Weekly Update 365

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite


It's another week of travels, this time from our "second home", Oslo. That's off the back of 4 days in the Netherlands and starting tomorrow, another 4 in Prague. But today, the 17th of September, is extra special 😊

We'll be going out and celebrating accordingly as soon as I get this post published so I'll be brief: enjoy this week's video!


References

  1. Sponsored by: 1 in 3 families have been affected by fraud. Secure your personal info with Aura’s award-winning identity protection. Start free trial.
  2. We had a great visit to Politie Nederland in Rotterdam this week (lots of common goals shared, and I'm really happy we've been able to assist with victim notification via HIBP)
  3. 932k Viva Air email addresses went into HIBP (that's a Colombian airline which no longer exists, they were pwned and ransomed last year)
  4. 4.3M Malindo Air email addresses went into HIBP (it's a 2019 breach so not new, but a third of people in there had never appeared in a loaded breach before)
  5. Wasn't really expecting to be named on a notorious ransomware website, but here we are (2 days after recording I still haven't heard anything further)
  6. I wasn't expecting anything revolutionary, but I'd really hoped for more excitement in the new iPhones (but I ordered us both Pro Max units anyway 😎)

Weekly Update 363


I'm super late pushing out this week's video, I mean to the point where I now have a couple of days before doing the next one. Travel from the opposite side of the world is the obvious excuse, then frankly, just wanting to hang out with friends and relax. And now, I somehow find myself publishing this from the most mind-bending set of circumstances:

On that note, straight into the video, links below and I'll do it all again in a couple of days from Spain:


References

  1. The FBI took down Qakbot and sent the data over to HIBP (that's both email addresses and passwords that are now searchable)
  2. CERT Poland also sent over a bunch of data snagged from phishing activities (another 68k records now searchable in HIBP)
  3. The Pampling breach went into HIBP despite not being able to get a response from them... (...until it went into HIBP and customers started asking questions)
  4. PlayCyberGames was also breached and the data went into HIBP... (...and they also didn't respond to disclosure attempts - at all)
  5. If you're building websites and you haven't given Report URI a go yet, you don't know what you're missing! (seriously, CSPs are so cool 😎)
  6. Sponsored by: Fastmail. Check out Masked Email, built with 1Password. One click gets you a unique email address for every online signup. Try it now!

Weekly Update 362


Somehow in this week's video, I forgot to talk about the single blog post I wrote this week! So here's the elevator pitch: Cloudflare's Turnstile is a bot-killing machine I've had enormous success with for the "API" (quoted because it's not meant to be consumed by others) behind the front page of HIBP. It's unintrusive, super easy to implement and kills bots dead. There you go, how's that for a last minute pitch? 😊


References

  1. Sponsored by: Unpatched devices keeping you up at night? Kolide can get your entire fleet updated in days. It's Device Trust for Okta. Watch the demo!
  2. Fight the bots with Cloudflare's Turnstile (and hey, if you can find a way through it, let me know and I'll pass your feedback on to Cloudflare)
  3. If you enjoy discussing escorts on public forums, you may be in the ECCIE breach (along with your email and IP address 😳)
  4. But you probably won't be in the Atmeltomo breach (unless you're Japanese and looking for a friend)
  5. The Duolingo scrape from earlier this year is now doing the rounds (that's a 100% hit rate with other breaches)
  6. And SevenRooms had their near half a TB breach from December start circulating (that's one of the largest we've seen in a long time)

Weekly Update 361


This week has been manic! Non-stop tickets related to the new HIBP domain subscription service, scrambling to support invoicing and resellers, struggling our way through some odd Stripe things and so on and so forth. It's all good stuff and there have been very few issues of note (and all of those have merely been people getting to grips with the new model), so all in all, it's happy days 😊


References

  1. Sponsored by: Unpatched devices keeping you up at night? Kolide can get your entire fleet updated in days. It's Device Trust for Okta. Watch the demo!
  2. Brett Adams built a really cool Splunk app using the new domain search API (and he talked me into adding a couple of other ones too)
  3. iMenu360 had 3.4M customer records appear in a breach (and ignored every single attempt made to disclose it 🤷‍♂️)
  4. We now have a model for education facilities, non-profits and charities (for now, it boils down to "log a ticket and we'll help you out")

Weekly Update 360


So about those domain searches... 😊 The new subscription model launched this week and as many of you know from your own past experiences, pushing major new code live is always a bit of a nail-biting exercise. It went out silently on Sunday morning, nothing major broke so I published the blog post Monday afternoon then emailed all the existing API key subscribers Tuesday morning and now here we are!

One thing I talk a bit about in the video today are the 2 new APIs someone reached out and requested. This was an awesome idea and I can't wait to show you what they've built with them. I expect I'll blog that this coming week and probably quietly slip out the documentation on the 2 new endpoints in advance. Stay tuned for that one, what he's done with this looks so cool 😎


References

  1. Sponsored by: Secure your assets, identity and online accounts with our award-winning ID theft protection. Get started with Aura today.
  2. It's almost all about the domain searches today (I'm really happy about how this has been received!)
  3. Education facilities and non-profits have come up a bit as organisations we might need to treat a bit differently (we're working a model for them, for now that's a link to the KB requesting they log a ticket we can then review)

Weekly Update 359


Somewhere in the next few hours from publishing this post, I'll finally push the HIBP domain search changes live. I've been speaking about it a lot in these videos over recent weeks so many of you already know what it entails, but what you've seen publicly is only the tip of the iceberg. This is the culmination of 7 months of work to get this model right, with a ridiculous amount of background effort having gone into it. Case in point: read my pain from last night about converting thousands of words of lawyer speak T&Cs from Microsoft Word to HTML. As if preparing these wasn't painful enough, trying to make them simply play nice on a web page has been a nightmare! (I settled for dumping stuff in a <pre> tag for now and will invest the time in doing it right later on.)

I hope you enjoy this week's video, I'll talk much more about the domain search bits in the next video, hopefully following a successful launch!


References

  1. Sponsored by: EPAS by Detack. No EPAS protected password has ever been cracked and won't be found in any leaks. Give it a try, millions of users use it.
  2. What's the best tooling to start teaching kids to code Python on Windows with? (I decided taking Python from the Windows store then using Visual Studio Code with the Python extension made the most sense)
  3. The MagicDuel Adventure MMORPG got breached (it's a short disclosure notice, but kudos to them for that probably being the fastest turnaround from me reaching out to them disclosing I've ever seen!)
  4. My Home Assistant Yellow has finally landed! (hoping it solves the intermittent restart problems which now that I think about it, haven't happened for weeks 🤔)
  5. Finding a CM4 was the hard bit (Amazon link to the unit I bought a month ago... at A$274 at the time 😭)
  6. It's the final hours before the all new bits for domain search go live in HIBP! (the community input has been awesome - thank you!)

Weekly Update 358


IoT, breaches and largely business as usual so I'll skip that in the intro to this post and jump straight to the end: the impending HIBP domain search changes. As I say in the vid, I really value people's feedback on this so if nothing else, please skip through to 48:15, listen to that section and let me know what you think. By the time I do next week's vid my hope is that all the coding work is done and I'm a couple of days out from shipping it, so now is your time to provide input if you think there's something I'm missing that really should be in there 🙂


References

  1. Sponsored by: Kolide ensures that if a device isn't secure, it can't access your apps. It's Device Trust for Okta. Watch the demo today!
  2. Messing with door-knocking real estate agents is a really good use of Home Assistant and Ubiquiti IMHO (channelling my inner Password Purgatory demons on this one!)
  3. The BookCrossing breach went into HIBP (plain text passwords FTW!)
  4. An old Roblox breach surfaced and also went into HIBP (Roblox has had quite the time of it lately...)
  5. BreachForums was, itself, breached (definitely legit too, given the presence of a "lurker" account I created there)

Weekly Update 357


Sad news to wake up to today. Kevin was a friend and as I say in this week's video, probably the most well-known identity in infosec ever, and for good reason. He made a difference, and I have fun memories with him 😊

In other news, I share a lot more on the upcoming domain search changes in this week's video and I've gotta say, I'm feeling pretty good about them. I spent most of the day after recording this writing code and drafting the blog post and I'm pretty damn happy with each right now. I'll keep sharing more info via these updates to the extent that by the time everything launches in a couple of weeks, you'll know it all anyway if you're paying attention here 😎


References

  1. Sponsored by: Kolide ensures that if a device isn't secure, it can't access your apps. It's Device Trust for Okta. Watch the demo today!
  2. If you haven't done already, go read Ghost in the Wires, the Kevin Mitnick story (it's a genuinely entertaining read)
  3. If you mistype an email address, it will go to the wrong place! 🤯 (the .mil conflation with .ml story has received way more airtime than what it's due IMHO)
  4. Shellys, Shellys everywhere (after feedback from Richard and Lars on this week's video, I'm pretty sure I'm going to ditch MQTT altogether now)
  5. The Roblox Developers Conference had 4k people's data leaked (goes back a few years and they did eventually disclose, but it would have been nice for them to beat me to it)
  6. It's more than a month ago now that I wrote about the impending domain search changes (but not long to go now 🙂)

Weekly Update 356


Today was a bit back-to-back, having just wrapped up the British Airways Magecart attack webinar with Scott. That was actually a great session with loads of engagement and it's been recorded too, so look out for that one soon if you missed it. Anyway, I filled this week's update with a bunch of random things from the week. I especially enjoyed discussing the HIBP domain search progress and as I say in the video, talking through it with other people really helps crystalise things, so I think I'll keep doing that as the dev work continues. Stay tuned for more on that next week, see you then 😊


References

  1. Sponsored by: Americans lost $8.8B to identity theft in 2022. Secure your online info with Aura the #1 rated identity theft protection. Start free trial.
  2. Scott Helme and I did a Report URI webinar just before this video, all about the Magecart attack on British Airways (stay tuned for the recording)
  3. The renos have been very trying on my patience (but the garage is looking totally epic 😎)
  4. I finally fixed this hum when the camera was on... by using a USB cable to charge it instead (this was so painful, obviously some sort of electrical interference going on there)
  5. I completely forgot to talk about my IoT lock batteries (but yeah, that linked tweet sums it all up)
  6. A full "baker's dozen" of MVP awards! (that's 13 years running now 😲)