshop for a company in the US. In this case, rather than me waltzing in and doing my usual thing, they wanted me to teach an existing syllabus. For all intents and purposes it was similar content to what I normally teach, but there was one aspect of the proposed engagement that was rather different. I charge ten times more than they were proposing. Ten times! Now their normal rate was a perfectly reasonable one and indeed it wouldn't have been that many years ago that I'd have been happy commanding it, but it really got me thinking - why? I mean why is there such a massive discrepancy in what someone effectively doing the same thing can command? And that brought me back to this whole value thing I mentioned earlier.

Defining value is enormously difficult because it's so subjective. For example, I spend very little on clothes (thanks in part to living near the beach and basically just wearing board shorts every day!) so I have a pretty low tolerance for cost there. On the other hand, I really like fast cars and others simply cannot wrap their head around why I'd spend what I do on them when I could just as easily get from point A to point B for a fraction of the price. So here's my great insight on all of this: Something is only worth what others are willing to pay. Lots of people buy Ferrari hats and iPhones because they're worth it to them and the same is true of the workshops I run. Because of the brand I've established, lots of companies get me across to wherever they are in the world to teach their developers. Now I also think I do a pretty good job of that, but I don't think it's measurably 10 times better than whoever the company I mentioned earlier ended up getting.

Brand is important to me as an independent, but clearly based on that first ever blog post, I was thinking about it well before then and that brings me to the whole point of this new course. We all have a brand. Regardless of what it is you're known for, you have some degree of reputation and recognition and as that increases, you start to get more choices in life. For example, you may be happily working away in a 9 to 5 job (similar to what I was in that first blog post), but you're also getting involved in some open source projects. Or you start doing some user group talks. Or you start a simple blog. Or you begin contributing to a forum around your favourite tech. All of these activities contribute to this broader thing we call brand and at some time in the future, that has a real potential to do very positive things for you. It may be that one day you decide you'd really like a different job. Or - as with me - your existing one may be made redundant. Or another company sees you as your brand grows and says "hey - we really want that person on our team because they're obviously great at what they do".

Lars and I talk a lot about why a personal brand is important regardless of where you are in your career, plus of course we talk about ways to define it, some of which I've mentioned above. We also cover some of the rough stuff you go through along the way and believe me, it's not all roses. I've written about abuse before and perhaps unsurprisingly, as you become more prominent, more crazies come out of the woodwork.

Personal brand is enormously valuable and we all have one to some extent, whether it's consciously curated and very public as with Lars and I or it's merely a by-product of you going about your everyday life. This course helps you think about your brand in ways that I genuinely hope will do good things for you in your professional life as it's done for the both of us.

Crafting a Brand for Growth and Prosperity is now live on Pluralsight!

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

Someone sent me an email today which essentially boiled down to this:

Hey, Microsoft's Azure Active Directory alerted me to leaked credentials but won't give me any details so there's very little I can do about it

This is a really interesting scenario and it relates to the way Microsoft reports risk events, one of which is the discovery of leaked credentials that match those within AD. In other words, they've identified that someone used the same email address and password in multiple places and they've let the administrator of this particular AD instance know. As you can imagine from my work with Have I been pwned (HIBP), I have many thoughts on the subject. Rather than keep them to myself, I thought I'd dump them here because the whole thing raises a bunch of really interesting technical, ethical and legal issues.

What are we actually talking about here?

An increasingly large number of organisations are doing precisely what's described above - trawling the underbelly of the web, obtaining breached data then using it to better protect their own accounts. You think about it - if, for example, Amazon finds a dump of data that has thousands of their customers in there with the same username and password as on their own service, that's really useful info for them. We know this credential stuffing thing is rampant and I illustrated that last week with the folks trying to blackmail Apple (which incidentally, failed spectacularly and surprised no one beyond themselves).

Knowing this is very useful to Microsoft or Amazon or Apple because now they can protect their customers. For example, they can force password resets. They can flag the account as being at higher risk and request additional verification at login, for example via SMS as MailChimp does:

They can do all manner of things to limit the ability for bad guys to login to a customers' account not only because it protects the customer, but fraud costs the organisation dearly when it happens en mass too. But there's a problem...

You've been pwned... (but we can't tell you where)

This was the crux of the message I was sent this morning and I've heard it many times before. All of these companies which are essentially saying that they've found their customers in a data breach won't tell them which one. That leaves the customer in the uncomfortable position of knowing that somewhere on the web their data has been taken and circulated, but they're at a loss as to where.

Think about the implications of this: we all have dozens of accounts online these days. Some of us have hundreds. If a company tells me that the username and password I use on their service just turned up in a breach of a totally unrelated system, I'm gonna have absolutely no idea where that other system is. (Incidentally, by virtue of using a password manager and creating unique passwords everywhere, this isn't going to happen to me, but you get the idea.) I wouldn't know which other system to change my password on. I wouldn't know what other info about me was just leaked. I'd have absolutely no idea as to the broader risk this now exposes me to.

This isn't a situation we've arrived at by accident, there are good reasons for this, let's go through a few.

It's a legal minefield

Let's think this through for a moment and we'll imagine it's Amazon who's got their hands on the LinkedIn data. They notify their impacted customers that their data has appeared in a data breach and for the purposes of playing out this train of thought, they tell their customers it's LinkedIn.

One of the first issues here is that the legitimacy of this data in terms of who should hold it is grey at best. I - more than probably just about anyone - know that and believe me, I think about it a lot! A company like Amazon would be very wary about publicly acknowledging that they had another company's entire client base including their customers' passwords. They'd be worried about LinkedIn demanding they remove it, about common customers getting cranky that they were holding data they don't own and about either of those parties getting legal on them.

Imagine also how that plays out with the impending GDPR legislation which has some pretty tight rules about how personal data is handled. Now not telling people they have their data doesn't exactly absolve them of compliance obligations, but it's the sort of thing they probably don't want to outwardly discuss.

There's another legal issue around all this too, and that's this:

What happens if the breached company doesn't know they were breached?

There's a heap of data out there being traded around that's known fairly well in those circles but not known by the impacted company. Sometimes it's relatively tightly held, other times it's a new incident and public disclosure hasn't yet occurred.

Let's play out another hypothetical: imagine eBay got their hands on the VTech data. This was a very tightly held set of data and to this day, I'm quite confident only the hacker, Motherboard and myself ever saw it. But imagine for a moment that one of eBay's security folks got their hands on it, now what?

On the one hand, you could argue that eBay should notify VTech because that's the responsible thing to do. But now you're sort of projecting an online auction site into the realm of ethical disclosure to other organisations and that also brings with it a bunch of legal issues; can you imagine how many lawyers would be involved in a discussion like that?! Plus, it puts us back at the previous point in that this is very shadily obtained data and you've got a big multinational admitting they have it.

Yet on the other hand, eBay wants to protect their customers. They know bad guys have the data, they know people reuse passwords and they know that they could proactively protect accounts. But they can't "show their hand" to their customers and say "VTech got hacked and you reused your credentials" because not only will eBay customers start asking hard questions of VTech, it'll also end up all over the news.

And we haven't even touched on the technical aspects yet...

Password hashing makes it "interesting"

So you're one of these organisations attempting to protect your customers and you have a big whack of someone else's data you want to compare against yours. Email addresses are plain text in both so that's easy, but passwords are another story. We'll assume the organisation doing the retrieval of other people's data is using a strong hashing algorithm with a high work factor, say bcrypt. But it's what the other site is doing which makes things interesting.

If they stored data in plain text then you're going to need to grab every single one of those passwords which belongs to common email addresses and hash them with your own algo and corresponding salt for the account. You could exclude the ones that don't meet your own password rules but there's going to plenty left and remember, you've got a strong hashing algorithm which means it's going to be slow going, especially if we're talking large amounts of data.

But let's imagine the breached site hashed them - now it gets interesting. The immediately obvious answer is that you crack the other party's hashes but things now start to get extra murky. Firstly, I'm no lawyer but having another company's data is one thing, I imagine that actively trying to break a cryptographic protection such as a hash is quite another. Imagine Big Company A going "Yeah, we've got Big Company B's data and we're actively cracking all their hashes". That's a minefield.

But say they're doing it anyway and it's MD5 with no salt. No biggy, they'll tear through a big whack of those quite quickly. Add a salt and suddenly things are massively harder. Still relatively easy in the grand scheme of things when it's a fast algorithm like MD5 or SHA1, but it's going to take a heap longer. Do you invest in dedicated hash cracking gear like what Sagitta make? How far down the rabbit hole do you go because once you start getting too slow hashing algos like the aforementioned bcrypt, things start getting very hard. A heap of recent breaches have been in that category too - Ashley Madison, Dropbox, Ethereum and despite their many other shortcoming, even CloudPets.

Thing is, a good enough hashing algorithm across a large enough set of data is going to rule cracking out, at least in terms of resolving any reasonable number of credentials back to plain text. So you need to think about other options...

What if you didn't crack hashes?

If you had the plain text password, you wouldn't need to crack hashes to figure out if the one from another data breach matched those in your own system. There's no magic involved in gaining access to your customers' plain text passwords, you just have to wait until they login!

So here's the workflow: someone (not necessarily your customer) attempts to login with a set of credentials. You hash that with your own algo and establish whether the creds are correct, then you also hash with the algo of the breach you want to compare the password to and see if it matches there (obviously the correct salt may also be required). If it matches then you know they're reused credentials, but then what?

Well firstly, you could simply flag the account as higher risk at that time. For example, perhaps they can browse around your online store but not order anything or view account settings until they verify their identity. Or depending on the organisation's tolerance for potentially pissing off legitimate customers, immediately after login you prompt them to do a password reset. There are options, not all of them pretty and subject to some pretty major other issues.

One of those issues is that this isn't particularly proactive - you need to wait until the customer (or someone else with their creds) logs in. The other one - and this is a biggy - is that this can have serious overhead. You're now saying "hey, let's create hashes of the password and check other breached systems" but how many other breached systems? Do you just do recent ones where the data is circulating? Or heaps of them, some of which have slow hashing algorithms and when done en mass result in a lot of overhead on your own system?

Alternatively, you run this in the background asynchronously to everything else the user is presently doing to log in. Maybe it takes a minute, but once executed it flags the account and you fall back to the aforementioned position of challenging for verification a little later on in the session before something important happens. There are a lot of different ways you can slice this.

Summary

This is not exhaustive and it was literally me sitting down dumping many of the thoughts and discussions I've had over the years, but hopefully it gives you an idea of how much more complex this issue is. When you next get one of those emails saying "you've been pwned but we can't tell you where", understand that there are all sorts of reasons why you can't be told and indeed why you may only be learning about it much later after the incident.

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

It's a great time for HTTPS. Actually, there's never been a better time and as each day goes by, we see constant reminders of how important it is. Someone sent me a great example of this just the other day by virtue of a bug that had been lodged with Mozilla:

Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.

If this sounds a bit cryptic, here's what had upset the reporter of this "bug":

This is very good. It's good because Firefox is explicitly telling the user that they can't trust this page because it's been loaded over an HTTP connection. In this case, it doesn't even post to HTTPS but even if it did, the very fact it's already loaded insecurely could have led to compromise.

What I really like about the original complaint though is this - "Your notice is causing concern by our subscribers" - because that's exactly why the notice is there in the first place! It works! That's precisely Mozilla's intention because subscribers should be concerned. Yet somehow, those managing this particular site didn't quite get the significance of Firefox's warning.

Another great example of how companies struggle to come to grips with HTTPS and the protections that browsers provide users came just a few days ago via Wycombe District Council in the UK courtesy of this tweet:

Technical hitch with our website. Click "Continue to this website" or "Advanced" to access content. Working to fix asap.

— WycombeDC (@wycombedc) April 10, 2017

This resonates with the oil and gas example insofar as what we're observing here is the browser attempting to save users from a potentially risky situation and giving them a very clear warning to that effect. Yet miraculously, both organisations are attempting to solve the problem by circumventing the error message! In this case, it's painfully obvious where it all went wrong:

The certificate expired 2 days before the tweet and the browser is (quite rightly) telling people that without a valid certificate, they shouldn't trust the site. Their advice about proceeding past the warning anyway is, well, this response sums it up well:

@wycombedc pic.twitter.com/HzR5gqPFbL

— Derek (@Palmer_DC) April 11, 2017

Organisations are still struggling to do HTTPS right, which gives me a nice way of transitioning to talking about my latest Pluralsight course...

I actually started this course late last year and whilst writing, recording and editing it, I also wrote about how HTTPS has reached the tipping point. The timing was just perfect as a confluence of events aligned to really drive adoption of HTTPS. Firefox's behaviour as of version 51 above is one, Chrome doing similar when 56 hit in Jan is another, Let's Encrypt smashing the incumbent CAs out of the park with free certs is another and Cloudflare doing HTTPS for free is yet one more (CloudBleed turned out to be inconsequential so no changes to my Cloudflare endorsement there).

Then there's the actual adoption of HTTPS: When I started recording the course in Jan, I referred to how the New York Times is now HTTPS only and how it was significant to see a media outlet with mostly public content go secure. But I also lamented how Qantas couldn't get their act together and that HSBC was loading the bank's landing page insecurely. However, such is the rate of change at the moment, by the time I got to recording the end of the course a couple of months later, Qantas had finally done it right and if you try the HSBC link above, you'll now find the landing page loading securely. Great progress on both fronts, although whilst showing HSBC they unfortunately demonstrated another issue which illustrated precisely why I wrote this course - the developers got it wrong:

This is just a simple issue of embedding insecure content in an otherwise secure page, but then it's wammo! No more padlock. No more "secure". No more green HTTPS scheme. The fix is obviously easy - embed the content securely - but there are other things they could have done to avoid stuff breaking even with the insecure scheme in place. Using the upgrade-insecure-requests content security policy, for example, is pretty essential when rolling out HTTPS. Using HTTP strict transport security would have also avoided the insecure request. Modifying embedded insecure references to secure ones on the fly using an approach such as Cloudflare's HTTPS rewrites is yet another. There are a bunch of things that can be done to help you fall into the pit of HTTPS success and that's really what the course is about.

I put a huge amount of work into telling stories about technology in a way that makes it enjoyable to watch and really makes it stick; let me give you an overview of how I've approached that in this course. I've broken it down into 5 modules:

1. The HTTPS Value Proposition: This sets the stage as to both where we're at with HTTPS (i.e. the sites I mentioned above moving over), and why we need it. I always use heaps of industry precedents in my courses and there's no shortage of them here.
2. HTTPS Fundamentals: This is the foundation that every developer needs if they're going to start sending their traffic securely. It talks about certificate authorities, TLS negotiation, developing with HTTPS and a bunch of other things you really need to know from the outset.
3. Securing the Application: This is a lot of the nuts and bolts of the course and it explains precisely what needs to be done at the app level to make it play nice over secure connections. That includes applying some of the tricks I mentioned above such as using a CSP and implementing HSTS.
4. Overcoming (Perceived) Barriers to Adoption: This is pretty much the way I kick off this module in my workshops: "If HTTPS is so awesome, why aren't we using it more?" I go through all the typical arguments such as cost, speed and management overhead... and then tear them apart!
5. Beyond the Basics: I wanted to round out the course by going into detail beyond the fundamentals you need for securing just the app. Things like using SSL Labs to test your TLS (and yes, I talk about the interchangeability of those two acronyms too!) and public key pinning. I also use the opportunity at the end of the course to reflect on the observations earlier on, that is how much things had changed just since beginning the course.

One thing to be really clear on here: this is "What Every Developer Must Know About HTTPS". I don't talk about what cipher suites to support or how to configure the server as most devs are working in environments where sys admin people are doing that for them. One other thing that's really important is that this is a technology agnostic course; whether you're living in ASP.NET world or PHP or whatever other thing is serving content over the web, it doesn't matter. A significant portion of this course is about how HTTPS behaves with web browsers and in that regard, your choice of server side stack is pretty much irrelevant.

So that's what I've created and I'm enormously happy to now see it up live on Pluralsight. If you've not tried them before, you can get into it for less than $1 a day and gain immediate access to thousands of courses, including some very good content on HTTPS, if I do say so myself 😀

Sponsored by: Titania - Find your network security gaps before hackers do with world’s first detailed configuration auditing tool

I didn't mean to talk for 42 minutes today, but somehow, I kinda ended up there. A good whack of that went to explaining how I'd done the subscription implementation you see below, especially as people had asked why there are two CAPTCHAs and indeed I wanted to explain why I'd even added the feature in the first place. Anyway, I've had hundreds of people sign up to it since yesterday so hopefully it's proving useful to those folks (I did end up fixing that IE bug too). There's that plus some commentary on the jokers who tried to extort Apple (and obviously failed spectacularly) along with the Cloudflare webinar I did this week, why security is too hard for "normals" and my very, very exciting new Pluralsight course on HTTPS. Ok, well I think the current state of HTTPS is exciting anyway! But try the course and decide for yourself, just to be sure :)

iTunes podcast | Google Play Music podcast | RSS podcast

References

1. I built a thing to email you stuff (it's uh, down there, give it a go and get updates daily or weekly)
2. The Turkish Crime Family got paid over 400BTC! (no, of course they didn't, they've now scurried off and disappeared)
3. Security is too hard for mere mortals (seriously, spend some time trying to get your layperson doing the stuff we know they should be - it's not easy)
4. Every developer must know all this stuff about HTTPS! (I'm so excited to have this course finally live, it was a labour of love and per the examples in that link, holy cow we need some better education!)
5. Titania is sponsoring me again this week (there's a free trial of their risk assessment tool behind that link)

Sponsored by: Gold Security - Keep your Customer's Data Safe from Breaches - Hackers don’t wait. Act Now!

Well, good one Australia, UK and whoever else has embarked on this hare-brained scheme, you've just made things a whole lot worse. Our respective governments (in all their ivory-towered wisdom), have decided that because one of us could one day decide to become a terrorist, they'd better keep a big whack of our internet browsing history just in case. The theory these genius policy makers have is that if they can probe into all our lives far enough, they'll be able to see when we're doing terrorist kinda stuff. And really, what better way is there than siphoning up info on the websites we go to? Job done, beer o'clock, glad we solved that one.

Except no, they've just made a metric shitload of things much, much worse. Let's take Australia where the subject is topical due to mandatory meta data retention laws becoming well, mandatory, just last week. If you're in the UK then refer instead to your Snoopers' Charter and all the same observations apply. So anywho, our ISPs now have to store metadata on our browsing habits and right off the bat, there's a big problem - our government isn't quite sure what metadata is:

This isn't just some random pollie trying to wrap his head around it either, it's George Brandis, the bloody Attorney General! So there's your first problem - those who want the data aren't actually sure what it is. But hey, they've got advisers and some of them are probably quite switched on so let's move past the inability of a politician to explain technology for a moment.

Regardless of George's stammering about what it is the gov is actually forcing ISPs to store, the sentiment is simply that they want to know what you're looking at on the internet. So that's that, they've got your data, now your private things are no longer private. Except because people are kinda pissed about their privacy being eroded, we're being flooded with advice on how to circumvent the new law. For example, Lifehacker talks about How To Protect Your Metadata With A VPN, the ABC is relaying the EFF's advice to 'get a VPN' and then - just in case you missed it the first time - the next day Lifehacker backed it up with How To Choose The Best VPN In Australia. And this is just a tiny sample of just what I've seen down under in recent days.

There has never been more information available about how to hide your traffic from authorities!!

Every single day over the last week, I've seen VPN how-tos in places I'd never seen them before. There's a barrage of stories in the mainstream media telling you precisely how to circumvent the law in just a few simple steps. Of course, just like much of the security and tech advice targeted at "normals", a bunch of it is also pretty bad but hey, a whole heap of people who couldn't even spell VPN a few weeks ago now know how to use one with ease.

Let's take Bruce. Bruce is considering a career in terrorism (and no, I don't care that Bruce's name doesn't align to the expected stereotype of a terrorist). A couple of years back, Bruce would have happily discussed terroristy things via SMS, email and whatever messaging app he preferred because hey, that's how you have conversations in the modern era. But now Bruce knows that the gov is watching his every move because, well, that's exactly what they've said they want to do with this law. Bruce knows that he has to get smarter about his comms. Fortunately, Bruce reads Lifehacker and the ABC so he invests a few minutes of his time and gets a VPN, routes his traffic out through a foreign location via a provider that doesn't store logs and it's happy days for Bruce. Not so happy for the rest of us because he's now flying under the radar, but hey, at least it looks like the government is doing something useful!

Now take Sharon. Sharon's not a terrorist, she's quite happy with her career as it stands and isn't considering a switch. But Sharon has a different problem - she's suffering from depression (possibly after watching George Brandis on the telly). It's a real medical condition and she's doing her best to deal with it, but it's a private matter and she wants to keep it as such. She's been visiting Beyond Blue and seeking guidance from there but even though the site is served over an HTTPS connection, Sharon is smart enough to know that this doesn't hide the sites she's visiting from her ISP. Like Bruce, she reads Lifehacker and the ABC and quickly learns about VPNs so she goes and gets herself one in order to help keep her condition private. Problem is, Sharon also likes watching Netflix and that poses a bit of a problem:

VPNs are awesome for many reasons, but equally, there are many reasons why I wouldn't run one 24x7, for example: pic.twitter.com/ukRT7DBXor

— Troy Hunt (@troyhunt) April 13, 2017

Because the MPAA doesn't want Sharon watching her favourite shows via the massively more extensive US library, they've forced the likes of Netflix to block anyone using a VPN from accessing the service. Yes, Sharon is suffering from a serious mental illness and doing her best to fight it whilst retaining her privacy, but there's a chance she may watch reruns of Breaking Bad which Aussies aren't really meant to have access to on Netflix because "reasons", so best just block her altogether. Oh - and per the responses to that tweet above, there's a heap of other stuff that breaks on a VPN too because who knows how many shady characters might be hiding shady things. Ok, so they're things they simply don't wish to share but hey, that's makes them shady too, right? Guys? Hello?

It doesn't take Sharon long to realise that a VPN is just not a practical everyday thing to run 24x7. Yes, her privacy is important to her but we humans have a habit of sacrificing that pretty quickly when there's a convenience upside; simple passwords, smart phones without PINs, listening devices in our homes courtesy of voice activated assistants and smart TVs - they all erode our privacy but damn they make our lives better! When a technology makes an immediate-term improvement to our lives, it will be adopted. When it makes things harder, it will struggle to get traction. VPNs are the latter.

Now, faced with the inevitability that terrorist minded folks will simply turn on the VPN before discussing terroristy things, there has been much discussion over the years about simply banning encryption. Putting aside for a moment the insurmountable challenge of doing this without us all getting pwned six ways from Sunday day in and day out, let's imagine how Bruce would handle this if he and Macca had to work out how to talk about terrorist stuff:

Bruce: Right Macca, we've gotta be smart about this and encrypt our communications when we talk about blowing shit up.

Macca: Oh, haven't you heard? The government has banned encryption.

Bruce: Ah, good point, we'd better not use it then.

This is not how it's gonna go down!

Bad guys don't just simply stop being bad because the government says they shouldn't be bad! They use the broad array of readily accessible encryption technologies that are freely available all over the web regardless of what their government does and doesn't like and they behave like bad guys anyway!

I don't know exactly what percentage of us are terrorists or paedophiles or any of the other genuinely nasty things the community as a whole agrees we don't really want amongst us, but I betcha it's small. Very small. By extension, the number of us that are good guys is massively large yet somehow, we've arrived at this entirely nonsensical point where the gov is trying the catch the infinitesimally small minority at the expense of the vast majority and it does stuff all good anyway because now there's more info than ever about how to avoid interception in the first place!

And just to make the whole thing even more nonsensical, VPN providers aren't subject to the same data retention laws, indeed they may not even operate within your political jurisdiction. Good VPN providers also store absolutely nothing about your traffic and thus have no metadata to give the government anyway should they ask. Or perhaps of greater relevance to all of us, they have nothing on us that they could lose and that's extremely important because once information is captured and digitised such as metadata retention laws require, there's always the risk of disclosure to unintended parties.

So, where all this leaves us is that Bruce and Macca have more access than ever to encryption technologies that enable them to hide genuinely nasty deeds whilst Sharon now has unquestionably private information about her personal life in the hands of her ISP and upon request, in the hands of the government. This is the law of unintended consequences; this is not the outcome anyone wanted yet somehow - miraculously - here we are.

Edit: I've had some feedback from a few fellow Aussies around the definition of "metadata" as the gov here sees it. It doesn't change the fundamental premise of this post (it actually makes a bunch of things more confusing), but let me ensure it's addressed anyway.

The piece I was most consistently pointed at was LifeHacker's Everything You've Been Told About Data Retention Is Wrong written in 2015. The basic premise is that ISPs need to store info on when you connect to the web and how much data you store, but not the sites you're connecting to (host name, IP, etc). On that basis, the metadata retention law (and frankly, this is now a very loose use of the word "metadata" as it's no longer really even "data about data"), doesn't include anything that identifies where people are browsing to. Now in case you're thinking "wait a minute - didn't Troy just link to two stories from LifeHacker about how to use a VPN to avoid metadata collection?", yes I did and now you're seeing just part of the reason why people are so damn confused.

Someone made the point that these logs are retained in order for the cops to be able to match IP address activity on some external service back to the individual connecting to the ISP. This is precisely what a VPN protects against because those server logs contain the address of the VPN exit node, not that of the user's ISP. So long as the VPN provider doesn't store logs, the traffic can't be traced back to the source. But that doesn't mean the ISP's mandated data collection specifies the site, although technically they can observe this both for traffic over unencrypted HTTP connections and as I said earlier, even communications over the HTTPS scheme still leak info about the target site. The ISP can see this and if they were legally required to capture it, a VPN would also circumvent that.

Regardless of how much the Aus gov is or isn't forcing ISPs to store, the pattern of governments requesting increasingly extensive amounts of data to be collected and retained is obviously one that's playing out across the world. I mentioned the UK Snoopers' Charter and by all accounts it's one of the most invasive examples of this and appears to go well beyond our approach down under. All of this is driving the push towards VPNs and regardless of how much the gov is trying to collect (or have collected on their behalf), there's never been more info available on VPNs and they do make it much harder to track down illicit activity. There's undoubtedly confusion about what's in and what's out of the Aussie law and even since writing this piece, I continue to see stories on how to use a VPN to circumvent it.

Whichever way you define it, mandatory ISP data retention laws are causing more people than ever to attempt to hide their traffic with a VPN.

Sponsored by: Gold Security - Keep your Customer's Data Safe from Breaches - Hackers don’t wait. Act Now!

A Twitterer sent me this a few days ago:

.@troyhunt you've got SSL issues in Chrome 58+ on @ASafaWeb pic.twitter.com/qtUiMxV9tW

— Jonathan (@Eonasdan) April 13, 2017

Now normally when I get a report about an SSL thing not working (by which we mean TLS, but we say SSL anyway), I jump on over to SSL Labs (see?!) and run a report I can then direct people to. This usually provides emphatic proof that the SSL configuration is fine and they've just got an old client or some funky MitM stuff going on in their local network. However, this time was different:

"Grade will be capped to T". Now I didn't immediately realise what "T" was, but I know it's lower than "F" and that's bad! But one look at the link on that row and the penny dropped - it's the WoSign debacle. This goes back to them doing a bunch of dodgy things last year, amongst which was the way they acquired StartCom, the CA whose cert I was using on ASafaWeb:

As detailed in the explanation of the "T" grade:

From 8 May 2017 such certificates will be graded with a T (no trust)

What Jonathan was seeing in that earlier tweet was the next version of Chrome distrusting the cert and indeed Google have been flagging this for some time now. As you can see from the date in the cert above, I obtained it from StartCom just before the whole WoSign situation. If I had grabbed it only a couple of weeks later then it would have been distrusted as of Chrome 56 which shipped back in Jan. Instead, ASafaWeb falls into this category:

In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs

I knew this, but honestly hadn't given it any more thought since reading it. ASafaWeb is frankly just in maintenance mode these days anyway so I rarely touch it, but so are many other sites on the web hence why I thought writing this post as a little reminder would make sense.

In terms of migrating away, I still run ASafaWeb on AppHarbor and use their PaaS hosting model. I have no shell access to the machine and they have no Let's Encrypt integration exposed via a UI, but frankly I prefer Cloudflare anyway for all the other features it gives me and like Let's Encrypt, it's free. So it's over to Cloudflare, add the site and then in a fraction of the time it's taken me to write this blog post, it's job done:

So that I can keep the connection from Cloudflare to ASafaWeb fully encrypted and not have to worry about them not trusting StartCom or having to put another cert on the origin later on, I issued one of their free Origin CA certs and loaded that into AppHarbor.

If you use a StartCom cert on your site, you need to replace it now.

It can be an easy job and if you don't do it soon, you're about to start hearing about it from your customers! And if you're reading this and thinking "wow, it'd be worthwhile learning a bit about some of these SSL nuances", last week my Pluralsight course on What Every Developer Must Know About HTTPS went live so check that out. As this example shows, it's easy to screw this up so it's well worth brushing up on your SSL / TLS / HTTPS things if you're not already well and truly on top of them.

Sponsored by: Gold Security - Keep your Customer's Data Safe from Breaches - Hackers don’t wait. Act Now!

I've been really actively involved with building things on Microsoft's Azure cloud for probably about 4 or 5 years now. Many of you will know already that Have I been pwned (HIBP) was built from the ground up on Azure (in fact, one of the reasons I built the service was to play with Azure "in anger"!), what less people know is the work I'd been doing before that. In my previous life looking after Pfizer's software architecture in this corner of the world, I was pushing hard to move apps we were building into Azure, in particular the PaaS constructs they have available. Time and time again, the discussion would go like this:

Vendor: (Pfizer outsourced all their dev work to vendors) We're building this web app for you so we need a virtual machine and a SQL database.

Me: Is there a reason we can't run it in the Azure App Service under a PaaS model?

Vendor: Uh, we want control!

Me: Control of what?

Vendor: We need to be able to remote into the machine.

Me: Why?

Vendor: Uh, because that's the way we've always done it. No - we mean to troubleshoot stuff and access logs!

Me: So everything you've just described to me (and it's usually a lot more than just the above point!) can be done with the App Service and the information surfaced in the portal, PowerShell and APIs.

Vendor: Well, we still want a SQL database!

Me: Why?

Vendor: Because we want to store data - everyone knows that whenever you want to store any data of any kind the only possible way to do it is with a full-blown SQL Server database!

Me: What about other storage constructs such as blobs, tables and queues? They can be significantly cheaper and there are use cases where they're faster too. Or a combination of these storage constructs and an RDBMS, how about that?

Vendor: Uh, but then we'd have to learn new things...

Which brings me to this new course because yes, if you want to learn how to do things more efficiently you do need to learn new things! That was the most common barrier I faced back then: I struggled to move things in the right direction because people were happy doing what they'd always done and consequently, there was a kludge of virtual machines all over the place managed by all sorts of people and connecting to expensive SQL Server databases that were massively underutilised. But I digress, let's get back to Azure.

I've written extensively in the past about how I've built HIBP on Azure. In fact, there's a great "thousand foot" view of it here in an infographic I did a couple of years ago (it's still mostly accurate as of today, the addition of Cloudflare is the biggest change):

There you'll see a liberal use of PaaS constructs for the web and database as well as the use of tables, blobs, queues and web jobs, alongside the aforementioned RDBMS. I love this model because it's a hybrid of technologies which applies each in a way that leverages their strengths including performance, scalability and cost. Table storage is probably the epitome of that: I store about 2.7 billion (yes, with a "b") records in there and it takes as little as a single-digit millisecond to look up a record. It scales in a totally linear fashion too so imagine one line shooting for the sky and that reflects traffic numbers (into 7 digit unique visitors in a day at times) and another line that's just perfectly horizontal which is the table storage performance. And the cost for such performance? My last table storage bill was $50 in our Aussie money for the month which is about $38 in the US - and that's for over 400GB of data performing at those levels too.

The point of all this is that there are better ways of building applications on the cloud than just taking yesterday's patterns and repeating them in this new paradigm. When I was in London for the NDC event in January, I got together with Aaron Powell and we recorded the Play by Play course in the title of this blog post - Azure Beyond Websites - to talk about many of the things I touched on above. More importantly though, we show these in action. This is a very demo-centric Play by Play so there's a lot of this sort of stuff going one:

In the one-and-a-half hours the course runs for, we end up building out a heap of features from the ground up including creating the website, provisioning the Azure resources, committing to GitHub, configuring auto-deployment, connecting to table storage, using queues, creating a WebJob, using Functions and eventually, tying it all together to watch as data flows between everything. I'm really happy with the way this all came together, particularly the way the workflow right at the end shows how easy it is to use this technology to do awesome things.

Play by Play: Azure Beyond Websites is now live on Pluralsight!

Sponsored by: Gold Security - Keep your Customer's Data Safe from Breaches - Hackers don’t wait. Act Now!

Another beautiful spot today while I'm back in Sydney working on the agenda for NDC here in August. It's a quick trip albeit one very jammed-packed as we work through over 700 talk submissions and try to distil them down to the best ~135 of the bunch. There's a few weeks of early bird tickets left so if you're down here in Aus (or feel like a holiday), get in and grab them cheap.

This week, I'm really excited about this:

This is awesome - for the first time after 5 years and 30 @pluralsight courses, I've got one rating a perfect 5! https://t.co/awZ2Ow8qKu pic.twitter.com/IZ4BB57D3b

— Troy Hunt (@troyhunt) April 20, 2017

All of us who create things for other people love to see them being positively received. Amongst the many courses that have done very well over the years, I've never been able to break through the 4.x mark and hit a perfect 5.0. This makes me enormously happy not just to see the course doing well, but to see so many developers embracing HTTPS and moving the industry forward in a positive direction so kudos to everyone who's played a role in doing that. I also talk metadata, StartCom, another new Pluralsight course and yet another data breach in HIBP.

iTunes podcast | Google Play Music podcast | RSS podcast

References

1. The HTTPS course on Pluralsight is killing it! (this is stuff every developer should know to help us move to a "secure by default" web transport layer)
2. Mandatory metadata retention laws are making things worse (no, it doesn't matter what's actually being stored, what matters is that it's driving the uptake of VPNs)
3. Get rid of your StartCom certs! (they're going to break your site pretty soon, get a Let's Encrypt cert or use Cloudflare)
4. There's a lot of sites with StartCom certs that are going to break (wait and see what happens once Chrome 58 hits...)
5. New Pluralsight course on Azure (do more with Azure than websites - storage, web jobs, functions - heaps of demos!)
6. Fashion Fantasy Game got pwned (seems like a heap of people knew about it... except for them)
7. Gold Security are sponsoring me this week (you'll see them a bunch more this year, big thanks to those guys!)

Sponsored by: Protect your Mobile and Web Apps from Attacks - Let Gold Security Pentest your Business.

The title of this blog post is what many of us techie folks dream of - free reign to build your own home network! It might seem like a pretty geeky dream (ok, it is a pretty geeky dream), but the reality is that we're increasingly dependent on our home networks these days because of the amount of stuff we connect to them. That little consumer-grade combination modem and wireless access point your ISP gave you or the one you bought from the local PC store is going to struggle to provide fast, reliable connectivity across the house to all your devices; that very architecture predates smart phones, connected TVs and the (frankly ridiculous) array of IoT things we have spread all over the place. Think about it - one access point plugged into the most convenient location for the phone or cable line is precisely what we did 15 years ago and that just doesn't cut it today.

Last year, I'd finally had enough of my own dodgy wifi and decided to fix it with Ubiquiti gear (that's required reading before this post too, I'm going to refer to a lot of concepts already explained there). I went out and bought all the bits to extend wifi to every corner of the house and actually make it all reliable! I was fortunate enough that the house we're in already had ethernet wired throughout (albeit the slower Cat5e kind) and ports in every room so I bought a 5 pack of their UAP‑AC‑PRO access points and did this:

The results in terms of network behaviour were awesome: no more dead spots, no more dodgy speed, no more degradation of signal quality requiring a reboot, just rock-solid performance in a way that frankly, I've never needed to really even think about. The only downside to this whole model is the 5 dish-like access points sitting in view. I could mount them permanently in less obtrusive positions (they're presently just sitting next to ethernet jacks), but we're looking at a combination of wiring to be done and semi-permanent decisions to be made about where holes get drilled. Oh - the other downside is what the cupboard in my garage looks like. I'm going to show you a picture and I don't want you to flip out, ok? Alright, brace yourself:

Now I'm sure there are many of you in a similar mess when it comes to cables under the desk or behind the TV or even with your own network setup, but I'm not real proud of this. Unfortunately, some design decisions made by whoever installed this when the house was built weren't real good:

1. The switch and patch board aren't mounted in a standard 19-inch server rack
2. There's no space to mount other peripherals such as the Netgear Arlo base station
3. There's only 2 power points nearby hence the power board
4. The switch embedded in the wall is only 10/100 and not gigabit hence the 8 port Ubiquiti switch

So whilst the mechanics of my network are functioning beautifully, it's not exactly how I'd do things if I was designing everything from ground up and that left me... wanting. Fortunately, I found a channel through which to vent my wanna-be-network-engineer inner self courtesy of my brother and his wife buying a new house. Actually, it was better than a new house because it was an old house they were renovating which meant a significant amount of internal work and plenty of scope to design a network properly. This is a place they'll probably be in for decades too so they wanted things done right.

Scott and Cathy are a pretty good example of a modern family with increasing connectivity needs. Scott runs the country's third-largest personal training business and Cathy is an Apple Distinguished Educator who does many similar things to me in terms of travel, speaking etc. They both work from home a lot, they both have multiple devices and they've got 2 young kids who are both increasingly demanding on the existing network connected devices (by which I primarily mean Netflix!) and of course will have their own multitude of connected devices before you know it.

The first design network decision was easy - in-wall access points:

This is Ubiquiti's UAP‑IW and it's literally a wireless access point inside an ethernet outlet. What's awesome about this is that you're going to be putting these face plates in rooms you want ethernet run to anyway, doing it like this also satisfies the requirement for wifi so you don't need wall jacks and access points. What's less awesome though is that they don't do 5G and they don't do 802.11ac either so in other words, regardless of how cool they are, they're yesterday's wifi technology.

But there's a new one, and that's the UAP–AC–IW:

Physically, this is slightly different to the previous generation in that the jacks are at the bottom of the unit so the cables go straight down rather directly out into the room like most ethernet outlets. It looks like this underneath:

But more importantly, it can talk 5G and 802.11ac so in other words, it's a modern-day spec wifi access point. It's not quite as fast or has as long a range as the UAP-AC-PRO devices I put in my home, but it doesn't need to either when the scope of coverage is predominantly the room it's mounted in.

This was the perfect solution for wifi, only problem was... they hadn't been released. There was a lot of pre-release info around but they hadn't quite hit the market and Scott and Cathy were about to start making construction commitments that required devices we could wire in. I reached out to Ubiquiti and it turned out the delay was due to quality controls having not yet been fully met. Functionally they were perfect, but they weren't yet 100% happy with the fitment of the covers. But if I wasn't the fussy type, how many did I need and would I like them to send me over a box of near perfect ones for free? 7, and yes please :)

So that's my disclosure bit, I got my hands on the APs courtesy of a manufacturing shortcoming that frankly, I can't see. They look perfect to me and besides, they were going to be mounted and rarely touched anyway. With that sorted, the workers could start knocking holes in the right places and running Cat6 cabling:

The benefits of Cat6 over 5e includes speeds of up to 10 Gbps rather than only 1 and an improved signal to noise ratio. Cost isn't much more and you're basically making a lifetime decision on cable quality here so 6 was a no brainer. Consequently, we ended up with a bunch of cabling run to one corner of the house:

The wrong corner. Ultimately, all these cables needed to terminate at a patch board. That would sit alongside a switch. Ideally in a cabinet. In which we'd place other peripherals too. The electrician (in all his YOLO wisdom) had decided that placing all this stuff in the home office made sense. It didn't and the main reason for that is that this is stuff you rarely touch once it's set up. It's also stuff that may have audible fans too and by the time it's all put in a server cabinet (which I'll get to soon), it's going to take up a bit of space. Particularly because this was an older house with 1980s views on room sizes, space was important and it made absolutely no sense to unnecessarily chew up valuable bits of it in a location where it was at a premium.

I'd always wanted it out of the way in the garage or an otherwise non-premium location, preferably mounted up out of the way of everything else. Consequently, there was some arguing with the sparky followed by feet-stamping on his part and eventually acknowledgement that he ran the cables to wrong bloody place counter to instructions. So we got our way and it was re-run appropriately, but there's certainly a moral to the story here about not letting tradesmen make decisions like this and watching them like a hawk.

With that now under control, there were a bunch of other bits to order. I'm going to list everything here in one go because it will make it easy for others to replicate should they want to do the same build:

1. UAP-AC-IW in wall access points with ethernet jacks
2. 24 port Cat6 patch panel
3. US-24-250W 24 port gigabit switch
4. USG security gateway
5. UC-CK Cloud Key
6. 6RU wall mount server rack
7. Pack of 10 x 25cm Cat6 patch cables

Let me explain the mechanics of these parts here for those who may not be familiar with all of this (that included Scott and Cathy too so there was a bit of education throughout this) and we'll start with the patch panel:

This is simply the other end of the cables that connect to each of those in-wall access points. It's a dumb unit in that it's not powered and it doesn't provide any form of communication, it's simply a row of female jacks. We didn't need 24 of them, but by the time you buy a unit that can mount in a rack it's that wide anyway, plus it was only a $95 purchase. (Also, all prices are Aussie dollars, multiple by about 75% for USD, 71% for EUR and 60% for GBP.)

Next up is the switch which is both the most essential and most expensive component of the whole setup:

This is a US-24-250W and as the name suggests, there's 24 ports that'll enable everything to be networked up together. It's a "power over ethernet" switch (PoE) which means that each of those ports can send power down over the Cat6 so devices like the in-wall jobs don't need a local power socket. The relationship to the patch panel above is simply that after each room is hard wired into the panel, it's "patched" into the switch so you end up with a bunch of short cables from one to the other (I'll show what that ultimately looks like a little later on). Strictly speaking, we didn't need 24 ports and could have gotten away with 16, but even in the immediate term we were going to use 10 of them and I could conceive of future requirements getting us close to the 16 limit on the next model down. Besides, we're talking a difference of $175 (tax deductible dollars) which was easily justified.

I won't go into the purpose of the USG Security Gateway and Cloud Key here as I discussed them in detail in the previous post. Suffice to say that the former performs routing and firewall tasks whilst the latter contains the management software to configure the entire thing. You want both and cost wise they're a small part of the overall spend.

To tie everything in neatly together, we ended up getting a pretty generic 6RU cabinet from Data World for $150:

I was undecided as to whether we should go that direction or a similar offering for nearly twice the price as I frankly wasn't sure about the quality. But having now seen it, it's absolutely fine. I can see where extra money could go (such as the quality of the hinges which make the door sag a little), but there's certainly no regrets. We went for a 6RU (rack units, or how many standard height rack items it can fit) rather than 4 because we need 1 for the patch panel, 1 for the switch and then plenty of room to sit other devices such as the modem and other networking bits. Here's what it looked like once it arrived:

And whilst sitting out by the pool opening goodies, here's how the patch panel came out:

It's hard building a network in a construction zone whilst trying to keep the dust out so I assembled the cabinet and patch panel outside then moved in with the box of Ubiquiti goodies:

You'll also see there's a UAP‑AC‑HD sitting on top. Ubiquity recently sent me over a few of these to try and they're the big brother to the UAP‑AC‑PRO devices I have in my own home (that's also the only other disclosure here - everything else was paid for by Scott and Cathy). They'll support 500+ users which oughta do it! But it also gave us an easy way of getting everything set up in the one place given the in-wall units were spread around the house and the patch panel wasn't yet wired.

Before starting to add hefty bits to the cabinet, we did a quick placement test:

This is such a good spot for it - it's up out of the way in the room that'll be used as a gym so a bit of fan noise is ok and it fits just perfectly in that gap. It could go high whilst being easily accessible with a stool yet still have sufficient room for airflow above and provide plenty of room underneath for shelving. And everything that needed to go in that unit could easily fit, so that's what I did next:

About here, I started getting a bit jealous because this is looking very nice! The shelf in the rack is perfect for resting the Cloud Key on and we've got the NBN modem (Australia's new National Broadband Network) sitting bottom left, Optus' access point in the middle (they're the ISP and the device apparently also provides phone connectivity) and the security gateway on the right. The UAP‑AC‑HD access point is sitting out of sight and wired into the bottom right port of the switch. And that's how I left it, waiting for the cabinet to be mounted on the wall (it comes with the required brackets), the mass of cables you see in the background to be patched in and power outlets to be installed on the wall behind it and routed into the cabinet. I left all the patch leads in place to make it crystal clear which ports I'd like wired in to keep everything neat:

I mentioned the electrician was a bit unreliable, right? A week later things still weren't patched but the cabinet had been mounted so I headed back over to take a look. I realised that all the Cat6 cables actually had RJ45s installed on them anyway (which is pointless when they should be wired into the patch panel) so whilst it wasn't going to be pretty, I could wire the whole thing in and then setup the in-wall units. Here's how it now looked:

Then it was just a matter of adopting each of the access points. This is ridiculously simple: plug it in, go to the list of devices in the management interface served by the Cloud Key and click "adopt" next to each one. Same for upgrades because there was new firmware available so a quick update on those and everything was connected:

Because they all inherit the existing wifi settings I configured for use with the UAP‑AC‑HD, as soon as the adopted clients around the house begin connecting, it makes for a very pretty picture:

You'll see these are all named in a friendly: there's a "locate" feature on each access point which causes the light on it to flash when triggered by the management interface so we figured out which was which then put a logical name on it (APs in the kids' rooms have their names obfuscated for their privacy). We also named each client on the network which is why you see things like "Troy's Lenovo P50". This is great for troubleshooting, identifying which client is sucking down the most data or simply stalking who's coming and going (it's all logged). It also means you can make really cool maps like this:

This is the original 1983 floor plan loaded into Ubiquiti's management interface then each access point is dropped in place. When you load in a map, you can drag a line between two points then tell it how long that distance is so that the range of each AP can be plotted appropriately. The UAP‑AC‑HD we named "Waterside" (every time I see this I can't help but think they really need a water slide...) is the UAP‑AC‑HD so it has a greater range than the in-wall units. (This unit isn't yet mounted in the indicated location, we're still waiting on the electrician to run another Cat6 line.) Based on this diagram, signal strength is weakest around the deck area in the first picture but this is also plotted against the 5G signal which whilst faster, has less range. Here's the same map with the 2.4G spectrum instead:

Devices can switch between either spectrum so the bottom line here is that there's more than enough coverage everywhere. Of course there are many other variables such as the walls and floors the devices need to pass through, their construction, other radio interference and so on, but this gives you a pretty good idea of things.

Finally, let me show you what the in-wall access points look like fitted in the painted house because I suspect that's what will really get a lot of people thinking differently about their home network. Here's a good sample set:

I think that's a sensational outcome! Each unit is really well integrated with the room and blends in well with the existing power outlets, not to mention the colour scheme. They're slim enough and stylish enough that unlike the UAP‑AC‑PRO units I have scattered around my house, they actually feel like a part of the place. For the folks concerned that their non-tech-significant-other isn't real keen on the larger units like I have messing up the room's aesthetics, this absolutely nails it on the design front.

There was only one issue I ran into during the entire build and it was when I went back to setup the in-wall units after the cabinet had been mounted on the wall. I'd set everything up perfectly earlier on - it was glorious - but when I came back, the management interface was dead. The power had been pulled during installation (who knows how many times) and long story short, the Cloud Key wouldn't boot and I couldn't access the admin interface. I struggled with it for probably 20 minutes then decided to cut my losses and factory reset it with an expectation of having to spend another 20 minutes setting it all up again. But as soon as it booted, I was presented with the following:

I'd enabled automatic backups to the local micro SD card in the Cloud Key so once a day, the entire configuration was saved. When the device booted after factory reset, it allowed me to simply grab the latest backup and it was job done. That's pretty cool.

I'll finish this post where I started the first one I wrote about Ubiquiti:

I'm increasingly of the view that both my time and my sanity are worth more and more as the years progress

A new (or renovated) house is like a blank canvas when it comes to designing a network that helps you keep your sanity. We're so increasingly dependent on connectivity for work and play alike be that via PCs, mobile devices or the IoT stuff we could barely conceive of even a few short years ago. If you're in the same boat as Scott and Cathy, take the time to design a home network upfront and get it done right. It's too early to give a full review of what it's all like to use day by day but based on everything above I reckon it's a pretty fair assumption to say that they'll never even think about it, which is exactly how a home network should work!

Sponsored by: Protect your Mobile and Web Apps from Attacks - Let Gold Security Pentest your Business.

Home again and blog wise, it was a quiet week. I've been working on some new material you'll see next month as well as preparing for upcoming Europe travels where I've got a heap of events to get to. I've got a new Lenovo to show you in this update plus I do talk quite a bit about that one blog post on building out a Ubiquiti network for my brother and his family which I'm now kinda jealous of! All that and a few other things in the update below, I've got a few extra things in the works for next week.

iTunes podcast | Google Play Music podcast | RSS podcast

References

1. Here's the full specs on that Lenovo Yoga 910 (get the silver if you don't like fingerprints!)
2. I spoke at the Global Azure Bootcamp, Brisbane edition (that's a link to the Ignite talk, same content)
3. "What Every Developer Must Know About HTTPS" is killing it! (been up to number 9 out of more than 6k courses and rating 5.0 out of 5 stars!)
4. I built a new network in a new(ish) house with Ubiquiti (I'm so happy with this, I wish my house was this cool...)
5. Gold Security are sponsoring me this week (you'll see them a bunch more this year, big thanks to those guys!)